| | 20220523 |
aformertransformer | This is the postscript I was talking about before. I think it's obfuscated. https://pastebin.com/HbFy3hGg | 15:57.33 |
| We definitely weren't running the old version on purpose, we have it updated on almost everything. This was an orphaned asset that we didn't realize was still accessible from the internet. | 15:57.34 |
| I've been trying to make sense of it all weekend, but I don't have any postscript experience. I was able to decode this section: "(\345\362\362\357\362\344\351\343\364\240\257\345\370\345\343\366\345\240\263\240\262\240\362\357\354\354\240\360\365\364)" but that didn't make it any more clear for me. | 15:57.34 |
| obviously I don't expect anyone to spend time on this, just wasn't sure if it was easy to parse or not because I have no experience with ps | 15:58.17 |
artifexirc-bot | <KenSharp> No, that's not obfuscated particularly | 15:58.23 |
| <KenSharp> However it's clearly running a Perl script | 15:58.44 |
| <KenSharp> And I don't speak Perl | 15:58.50 |
aformertransformer | yeah, I know what that part's doing I just have no idea how the PS was able to execute a shell command | 15:59.04 |
| that part is spawning a shell over the network. It allowed the attacker to get remote access to the app server it ran on | 16:00.03 |
artifexirc-bot | <KenSharp> Well the basic problem is that PostScript is a programming language. A full Turing-complete programming language | 16:00.21 |
| <KenSharp> So anything you might reasonably be able to do with, say, Perl you can also do with PostScript | 16:00.37 |
| <KenSharp> Ghostscript has some means to prevent 'dangerous' operations (i.e. anything involving the file system) | 16:01.14 |
aformertransformer | -dSAFER? | 16:01.31 |
artifexirc-bot | <KenSharp> It looks to me like the code is pushing the script through a pipe | 16:01.36 |
| <KenSharp> -dSAFER is basically the protection, yes. | 16:01.49 |
| <KenSharp> Note that old versions of Ghostscript you had to turn that on manually and up until recently there were known ways to break it. | 16:02.18 |
aformertransformer | according to my stack trace gs did run with that flag, but I think this bypassed that using some vulnerability in the older version | 16:02.28 |
artifexirc-bot | <KenSharp> The current version of Ghostscript What version were you using ? | 16:02.44 |
aformertransformer | 9.26 | 16:02.50 |
artifexirc-bot | <KenSharp> The current version of the PDF interpreter (new this year) no longer uses a PostScript program to deal with PDF files. Since it does not run inside the PostScript interpreter it no longer runs PostScript inside PDF files. At all. | 16:03.27 |
| <KenSharp> Yes 9.26 is old and has known security problems. | 16:03.40 |
| <KenSharp> For real safety, instead of using Ghostscript to process PDF files, use GhostPDL. That doesn't even include a PostScript interpreter so it **can't** run PostScript | 16:04.16 |
| <KenSharp> Sorry that should be GhostPDF not GhostPDL | 16:04.33 |
| <KenSharp> It's the same as Ghostscript but it only handles PDF files. | 16:04.47 |
aformertransformer | gotcha. that's probably what we'll move to. Thanks for the help! | 16:06.12 |
artifexirc-bot | <KenSharp> FWIW the exploit is targeting the error handling | 16:06.26 |
aformertransformer | I saw that the encoded bit is doing something with errordict , is that what you mean? | 16:07.48 |
artifexirc-bot | <KenSharp> It's storing the Perl script as a specific error handler which gets run by the look of it | 16:08.04 |
| <KenSharp> Yes, it's storing stuff in the error handler | 16:08.20 |
aformertransformer | interesting | 16:09.55 |
artifexirc-bot | <KenSharp> It would take me a bit longer to divine exactly what it's up to but it looks like fundamentally it's just writing stuff to errordict which will get flushed out when a specific error occurs, then it provokes that error, causing the stored script to be sent to the system where it gets executed. | 16:11.25 |
| <KenSharp> I presume this doesn't cause you a problem when you use a reasonably up to date version of Ghostscript ? | 16:12.05 |
aformertransformer | based on my testing this specific ps only runs in 9.26. I tried on a more recent version and it didn't run | 16:12.47 |
artifexirc-bot | <KenSharp> Yeah well I'm not going to worry about it then 🙂 | 16:13.10 |
aformertransformer | not sure if the code could be modified to work on newer versions but this code doesn't | 16:13.10 |
artifexirc-bot | <KenSharp> Shouldn't be possible I don't think | 16:13.25 |
aformertransformer | I agree. I think this is someone exploiting a very old known issue. Just our bad for having that version on a public facing asset *facepalm* | 16:14.05 |
| really appreciate the help! | 16:15.16 |
artifexirc-bot | <KenSharp> NP | 16:16.48 |
aformertransformer | in case you're interested I found this writeup that seems like it's explaining this exact vulnerability: https://www.exploit-db.com/exploits/45573 | 16:34.56 |