Unpatched Remote Code Execution in Ghostscript Revealed by Google

Ghostscript, a mainstream raster image processor and back-end raster image converter for PDF has been discovered of harboring a critical vulnerability, a zero-day remote code execution flaw. Ghostscript is an open standard, almost all image applications dealing with raster graphics bundle it by default. “I found a few file disclosure, shell command execution, memory corruption and type confusion bugs. There was also one that was found exploited in the wild <http://ghostbutt.com/>. There was also a similar widely exploited issue <https://imagetragick.com/> that could be exploited identically.” said Tavis Ormandy, Google Project Zero researcher.

The attacker needs to craft a malformed PDF, EPS or XPS file, once executed by the user, the embedded malicious code in the file will trigger the vulnerability. The exploit can be chained with a malware attack in order to magnify the damage. The Ghostscript interpreter for all platforms supported needs to be patched in order to prevent the execution of the malformed PDF/EPS/XPS file. The attack can also be mitigated by isolating the execution of the Ghostscript raster engine in a virtual machine, quarantine the possible damage inside a hypervisor environment only.

“These bugs were found manually, I also wrote a fuzzer and I’m working on minimizing a very large number of testcases that I’m planning to report over the next few days. I will just file those issues upstream and not post each individual one here, you can monitor https://bugs.ghostscript.com/ if you want to.  I expect there to be several dozen unique bugs,” added Ormandy.

The attacker may now use any application on the machine for his purpose. Artifex, the developer, and maintainer of Ghostscript has yet to issue an emergency patch to fix the issue.

All mainstream operating systems are affected, as Windows ships with built-in XPS and PDF interpreters, while Unix, Linux, and MacOS bundle Ghostscript-compatible interpreters to render raster graphics. Cert.org has published an official list of affected software and platforms.

This is the 3rd time when Ormandy revealed a security problem with Ghostscript, he also did the same two years ago and on April 2017.

Ghostscript being adapted to almost all known platforms and operating system, exploit kits are sold on the black market to take advantage of its vulnerability. Soon enough, the remote code execution exploits discovered by Ormandy will be part of well-known exploit kits for years to come. On a normal patching process not all users and companies install updates that fix both known and zero-day vulnerabilities.

“I really *strongly* suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default. I think this is the number one “unexpected Ghostscript” vector, imho this should happen asap. IMHO, -dSAFER is a fragile security boundary at the moment, and executing untrusted postscript should be discouraged, at least by default,” Ormandy concluded.