Google Project Zero's security researcher has discovered a critical remote code execution (RCE) vulnerability in Ghostscript—an open source interpreter for Adobe Systems' PostScript and PDF page description languages.
Written entirely in C, Ghostscript is a package of software that runs on different platforms, including Windows, macOS, and a wide variety of Unix systems, offering software the ability to convert PostScript language files (or EPS) to many raster formats, such as PDF, XPS, PCL or PXL.
A lot of popular PDF and image editing software, including ImageMagick and GIMP, use Ghostscript library to parse the content and convert file formats.
Ghostscript suite includes a built-in -dSAFER sandbox protection option that handles untrusted documents, preventing unsafe or malicious PostScript operations from being executed.
However, Google Project Zero team researcher Tavis Ormandy discovered that Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which could allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.
To exploit this vulnerability, all an attacker needs to do is sending a specially crafted malicious file (which could be a PDF, PS, EPS, or XPS) to a victim, which, if opened with an application leveraging vulnerable Ghostscript, could allow the attacker to completely take over the targeted system.
At the time of writing, Artifex Software, the maintainers of Ghostscript, have not released any patch to fix the vulnerability.
According to advisory released by US-CERT, applications like the ImageMagick image processing library, which uses Ghostscript by default to process PostScript content, are affected by the vulnerability.
Major Linux distributions including RedHat and Ubuntu have confirmed that they are also affected by this vulnerability, while the status for Arch Linux, CentOS, Debian, Dell, Apple, and others is still unknown.
Ormandy advised Linux distributions to disable the processing of PS, EPS, PDF, and XPS content until the issue is addressed.
Written entirely in C, Ghostscript is a package of software that runs on different platforms, including Windows, macOS, and a wide variety of Unix systems, offering software the ability to convert PostScript language files (or EPS) to many raster formats, such as PDF, XPS, PCL or PXL.
A lot of popular PDF and image editing software, including ImageMagick and GIMP, use Ghostscript library to parse the content and convert file formats.
Ghostscript suite includes a built-in -dSAFER sandbox protection option that handles untrusted documents, preventing unsafe or malicious PostScript operations from being executed.
However, Google Project Zero team researcher Tavis Ormandy discovered that Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which could allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.
To exploit this vulnerability, all an attacker needs to do is sending a specially crafted malicious file (which could be a PDF, PS, EPS, or XPS) to a victim, which, if opened with an application leveraging vulnerable Ghostscript, could allow the attacker to completely take over the targeted system.
At the time of writing, Artifex Software, the maintainers of Ghostscript, have not released any patch to fix the vulnerability.
According to advisory released by US-CERT, applications like the ImageMagick image processing library, which uses Ghostscript by default to process PostScript content, are affected by the vulnerability.
Major Linux distributions including RedHat and Ubuntu have confirmed that they are also affected by this vulnerability, while the status for Arch Linux, CentOS, Debian, Dell, Apple, and others is still unknown.
Ormandy advised Linux distributions to disable the processing of PS, EPS, PDF, and XPS content until the issue is addressed.
"I *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default," Ormandy said.This is not the first time when Ormandy has discovered issues in Ghostscript. He found similar high severity vulnerabilities in Ghostscript in October 2016 and April last year (CVE-2017-8291), some of which were found actively exploited in the wild.