Linux Detection Opportunities for CVE-2024-29510

Overview
A remote code execution (RCE) vulnerability in the Ghostscript document conversion toolkit, identified as CVE-2024-29510, is currently being exploited in the wild. Ghostscript, which comes pre-installed on many Linux distributions, is used by various popular software such as ImageMagick, LibreOffice, GIMP, Inkscape, Scribus, and the CUPS printing system. This format string vulnerability affects all Ghostscript versions 10.03.0 and earlier, allowing attackers to escape the -dSAFER sandbox and perform high-risk operations like command execution and file I/O. The vulnerability is particularly dangerous for web applications and services offering document conversion and preview functionalities. It also opens new opportunities for attackers to attempt phishing, because Ghostscript is invoked when rendering content inside LibreOffice documents.
Windows systems contain a multitude of logging and detection capabilities, but what happens when a major vulnerability affects Linux systems? Things get much trickier to detect and report on. Luckily, there are tools we can use. The primary ones we are going to cover in this blog are auditd and sysmonforlinux, which we use to identify this Ghostscript activity on an Ubuntu 22.04 server.
Auditd
Auditd is essential for tracking and logging security-relevant information on a Linux system. It collects a wide range of system events, such as file access, system calls, and user actions, enabling real-time monitoring to swiftly detect and respond to suspicious activities. With customizable rules, users can focus on specific types of events. The main daemon, auditd, receives event data from the kernel and writes it to disk, supported by tools like auditctl for configuration, aureport for generating summary reports, and ausearch for searching audit log files.
In our lab, we used a set of auditd rules compiled by Florian Roth.
Sysmonforlinux
Sysmon is pretty well known in Windows spaces, but it has a version for Linux as well. Sysmon for Linux is a tool that monitors and logs system activity including process lifetime, network connections, file system writes, and more. Sysmon works across reboots and uses advanced filtering to help identify malicious activity as well as how intruders and malware operate on your network. Sysmon for Linux is part of Sysinternals. The beauty is your normal Sysmon config will work with Sysmon for Linux without needing many (if any) changes.
Ghostscript RCE via CommandLine
When document conversion tools utilize Ghostscript on the backend, the file is going to be passed to the gs binary, usually involving the -dSAFER argument. This option is commonly used when processing files from untrusted or unknown sources, ensuring that the execution environment is secure.
Key Features of -dSAFER:
- Restricts File System Access: Prevents operations that can read or write to the file system. This helps to protect against unauthorized access or modification of files on the system.
- Limits Command Execution: Disables the execution of potentially dangerous PostScript commands. This includes commands that can alter the state of the system or execute shell commands.
- Protects Against Unsafe Operations: Ensures that only safe and essential operations are allowed during the processing of the file. This helps to prevent security vulnerabilities that could be exploited by crafted PostScript or PDF files.
To test this vulnerability, we utilized a Proof of Concept created by Codean Labs. You can find it here. It spawns the gnome-calculator upon successful execution, but could easily be changed to execute anything. One thing to note is that telemetry in Linux is slightly different than in Windows. The chain between processes is a little trickier and not as straightforward. For more details on the intricacies of these differences, check out an awesome write-up by Red Canary.
When looking at the process graph we can see our ghostscript exploitation fairly clearly.
Digging deeper into the Sysmon log for the initial execution of ghostscript we can see all our command line arguments as well as the fact that it was spawned via the command line based on its ParentImage.
EventID: 1
EventRecordID: 2359
Execution_ProcessID: 953
Execution_ThreadID: 953
UtcTime: 2024-07-15 15:11:35.640
ProcessGuid: {ec227f46-3c27-6695-3dd0-a5e332560000}
ProcessId: 21108
Image: /usr/bin/gs
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: /usr/bin/gs -dSAFER -dBATCH -dNODISPLAY CVE-2024-29510_poc_calc.eps
CurrentDirectory: /home/ubuntu
User: ubuntu
LogonGuid: {ec227f46-0000-0000-e803-000004000000}
LogonId: 1000
TerminalSessionId: 2
IntegrityLevel: no level
ParentProcessGuid: {ec227f46-3bd7-6695-0d2f-86f263550000}
ParentProcessId: 20829
ParentImage: /usr/bin/bash
ParentCommandLine: bash
ParentUser: ubuntu
This execution spawns a child dash process, and its event contains the follow-on actions the attacker is executing via exploitation.
EventID: 1
EventRecordID: 2362
Execution_ProcessID: 953
Execution_ThreadID: 953
Channel: Linux-Sysmon/Operational
Computer: ip-10-0-254-193
Security_UserId: 0
RuleName: -
UtcTime: 2024-07-15 15:11:36.133
ProcessGuid: {ec227f46-3c28-6695-95e9-da1680550000}
ProcessId: 21109
Image: /usr/bin/dash
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: sh -c gnome-calculator
CurrentDirectory: /home/ubuntu
User: ubuntu
LogonGuid: {ec227f46-0000-0000-e803-000004000000}
LogonId: 1000
TerminalSessionId: 2
IntegrityLevel: no level
ParentProcessGuid: {ec227f46-3c27-6695-3dd0-a5e332560000}
ParentProcessId: 21108
ParentImage: /usr/bin/gs
ParentCommandLine: /usr/bin/gs
ParentUser: ubuntu
This gives us a fairly decent detection opportunity already since ghostscript itself should not be spawning new child shell processes when doing document handling.
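As an added illustration (not code from the original post or from SnapAttack), the parent/child check just described can be applied directly to Sysmon for Linux ProcessCreate events in the "Key: value" text form shown above. The first two sample events are trimmed copies of the gs and dash records above; the third is a constructed benign bash -> dash event used as a control. The lists of Ghostscript and shell binary names are assumptions you would tune for your environment.

```python
import re
from typing import Dict, List

# Sysmon for Linux ProcessCreate (EventID 1) records in the "Key: value" text
# form shown in this post. The first two are trimmed from the events above;
# the third is a constructed benign bash -> dash event used as a control.
SAMPLE_EVENTS = """\
EventID: 1
ProcessId: 21108
Image: /usr/bin/gs
CommandLine: /usr/bin/gs -dSAFER -dBATCH -dNODISPLAY CVE-2024-29510_poc_calc.eps
ParentProcessId: 20829
ParentImage: /usr/bin/bash

EventID: 1
ProcessId: 21109
Image: /usr/bin/dash
CommandLine: sh -c gnome-calculator
ParentProcessId: 21108
ParentImage: /usr/bin/gs

EventID: 1
ProcessId: 30001
Image: /usr/bin/dash
CommandLine: sh -c ls
ParentProcessId: 30000
ParentImage: /usr/bin/bash
"""

# Assumed name lists: Ghostscript binaries, and shells a document conversion
# job should never spawn.
GS_NAMES = {"gs", "ghostscript"}
SHELL_NAMES = {"sh", "dash", "bash", "zsh", "ksh"}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated 'Key: value' blocks into one dict per event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                event[key.strip()] = value.strip()
        if event:
            events.append(event)
    return events


def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def find_gs_shell_spawns(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return ProcessCreate events where Ghostscript is the parent of a shell."""
    hits = []
    for event in events:
        if event.get("EventID") != "1":
            continue
        parent = basename(event.get("ParentImage", ""))
        child = basename(event.get("Image", ""))
        if parent in GS_NAMES and child in SHELL_NAMES:
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_gs_shell_spawns(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT pid={hit['ProcessId']} {hit['ParentImage']} -> "
              f"{hit['Image']}: {hit['CommandLine']}")
```

Matching on the basename rather than the full path keeps the rule working for the /usr/local/bin/gs install seen later in the LibreOffice capture as well as the distribution's /usr/bin/gs.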
This activity looks a little different in auditd. Looking at the SYSCALL events we can see the equivalent logs. We can start this time by identifying our suspicious shell: /usr/bin/dash running as sh.
type=SYSCALL msg=audit(1721056296.127:31873): arch=c000003e syscall=59 success=yes exit=0 a0=7f09dac69678 a1=7ffe573151b0 a2=7ffe57317b28 a3=8 items=2 ppid=21108 pid=21109 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=2 comm="sh" exe="/usr/bin/dash" subj=unconfined key="susp_shell"
Matching that parent process id (ppid=21108), we can find the spawning process, which is Ghostscript (/usr/bin/gs).
type=SYSCALL msg=audit(1721056301.262:31911): arch=c000003e syscall=87 success=yes exit=0 a0=5632e55c93c0 a1=5632e55c93c0 a2=0 a3=50 items=2 ppid=20829 pid=21108 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=2 comm="gs" exe="/usr/bin/gs" subj=unconfined key="delete"
You will also see an EXECVE log for the shell command. Matching this to the other events is tricky and the best option is to do some time analysis to identify possible malicious activity based on the commands executed around it.
type=EXECVE msg=audit(1721056296.127:31873): argc=3 a0="sh" a1="-c" a2="gnome-calculator"
Here is a simple Splunk query to help identify the auditd events for this vulnerability:
sourcetype="auditd_linux" (comm="gs" AND exe="/usr/bin/gs") OR (comm="sh" AND exe="/usr/bin/dash")
| transaction ppid pid
| table _time ppid pid comm exe
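For readers who want to do the same correlation outside Splunk, here is an added example (not code from the original post or from SnapAttack) that works on raw auditd records. It uses the fact, visible in the logs above, that the SYSCALL and EXECVE records of one execve share the same msg=audit(timestamp:serial) identifier, joins them on that serial, then walks ppid -> pid to flag a shell whose parent last executed Ghostscript. The dash SYSCALL/EXECVE pair and the gs unlink record are trimmed from the lines shown above; the initial gs execve record (with an assumed key="exec") and the benign bash -> sh -c ls pair are constructed. The shell name list is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Raw auditd records. The sh/dash SYSCALL+EXECVE pair and the gs unlink record
# are trimmed from the lines shown in this post; the gs execve record and the
# benign bash -> "sh -c ls" pair are constructed so there is something to join
# against and a control that must not alert.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1721056290.500:31860): arch=c000003e syscall=59 success=yes exit=0 ppid=20829 pid=21108 auid=1000 uid=1000 comm="gs" exe="/usr/bin/gs" key="exec"
type=EXECVE msg=audit(1721056290.500:31860): argc=5 a0="gs" a1="-dSAFER" a2="-dBATCH" a3="-dNODISPLAY" a4="CVE-2024-29510_poc_calc.eps"
type=SYSCALL msg=audit(1721056296.127:31873): arch=c000003e syscall=59 success=yes exit=0 ppid=21108 pid=21109 auid=1000 uid=1000 comm="sh" exe="/usr/bin/dash" key="susp_shell"
type=EXECVE msg=audit(1721056296.127:31873): argc=3 a0="sh" a1="-c" a2="gnome-calculator"
type=SYSCALL msg=audit(1721056301.262:31911): arch=c000003e syscall=87 success=yes exit=0 ppid=20829 pid=21108 auid=1000 uid=1000 comm="gs" exe="/usr/bin/gs" key="delete"
type=SYSCALL msg=audit(1721056310.000:31950): arch=c000003e syscall=59 success=yes exit=0 ppid=20829 pid=21200 auid=1000 uid=1000 comm="sh" exe="/usr/bin/dash" key="susp_shell"
type=EXECVE msg=audit(1721056310.000:31950): argc=3 a0="sh" a1="-c" a2="ls"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
EXECVE_SYSCALL = "59"                                 # x86_64 execve
SHELL_NAMES = {"sh", "dash", "bash", "zsh", "ksh"}    # assumed list


def parse_record(line: str) -> Dict[str, str]:
    """Turn one raw audit record into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["time"], fields["serial"] = m.group(1), m.group(2)
    return fields


def group_events(lines: List[str]) -> List[Dict]:
    """Join records that share one audit(ts:serial) id, e.g. SYSCALL + EXECVE."""
    events: Dict[str, Dict] = defaultdict(dict)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        event = events[rec["serial"]]
        if rec["type"] == "SYSCALL":
            event.update(rec)                      # pid/ppid/exe/comm/key live here
        elif rec["type"] == "EXECVE":
            event["argv"] = [rec[f"a{i}"] for i in range(int(rec["argc"]))]
    return [events[s] for s in sorted(events, key=int)]


def find_gs_spawned_shells(events: List[Dict]) -> List[Dict]:
    """Flag execve events whose parent pid most recently executed Ghostscript."""
    exe_by_pid: Dict[str, str] = {}
    hits = []
    for event in events:
        if event.get("type") != "SYSCALL" or event.get("syscall") != EXECVE_SYSCALL:
            continue
        exe_by_pid[event["pid"]] = event["exe"]
        parent_exe = exe_by_pid.get(event["ppid"], "")
        if (parent_exe.rsplit("/", 1)[-1] == "gs"
                and event["exe"].rsplit("/", 1)[-1] in SHELL_NAMES):
            hits.append({"pid": event["pid"], "ppid": event["ppid"],
                         "parent_exe": parent_exe, "argv": event.get("argv", [])})
    return hits


if __name__ == "__main__":
    for hit in find_gs_spawned_shells(group_events(SAMPLE_AUDIT_LOG.splitlines())):
        print(f"ALERT {hit['parent_exe']} (pid {hit['ppid']}) spawned "
              f"pid {hit['pid']}: {' '.join(hit['argv'])}")
```

The parent lookup depends on having seen the parent's own execve record, so the audit rules need to log execve broadly (the ruleset mentioned earlier does, which is where the key="susp_shell" tag on the dash record comes from); if only shells are audited, the ppid will resolve to nothing and the check falls back to the time-based analysis described above.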
For more information and details check out our full threat captures and detections in CVE-2024-29510.
Exploitation via LibreOffice
This vulnerability also opens up a new avenue for phishing. When displaying embedded PostScript or PDF content within LibreOffice documents, Ghostscript renders the content. This enables an attacker to send a malicious document to a user that triggers CVE-2024-29510 when it is opened.
The process chain for this exploitation looks a little different but mostly contains the same artifacts.
Here we see the ghostscript binary spawning a shell similar to the command line execution. Looking at the Sysmon log for the dash event it is nearly identical to the command line execution.
EventID: 1
EventRecordID: 418
Execution_ProcessID: 933
Execution_ThreadID: 933
Channel: Linux-Sysmon/Operational
Computer: ip-10-0-255-129
Security_UserId: 0
RuleName: -
UtcTime: 2024-07-09 16:07:10.331
ProcessGuid: {ec227f46-602e-668d-95c9-df5a04560000}
ProcessId: 21397
Image: /usr/bin/dash
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: sh -c gnome-calculator
CurrentDirectory: /home/ubuntu
User: ubuntu
LogonGuid: {ec227f46-0000-0000-e803-000000000000}
LogonId: 1000
TerminalSessionId: 2
IntegrityLevel: no level
Hashes:
ParentProcessGuid: {ec227f46-602d-668d-3d70-edb717560000}
ParentProcessId: 21393
ParentImage: /usr/local/bin/gs
ParentCommandLine: /usr/local/bin/gs
ParentUser: ubuntu
Looking at some Inter-Process Communication events within the auditd logs offers another interesting insight into the attack. In this capture the subj field contains the full child process chain from libreoffice all the way to the gnome-calculator execution.
type=SYSCALL msg=audit(1720541230.642:18780): arch=c000003e syscall=29 success=yes exit=65544 a0=0 a1=1000 a2=380 a3=0 items=0 ppid=21397 pid=21398 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="gnome-calculato" exe="/usr/bin/gnome-calculator" subj=libreoffice-soffice//null-/usr/local/bin/gs//null-/usr/bin/dash//null-/usr/bin/gnome-calculator key="Inter-Process_Communication"
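The chain in that subj field is worth extracting on its own, because it survives even when the individual execve records are missing or hard to join. Below is an added example (not code from the original post or from SnapAttack) that pulls the label out of a raw record and splits it on the "//null-" separator seen above into an ordered exec chain, then checks whether Ghostscript is directly followed by a shell anywhere in it. The record is trimmed from the IPC event above; the shell name list is an assumption. The caveat is that this only works where the process carries such a label: the command-line capture earlier shows subj=unconfined, which yields no chain at all.

```python
import re
from typing import List

# Trimmed from the IPC record shown above. In this capture the subj field is
# the AppArmor label, which records the exec chain joined by "//null-".
SAMPLE_IPC_RECORD = (
    'type=SYSCALL msg=audit(1720541230.642:18780): arch=c000003e syscall=29 '
    'success=yes exit=65544 ppid=21397 pid=21398 auid=1000 uid=1000 '
    'comm="gnome-calculato" exe="/usr/bin/gnome-calculator" '
    'subj=libreoffice-soffice//null-/usr/local/bin/gs//null-/usr/bin/dash'
    '//null-/usr/bin/gnome-calculator key="Inter-Process_Communication"'
)
# Trimmed from the command-line capture earlier: no label, so no chain.
SAMPLE_UNCONFINED_RECORD = (
    'type=SYSCALL msg=audit(1721056296.127:31873): comm="sh" '
    'exe="/usr/bin/dash" subj=unconfined key="susp_shell"'
)

SUBJ_RE = re.compile(r"\bsubj=(\S+)")
SHELL_NAMES = {"sh", "dash", "bash", "zsh", "ksh"}  # assumed list


def exec_chain(record: str) -> List[str]:
    """Return the exec chain encoded in the subj label, oldest ancestor first."""
    m = SUBJ_RE.search(record)
    return m.group(1).split("//null-") if m else []


def gs_spawned_shell(chain: List[str]) -> bool:
    """True when Ghostscript is immediately followed by a shell in the chain."""
    names = [p.rsplit("/", 1)[-1] for p in chain]
    return any(a == "gs" and b in SHELL_NAMES for a, b in zip(names, names[1:]))


if __name__ == "__main__":
    chain = exec_chain(SAMPLE_IPC_RECORD)
    print(" -> ".join(chain))
    print("gs -> shell in chain:", gs_spawned_shell(chain))
```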
For more information and details check out our full threat captures and detections in Collection: CVE-2024-29510.
MITRE
T1059 — Command and Scripting Interpreter:
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1203 — Exploitation for Client Execution:
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1566 — Phishing
Adversaries may send phishing messages to gain access to victim systems.
T1204.002 — User Execution: Malicious File
An adversary may rely upon a user opening a malicious file in order to gain execution.
Conclusion
In conclusion, the CVE-2024-29510 vulnerability in Ghostscript highlights the ongoing challenge of securing widely used software against sophisticated exploits. This format string vulnerability, which allows attackers to bypass the -dSAFER sandbox and execute arbitrary commands, underscores the critical need for timely patching and robust monitoring. Utilizing tools like auditd and sysmonforlinux on Linux systems can significantly enhance detection capabilities, helping to identify and respond to malicious activities swiftly. For more information, detections, and captured attacks, check out our collection focused on CVE-2024-29510.
For more technical details on the inner workings of the exploit check out this amazing write-up by Codean Labs.
SnapAttack is the threat hunting, detection engineering, and detection validation platform for proactive threat-informed defense. Register for a FREE community account to access the tons of content included in this blog post, as well as thousands of other community detections. Subscribers also get advanced features like a no-code detection builder, one-click deployments to leading SIEMs and EDRs like Chronicle, Sentinel, Splunk, CrowdStrike and SentinelOne, advanced threat profiles to prioritize relevant threats, and customized reports that track MITRE ATT&CK coverage and more!
References
- SnapAttack
- CVE-2024-29510 – Exploiting Ghostscript using format strings – Codean Labs
- GitHub – Neo23x0/auditd: Best Practice Auditd Configuration
- GitHub – Sysinternals/SysmonForLinux
- Tuning auditd: high-performance Linux Auditing
- The detection engineer's guide to Linux – Red Canary
Linux Detection Opportunities for CVE-2024-29510 was originally published in SnapAttack on Medium, where people are continuing the conversation by highlighting and responding to this story.
*** This is a Security Bloggers Network syndicated blog from SnapAttack - Medium authored by Trenton Tait. Read the original post at: https://blog.snapattack.com/linux-detection-opportunities-for-cve-2024-29510-6a32e1f79950?source=rss----3bac186d1947---4

