This Week In Security: Ghostscript In ImageMagick, SolarWinds, And DHCP Shenanigans

A PoC was just published for a potentially serious flaw in the Ghostscript interpreter. Ghostscript can load PostScript, PDF, and SVG, and it has a feature from PostScript that has been a continual security issue: the %pipe% command. This command requests the interpreter to spawn a new process; it’s RCE as part of the spec. This is obviously a problem for untrusted images and documents, and Ghostscript has fixed security vulnerabilities around this mis-feature several times over the years.

This particular vulnerability was discovered by [Emil Lerner], and described at ZeroNights X. That talk is available, but in Russian. The issue seems to be a bypass of sorts, where the pipe command appears to be working in the /tmp/ directory, but a simple semicolon allows for an arbitrary command to be executed. Now why is this a big deal? Because ImageMagick uses Ghostscript to open SVG images by default on some distributions, and ImageMagick is often used for automatically resizing and converting images for web sites. In [Emil]’s presentation, he uses this flaw as part of an attack chain against three different companies.

I was unable to reproduce the flaw on my Fedora install, but I haven’t found any notice of it being fixed in the Ghostscript or ImageMagick changelogs either. It’s unclear if this problem has already been fixed, or if this is a true 0-day for some platforms. Either way, expect attackers to start trying to make use of it.

SIP Client Slashed

CVE-2021-33056 is an oddball bug in the way SIP headers are parsed by the Linphone SIP client. Multiple header fields in a SIP packet are required to be valid URIs, and are expected to be SIP URIs, something like sip:alice@example.com. The problem is that there is a lot of flexibility in what is considered a valid URI. In this case, a single slash, “/”, is a valid URI. The code attempts to extract the scheme, and upon finding none, returns a NULL pointer. That pointer is then passed into the next function without being validated, causing the crash. Null pointer dereferences are particularly difficult to turn into more than a simple DoS attack, and this seems to be no exception. The biggest challenge here is that the Linphone stack has made its way into various mobile and IoT clients.
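The missing check described above, as an added example that is not Linphone's code and not part of the original post. The helper names (uri_scheme, is_sip_uri_unchecked, is_sip_uri) are hypothetical and the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper, not Linphone's code: copy the URI scheme into buf and
 * return it, or return NULL when the reference has no scheme (e.g. "/"). */
const char *uri_scheme(const char *uri, char *buf, size_t buflen)
{
    size_t n = strcspn(uri, ":/?#");   /* a scheme ends at the first ':' */
    if (n == 0 || uri[n] != ':' || n >= buflen)
        return NULL;
    memcpy(buf, uri, n);
    buf[n] = '\0';
    return buf;
}

/* Pattern the page describes: the result is used without a NULL check.
 * Shown for contrast only; passing "/" makes strcasecmp dereference NULL. */
int is_sip_uri_unchecked(const char *uri)
{
    char buf[16];
    return strcasecmp(uri_scheme(uri, buf, sizeof buf), "sip") == 0;
}

/* Hardened form: a missing scheme is an ordinary parse failure. */
int is_sip_uri(const char *uri)
{
    char buf[16];
    const char *scheme;

    if (uri == NULL)
        return 0;
    scheme = uri_scheme(uri, buf, sizeof buf);
    if (scheme == NULL)
        return 0;
    return strcasecmp(scheme, "sip") == 0 || strcasecmp(scheme, "sips") == 0;
}

int main(void)
{
    /* Constructed inputs: a normal SIP URI and the lone-slash reference. */
    printf("%d %d\n", is_sip_uri("sip:alice@example.com"), is_sip_uri("/"));
    return 0;
}
```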

SolarWinds Again

In the past few weeks, SolarWinds devices were hit with another 0-day attack, this one against the SSH service. Researchers from Microsoft determined that the primary attacker was an APT from China, and were able to recreate the attack. The main problem? SolarWinds rolled their own SSH server instead of using a mature solution like OpenSSH. Address Space Layout Randomization was turned off on that service, and an odd behavior was found. When running a fuzzing tool and watching the process with a debugger, the Microsoft researchers observed multiple exceptions that should have crashed the process. Instead, the exception was logged, an attempt was made to clean up the damage, and the process continued on. While a successful RCE chain was found and fixed, it isn’t certain that this is the same chain that was used in the wild. Without major changes to this service, it should be assumed to still be vulnerable.

DHCP Tricks

What sorts of trouble could an attacker cause, if they controlled the DHCP responses sent to the router? It apparently depends on what services the router is providing, above and beyond routing. Researchers at Anvil Secure use the term “smart router”, meaning a device that’s doing something like serving files, hosting a VPN, or managing IP cameras. In that case, there are some strange edge cases to be found when IP ranges collide.

Put simply, you can use a more specific DHCP range to route internal IPs out to an attacker on the WAN side of the router. This could be used to set up a MitM attack, and intercept file transfers or VPN traffic. While it’s interesting, the attack doesn’t work across the network, so impact is limited. This could be pulled off by an attacker that has taken over the modem, or attached hardware between the router and modem.

Overflow Enables Smuggling

Another clever approach to request smuggling was published this week, this one a vulnerability in HAProxy. CVE-2021-40346 is an integer overflow, triggered by a malicious header: “Content-Length0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...:”. The actual attack has over 240 “a” characters there, bringing the total character count to 270. That header name is stored in a data structure that uses an 8-bit integer to track string length. As 270 is greater than the maximum of 256, the value overflows and is treated as length 14, which just happens to be the length of a valid-looking Content-Length. It just so happens that the next field in this data structure is the length for the value (the part after the colon). The overflow sets this to 1. While this is all stored as a possible header, the next line is actually a valid Content-Length header, and is immediately honored, causing the rest of the message to be read into memory.

POST /index.html HTTP/1.1
Host: abc.com
Content-Length0aaaa...:
Content-Length: 60

GET /admin/add_user.py HTTP/1.1
Host: abc.com
abc: xyz

Now that the packet has been loaded into memory, the next processing stage writes it out in a packet sent to the back-end. Here, the obviously invalid header is processed based on the manipulated length values, resulting in a Content-Length: 0 header being set on the outgoing packet. The rest of the data is then appended to the same packet, which is the now-smuggled request. Once this single packet is received by the back-end, the Content-Length header is understood to mean that two separate messages are being sent in the same packet. And thus, the second request has been smuggled past the security controls on the front-end server.
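The length wrap behind this, worked through as an added example that is not HAProxy's code and not part of the original post. It assumes a simplified layout in which the 8-bit name length sits directly below the value length in one 32-bit word; pack_unchecked and pack_checked are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (an assumption, not HAProxy's source): one 32-bit word
 * holds the header-name length in bits 0-7 and the value length above it. */
#define NAME_BITS 8u
#define NAME_MAX  ((1u << NAME_BITS) - 1u)   /* largest name length that fits */

static uint32_t name_len_of(uint32_t info)  { return info & NAME_MAX; }
static uint32_t value_len_of(uint32_t info) { return info >> NAME_BITS; }

/* Flawed packing: the name length is added without a range check, so any
 * bits above bit 7 carry into the value-length field. */
uint32_t pack_unchecked(size_t name_len, size_t value_len)
{
    return ((uint32_t)value_len << NAME_BITS) + (uint32_t)name_len;
}

/* Hardened packing: refuse a name or value that does not fit its field.
 * Returns 0 on success, -1 if the header must be rejected. */
int pack_checked(size_t name_len, size_t value_len, uint32_t *info)
{
    if (name_len > NAME_MAX || value_len > (UINT32_MAX >> NAME_BITS))
        return -1;
    *info = ((uint32_t)value_len << NAME_BITS) | (uint32_t)name_len;
    return 0;
}

int main(void)
{
    /* The page's case: a 270-byte header name with an empty value. */
    uint32_t info = pack_unchecked(270, 0);
    uint32_t ok;

    printf("unchecked: name_len=%u value_len=%u\n",
           (unsigned)name_len_of(info), (unsigned)value_len_of(info));
    printf("checked:   %s\n",
           pack_checked(270, 0, &ok) ? "rejected" : "accepted");
    return 0;
}
```

The unchecked path turns a 270-byte name with an empty value into name length 14 and value length 1, the values the paragraph above describes; the checked path rejects the header before anything is stored.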

OpenWRT Release

OpenWRT has just released 2021.02.0, a new major version based on the 5.4.143 LTS kernel. There are some notable new security features, including on-by-default WPA3 and SSL support, as well as ASLR for binaries. There is also now support for running SELinux, though this isn’t on by default. With the new features comes the added downside that a wide range of older devices are no longer officially supported, due to higher system requirements. 8 MB of flash and 64 MB of RAM are now the minimum required for full support.

3 thoughts on “This Week In Security: Ghostscript In ImageMagick, SolarWinds, And DHCP Shenanigans”

  1. @Jonathan Bennett I wanted to post this real quick. Before I came here I just read a security bulletin from Debian claiming this was *JUST* fixed. So, yes, unless someone stripped Fedora’s package of GhostScript of unneeded features, it’s vulnerable. And I’ll stop the forthcoming rant before I get wound up. NUTS!!

  2. The %pipe% device (not a command; it can be used where a file name is expected) in PostScript is not really a misfeature (it is a feature I use myself; PostScript has no good FFI and this is one way to do something like it). However, it isn’t supposed to work in SAFER mode. Fortunately they have fixed that bug now (it is in their git repository, so in next version it would be fixed, I think) so that it won’t work in SAFER mode, now.
