A vulnerability was found in Ghostscript that could allow code execution

Few ago days they released the news of what was identified a vulnerability in Ghostscript (CVE-2020-15900) what could cause file modification and arbitrary command execution when opening specially formatted PostScript documents.

For those who are unfamiliar with Ghostscript should know that this is a rendering engine for Postscript and PDF content and it is commonly used to convert PDF and Postscript documents into images for preview, thumbnail and printing purposes.

It is also used for full-quality document reproduction for many PDF viewers, including popular viewers on Android, and is licensed by several large companies such as Google for rendering in the cloud.

About the vulnerability in Ghostscript

The bug was identified in the use of the rsearch operator Non-standard PostScript in a document that allows to cause an overflow of type uint32_t when calculating the size, overwrite memory areas out of buffer assigned and gain access to files on the filesystem, which can be used to stage an attack to execute arbitrary code on the system (for example, by adding commands to ~ / .bashrc or ~ / .profile).

The snippet found by AFL pushed an empty string onto the stack: the empty brackets (), copied the reference to this, resulting in a stack with two empty strings () () and then did the reverse lookup. In other words, it was looking for an empty string in an empty string, starting from the end.

Unfortunately they missed a borderline case where the empty string is searched. When searching for an empty string, this is defined as immediate success - there is nothing to search for, so we jump right to the end. However, the result must be divided into the pre-match, match, and post-match values. Unfortunately, the code assumed that we had looked at least once and calculated the length of the post-match result incorrectly by subtracting one from zero, resulting in a return to the maximum value: 4,294,967,295.

This error it is a memory corruption defect where there is a possibility of failure and it happens all the time. No need to deal with stack guards etc., just read and write whatever you want to a massive memory segment. This made it quite easy for someone who is not an experienced exploit writer to exploit it.

Due to this underflow, this string had never been allocated and did not take up real space, but it had a length that extended to another memory. Trying to read or write that memory in random addresses would go out of memory limits, hence all the faults in fuzzing. However, we could store the reference to allow its use using this code snippet:

It is important to take into account that vulnerabilities in Ghostscript are more seriousas this package is used in many popular PostScript and PDF processing applications. For example, Ghostscript is called when creating thumbnails on the desktop, when indexing data in the background, and when converting images.

For a successful attack, in many cases, it is sufficient to simply download the exploit file or browse the directory with it in Nautilus.

Vulnerabilities in Ghostscript can also be exploited through image drivers based on the ImageMagick and GraphicsMagick packages, passing a JPEG or PNG file, which contains PostScript code instead of an image (this file will be processed in Ghostscript, since the MIME type is recognized by the content, and without depending on the extension).

Solution

The issue affects versions 9.50 to 9.52 (The bug has been around since version 9.28rc1, but according to the researchers who identified the vulnerability, it appeared since version 9.50).

But a fix was already proposed in version 9.52.1 in addition to that andupdates have been published of patch packages for some Linux distributions such as Debian, Ubuntu and SUSE.

Whereas packages in RHEL are not affected.

Source: https://insomniasec.com


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published.

*

*

  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.