The popular Google Project Zero white hat hacker Tavis Ormandy has found a critical remote code execution (RCE) vulnerability in Ghostscript.
Ghostscript is an open source suite of software based on an interpreter for Adobe Systems’ PostScriptand Portable Document Format (PDF) page description languages.
Ghostscript is a multiplatform software written in C language, it allows to convert PostScript language files (or EPS) to several raster formats (i.e. PDF, XPS, PCL or PXL).
Many PDF and image editing software such as GIMP and ImageMagick leverage the library to convert file formats.
Ghostscript implements a -dSAFER sandbox protection option that handles untrusted documents, it aims at preventing malicious PostScript operations from being executed.
A couple of years ago, Ormandy disclosed several -dSAFER sandbox escapes in the popular library, at the time he found a few file disclosure, shell command execution, memory corruption and type confusion bugs.
Now Ormandy discovered that the library contains multiple -dSAFER sandbox bypass flaws that could be exploited by a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.
A remote attacker can trigger the flaw by sending a specially crafted malicious file (i.e. PDF, PS, EPS, or XPS) to the victim. Once the victim has opened the file with an application using vulnerable software, the attacker will be able to execute arbitrary code of the system and to take over it.
Artifex Software, the company that maintains the open source software still hasn’t released any security update to address the vulnerability.
The US-CERT published a security advisory to warn that applications using the Ghostscript library by default to process PostScript content are vulnerable.
“Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.” reads the security advisory.
“By causing Ghostscript or a program that leverages Ghostscript to parse a specially-crafted file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code.”
Both RedHat and Ubuntu distros have confirmed that they are affected by this vulnerability.
Ormandy recommends Linux distros to disable the processing of PS, EPS, PDF, and XPS content until the vulnerability is fixed.
“I *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default,” suggested Ormandy.