Unpatched Ghostscript Flaws Allow Remote Takeover of Systems

Researchers have uncovered vulnerabilities in the widely deployed Ghostscript package that allow bad actors to remotely take control of vulnerable systems. No patch is currently available for the multiple flaws discovered.

Ghostscript is a suite of tools used by hundreds of applications and libraries; it lets desktop software and web servers handle Adobe Systems’ PostScript and PDF page description languages.

Multiple bypass vulnerabilities, disclosed Tuesday, exist in the suite’s optional -dSAFER feature, which is ironically supposed to prevent unsafe PostScript operations. By causing Ghostscript (or a program leveraging Ghostscript) to parse a specially-crafted malicious file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code.

“Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments,” according to a vulnerability note issued Tuesday by CERT. “This vulnerability can also be exploited in applications that leverage Ghostscript, such as ImageMagick and GraphicsMagick.”

The vulnerabilities were discovered by Google Project Zero researcher Tavis Ormandy, who had previously found similar Ghostscript bugs (also in its -dSAFER feature) in 2016.

“These bugs were found manually, I also wrote a fuzzer and I’m working on minimizing a very large number of testcases that I’m planning to report over the next few days,” he wrote in a description of the issue. “I will just file those issues upstream and not post each individual one here… I expect there to be several dozen unique bugs.”

Essentially, to exploit the vulnerabilities, an attacker would first need to send a victim a specially crafted PostScript, PDF, Encapsulated PostScript (EPS) or XML Paper Specification (XPS) file containing malicious code. When the victim opens the file with an application that uses a vulnerable Ghostscript, the code in the file executes, according to CERT, enabling bad actors to run arbitrary commands.

The flaws are problematic on multiple fronts: not only can they be exploited remotely, but the attacker does not need to be authenticated. Making matters worse, no patch was being rolled out as of Wednesday: CERT/CC is currently unaware of a practical solution to the problem, and the flaws do not yet even have a CVE number.

Artifex Software, the developers behind Ghostscript, did not reply to a request for comment from Threatpost.

Ghostscript is used pretty much everywhere and has been for a very long time, and several vendors, including ImageMagick, Red Hat and Ubuntu, are affected. Affected packages such as GIMP (a Photoshop alternative) and ImageMagick (widely used by web applications) are prevalent to the point of being considered standard for processing PDF files.

It is unknown whether other users, such as Apple, Dell EMC and Arista Networks, are affected.

The vulnerabilities can have serious implications. “This exploit has the potential for file-system access leading to sensitive data leaks and more, [so] it can be the beachhead opportunity for a more comprehensive data breach,” Stephen Giguere, sales engineer at Synopsys, said in an email. “This Ghostscript exploit is a premium example of cascading dependencies on open-source software packages, where the dependency of a core component may not be easily upgraded.”

Giguere said that even if or when a fix is available, vendors still need to incorporate the patches into their software and release new versions with a fix.

“This creates a second level of potential delay,” he said. “Not only does protection against this rely on the authors fixing the defect at source quickly, it then relies on its incorporation into its next level usage and then again into websites and applications which in turn use that. This could create a significant window of opportunity for malicious actors to weaponize it.”

Ormandy stressed that, in the meantime, users should disable the PS, EPS, PDF and XPS coders by default; that is the only defense until a fix is available.

“I really *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default,” Ormandy wrote in the writeup of the flaw. “I think this is the number one ‘unexpected ghostscript’ vector… this should happen asap. IMHO, -dSAFER is a fragile security boundary at the moment, and executing untrusted postscript should be discouraged, at least by default.”
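The policy.xml change Ormandy recommends can be audited and applied mechanically. The script below is an added example written for this article, not code from Ormandy, Artifex or ImageMagick; it assumes ImageMagick's policy.xml layout (a `<policymap>` of `<policy domain="coder" rights="none" pattern="PS"/>` entries) and uses a constructed sample policy that blocks PS and PDF but leaves EPS readable and XPS unmentioned.

```python
"""Audit and harden an ImageMagick policy.xml for the Ghostscript-backed coders.

Added example, not part of the original article. The <policymap>/<policy>
layout is ImageMagick's; SAMPLE_POLICY is constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Coders the article says distributions should disable while -dSAFER is unpatched.
GHOSTSCRIPT_CODERS = ("PS", "EPS", "PDF", "XPS")

# Constructed sample: PS and PDF are blocked, EPS is still readable, XPS is absent.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="read" pattern="EPS"/>
</policymap>
"""


def denied_coders(policy_xml):
    """Return the set of coder patterns whose rights are explicitly 'none'."""
    root = ET.fromstring(policy_xml)
    denied = set()
    for policy in root.iter("policy"):
        if policy.get("domain") != "coder":
            continue  # resource/path/etc. entries do not restrict coders
        if policy.get("rights", "").strip().lower() == "none":
            denied.add(policy.get("pattern", "").upper())
    return denied


def still_enabled(policy_xml, coders=GHOSTSCRIPT_CODERS):
    """List the Ghostscript-backed coders the policy does not block."""
    denied = denied_coders(policy_xml)
    return [c for c in coders if c not in denied]


def hardened_policy(policy_xml, coders=GHOSTSCRIPT_CODERS):
    """Return policy_xml with every listed coder set to rights="none".

    Existing entries for a coder are tightened in place rather than duplicated;
    coders with no entry at all get a new <policy> appended.
    """
    root = ET.fromstring(policy_xml)
    seen = set()
    for policy in root.iter("policy"):
        pattern = policy.get("pattern", "").upper()
        if policy.get("domain") == "coder" and pattern in coders:
            policy.set("rights", "none")
            seen.add(pattern)
    for coder in coders:
        if coder not in seen:
            ET.SubElement(root, "policy", domain="coder", rights="none", pattern=coder)
    return ET.tostring(root, encoding="unicode")
```

Running `still_enabled(SAMPLE_POLICY)` flags EPS and XPS as still usable; `hardened_policy` returns a policymap in which all four coders are denied.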