Ghostscript, an open-source interpreter for the PostScript language and PDF files that is widely used on Linux, has been found vulnerable to a critical-severity remote code execution flaw.
The flaw is tracked as CVE-2023-36664, having a CVSS v3 rating of 9.8, and impacts all versions of Ghostscript before 10.01.2, which is the latest available version released three weeks ago.
According to Kroll's analysts, G. Glass and D. Truman, who developed a proof of concept (PoC) exploit for the vulnerability, code execution can be triggered upon opening a malicious, specially-crafted file.
Considering that Ghostscript is installed by default in numerous Linux distributions and used by software such as LibreOffice, GIMP, Inkscape, Scribus, ImageMagick, and the CUPS printing system, opportunities to trigger CVE-2023-36664 are abundant.
Kroll also comments that the problem affects open-source apps on Windows, too, if those use a port of Ghostscript.
The Ghostscript flaw
The CVE-2023-36664 flaw is related to OS pipes, which allow different applications to exchange data by passing outputs from one as inputs to another.
The issue arises from the "gp_file_name_reduce()" function in Ghostscript, which takes multiple path components, combines them, and simplifies the result by removing relative path references for efficiency.
However, when a specially crafted path is passed to this function, it can return unexpected results, allowing the validation mechanisms to be bypassed and opening the door to exploitation.
Additionally, when Ghostscript attempts to open a file, it uses another function called "gp_validate_path" to check if its location is safe.
However, because the vulnerable function changes the path before that second function performs its check, it is trivial for an attacker to exploit the loophole and force Ghostscript to operate on files in locations that should be off-limits.
Kroll's analysts created a PoC that is triggered by opening an EPS (Encapsulated PostScript) file in any application that uses Ghostscript.
In a demonstration video, the researchers showcase the exploit in Inkscape on Windows, performing actions such as opening the calculator or displaying dialogs to the user.
It is recommended that Linux users upgrade to the latest version of Ghostscript, 10.01.2, using their distribution's package manager.
If the latest Ghostscript has not been made available yet on your distribution's software channels, it is recommended to compile it from the source code.
Unfortunately, open-source software on Windows that uses ports of Ghostscript will naturally need more time to move to the latest version of the tool, so extra caution is advised for Windows installations.
To help detect CVE-2023-36664, Kroll has shared Sigma rules in a GitHub repository.
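A coarse file-content triage check that complements host-level Sigma rules, added here as an example and not code from Kroll or the Ghostscript project: it lexes the string literals of a PostScript/EPS file and flags those naming the pipe device with the %pipe% or | prefix that the CVE description mentions. The sample EPS is constructed and the command name in it is a placeholder.

```python
# Pipe device prefixes named in the CVE-2023-36664 description.
PIPE_PREFIXES = (b"%pipe%", b"|")


def extract_strings(data: bytes):
    """Yield (start, end, content) for each '( ... )' PostScript string.

    Skips '%' comments, tracks nested parentheses and takes a backslash-
    escaped byte literally: enough for prefix matching, not a full lexer.
    """
    i, n = 0, len(data)
    while i < n:
        if data[i:i + 1] == b"%":            # comment runs to end of line
            i = data.find(b"\n", i)
            if i < 0:
                return
        elif data[i:i + 1] == b"(":
            start, depth, j, buf = i, 1, i + 1, bytearray()
            while j < n:
                c = data[j:j + 1]
                if c == b"\\" and j + 1 < n:  # escaped byte, kept literally
                    buf += data[j + 1:j + 2]
                    j += 2
                    continue
                depth += (c == b"(") - (c == b")")
                if depth == 0:
                    break
                buf += c
                j += 1
            yield start, j + 1, bytes(buf)
            i = j
        i += 1


def find_pipe_devices(data: bytes):
    """Return one finding per string operand that starts with a pipe prefix."""
    findings = []
    for start, end, content in extract_strings(data):
        if content.startswith(PIPE_PREFIXES):
            # Keep what follows the operand (e.g. the access mode and operator).
            context = data[end:end + 40].split(b"\n", 1)[0].strip()
            findings.append({"offset": start, "string": content, "context": context})
    return findings


# Constructed sample: one benign string and two pipe-device operands.
SAMPLE_EPS = b"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
(Hello \\(world\\)) show
(%pipe%PLACEHOLDER_COMMAND) (w) file
(|PLACEHOLDER_COMMAND) (r) file
showpage
"""
```

Run `find_pipe_devices(open(path, "rb").read())` on a suspect file; obfuscated content (hex strings, strings assembled at run time) evades a static check like this, which is why process-level detection still matters.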
Comments
h_b_s - 9 months ago
I think it's worth mentioning that there's likely other RCEs in Ghostscript, as it is an interpreter in its own right. Both PostScript (PS) and Portable Document Format (PDF) are computer languages with some very dubious features from a security standpoint. Any document viewer or printer capable of displaying them is necessarily going to be an interpreter. By definition interpreters execute computer code.
JohnC_21 - 9 months ago
Per the CVE:
Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).
So does this mean 10.01.2 is also affected?
Per Debian dated Jul 3 2023
https://www.debian.org/security/2023/dsa-5446
For the oldstable distribution (bullseye), this problem has been fixed in version 9.53.3~dfsg-7+deb11u5.
For the stable distribution (bookworm), this problem has been fixed in version 10.0.0~dfsg-11+deb12u1.