Foomatic-RIP (CVE-2015-8560)
Just a quick writeup today. I recently uncovered an issue in the Foomatic-RIP package. The bug lives in the “filter/foomatic-rip/util.c” source and stems from the list of shell-escape characters defined on the following line:
const char* shellescapes = "|&!$\'\"`#*?()[]{}";
This blacklist is used to sanitise characters that are later passed to the libc system() call.
It seems that this blacklist is missing the ; character, which means that if we can influence an argument passed to foomatic-rip that is later passed to a shell command, we can potentially execute arbitrary commands.
For example, on line 647 of “/filter/foomatic-rip/foomaticrip.c”, we find the following:
snprintf(pdf2ps_cmd, CMDLINE_MAX,
"gs -q -sstdout=%%stderr -sDEVICE=ps2write -sOutputFile=- "
"-dBATCH -dNOPAUSE -dPARANOIDSAFER -dNOINTERPOLATE %s 2>/dev/null || "
"pdftops -level2 -origpagesizes %s - 2>/dev/null",
filename, filename);
If we control the “filename” parameter, for instance by naming a file as follows:
test;ls;.pdf
...well, you get the picture :)
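To make the gap concrete, here is an added example of my own (not the project's code) that runs the filename from above through a simplified backslash-escaping loop with the original character set and with a set that also contains ; (the hardened set is an assumption for this example, not a quote of any patch). It shows that the original set leaves both ; characters untouched, so the shell in system() still sees them as command separators.

```c
#include <stdio.h>
#include <string.h>

/* Escape set quoted on the page: note that ';' is absent. */
static const char *shellescapes_vuln = "|&!$\'\"`#*?()[]{}";
/* Hardened set assumed for this example: the same set plus ';'. */
static const char *shellescapes_fixed = "|&!$\'\"`#*?()[]{};";

/* Backslash-escape every byte of `in` found in `escapes` (a simplified stand-in
 * for the filter's own escaping, not the project's code). Returns the number of
 * bytes written, excluding the NUL, or -1 if `out` is too small. */
int escape_for_shell(const char *in, const char *escapes, char *out, size_t outlen)
{
    size_t j = 0;
    for (const char *p = in; *p != '\0'; p++) {
        size_t need = strchr(escapes, *p) != NULL ? 2 : 1;
        if (j + need >= outlen) return -1;   /* leave room for the NUL */
        if (need == 2) out[j++] = '\\';
        out[j++] = *p;
    }
    out[j] = '\0';
    return (int)j;
}

/* Convenience wrapper returning the escaped string in a static buffer. */
const char *escaped(const char *in, const char *escapes)
{
    static char buf[256];
    return escape_for_shell(in, escapes, buf, sizeof buf) < 0 ? NULL : buf;
}

/* Count occurrences of `c` not preceded by a backslash: these are the bytes the
 * shell would still interpret after sanitisation. */
int count_unescaped(const char *s, char c)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++)
        if (*p == c && (p == s || p[-1] != '\\')) n++;
    return n;
}

int main(void)
{
    const char *name = "test;ls;.pdf";   /* constructed filename from the writeup */
    const char *v = escaped(name, shellescapes_vuln);
    printf("original set: %s (unescaped ';' = %d)\n", v, count_unescaped(v, ';'));
    const char *f = escaped(name, shellescapes_fixed);
    printf("hardened set: %s (unescaped ';' = %d)\n", f, count_unescaped(f, ';'));
    return 0;
}
```

Note that extending the blacklist only closes this one gap; handing untrusted names to system() at all is the underlying risk, and building an argv for a direct exec avoids the shell entirely.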