Unpatched vulnerability in GhostScript interpreter

[German]A major vulnerability in the GhostScript interpreter has just gone public. There is no patch yet. The vulnerability may allow the victim's machine to be taken over. Here is some information on the topic, since GhostScript is included in many products and is available on virtually all operating systems.



What is GhostScript?

GhostScript (GS) is a suite of software based on an interpreter for Adobe Systems' PostScript and Portable Document Format (PDF) page description languages. Its main purposes are the rasterization or rendering of such page description language files, for the display or printing of document pages, and the conversion between PostScript and PDF files. GhostScript was developed by Peter Deutsch (the commercial license is available from Artifex Software). GS is available for Linux, Unix, VMS, Windows, macOS, Mac OS Classic, MS-DOS, OS/2 etc. GS is included in many software products (I suspect above all PDF printers and editors, but also Gimp, ImageMagick etc.).

The vulnerability in GhostScript

Tavis Ormandy, security researcher at Google Project Zero, has found a major vulnerability in Ghostscript and has now published details. There is already a thread from 2016 in which other problems with the sandbox are described. Now some more vulnerabilities are coming up.

I found a few file disclosure, shell command execution, memory corruption and type confusion bugs. There was also one that was found exploited in the wild. There was also a similar widely exploited issue that could be exploited identically.

Besides a file disclosure bug, shell commands can be executed and memory errors can be exploited. To exploit the bug discovered by Ormandy, an attacker must send a corrupted PostScript, PDF, EPS or XPS file to a victim. As soon as the file is opened in the Ghostscript interpreter, the malicious code contained in the file can be executed on the target computer.

The vulnerability, which has not yet received a CVE identifier, allows an attacker to take over applications and servers that use vulnerable versions of Ghostscript. A fix is apparently not yet available – and it takes time for an update to find its way into the various software packages. This may also pose a problem on servers where users can upload and convert PDF documents.



Ormandy suggests that [Software/Linux] distributions and products such as ImageMagick disable the PS, EPS, PDF and XPS coders by default in the policy.xml file. Here is a sample of such a policy entry. Details can be found in the Chromium blog. Some information can also be found at Bleeping Computer.
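As an added example (this is not the blog's own sample, nor a file shipped by ImageMagick or Artifex), the following policy.xml fragment shows what such entries look like. The policymap/policy element syntax and the domain="coder" / rights="none" attributes are ImageMagick's own policy format; the file location given in the comment is an assumption, since it varies by distribution and ImageMagick version.

```xml
<!-- Added example of an ImageMagick policy.xml fragment that denies the
     Ghostscript-backed coders. Typical location (assumption, distribution
     dependent): /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml.
     Place the <policy> lines inside the existing <policymap> element. -->
<policymap>
  <!-- rights="none" denies both reading and writing through the named coder,
       so ImageMagick will refuse to hand these formats to Ghostscript at all. -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
```

After editing the file, `convert -list policy` (or `identify -list policy`) prints the policies ImageMagick actually loaded, which is the quickest way to confirm the entries are in effect; attempting to convert a PDF should then fail with a "not authorized" error rather than invoking Ghostscript.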




This entry was posted in Security.
