
Ghostscript, an open-source interpreter for the PostScript language and PDF files that is widely used on Linux, has been found vulnerable to a critical-severity remote code execution flaw.
The flaw is tracked as CVE-2023-3664, has a CVSS v3 score of 9.8, and affects all versions of Ghostscript before 10.01.2, which is the latest available version, released three weeks ago.
According to Kroll's analysts, G. Glass and D. Truman, who developed a proof of concept (PoC) exploit for the vulnerability, code execution can be triggered by opening a malicious, specially crafted file.
Considering that Ghostscript is installed by default in many Linux distributions and used by software such as LibreOffice, GIMP, Inkscape, Scribus, ImageMagick, and the CUPS printing system, opportunities to trigger CVE-2023-3664 are generally plentiful.
Kroll also notes that the problem affects open-source applications on Windows, too, if they use a port of Ghostscript.
The Ghostscript flaw
The CVE-2023-3664 flaw is related to OS pipes, which allow different applications to exchange data by passing the output of one as the input to another.
The issue arises from the "gp_file_name_reduce()" function in Ghostscript, which appears to take multiple paths and combine and simplify them by removing relative path references for efficiency.
However, if a specially crafted path is given to the vulnerable function, it may return unexpected results, leading to a bypass of the validation mechanisms and potential exploitation.
Furthermore, when Ghostscript attempts to open a file, it uses another function called "gp_validate_path" to check whether the file's location is safe.
However, because the vulnerable function changes the location details before that second function's check, it is trivial for an attacker to exploit the loophole and force Ghostscript to handle files in locations that should be off-limits.
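The design problem described above, a path-simplifying step and a path-validating step that do not agree on which string is the real target, is illustrated below with an added example. This is not Ghostscript's code: `reduce_path`, `validate_path`, `ALLOWED_ROOT` and the sample request are hypothetical stand-ins chosen to show the defensive principle that the string that is validated must be exactly the string that is used to open the file, and that any reduction applied in between must be re-checked.

```python
"""
Hypothetical illustration (not Ghostscript source) of a reducer and a
validator that disagree about the target path, next to the corrected ordering.
"""
from __future__ import annotations

# Constructed policy: the only directory this toy validator permits.
ALLOWED_ROOT = "allowed/"


def reduce_path(path: str) -> str:
    """Collapse '.' and '..' segments the way a path-simplifying helper would.
    Hypothetical; the real gp_file_name_reduce() is considerably more involved."""
    out: list[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/".join(out)


def validate_path(path: str) -> bool:
    """Hypothetical policy check: only paths under ALLOWED_ROOT may be opened."""
    return path.startswith(ALLOWED_ROOT)


def open_unsafe(requested: str) -> str | None:
    """Broken arrangement: the validator inspects the raw request, but the
    reduced path is what is actually used. Returns the path that would be opened."""
    if not validate_path(requested):
        return None
    return reduce_path(requested)  # may no longer lie under ALLOWED_ROOT


def open_safe(requested: str) -> str | None:
    """Corrected arrangement: reduce first, then validate the final string."""
    final = reduce_path(requested)
    if not validate_path(final):
        return None
    return final


if __name__ == "__main__":
    # Constructed sample: a request whose raw form satisfies a naive prefix check.
    sample = "allowed/sub/../../private.txt"
    print("unsafe ->", open_unsafe(sample))  # prints 'private.txt' (escaped the root)
    print("safe   ->", open_safe(sample))    # prints None (rejected)
```

The point of the pairing is not the specific `..` trick, which is generic, but the ordering: a validator that runs on a different string than the one handed to the file-opening routine provides no guarantee about what is actually opened.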
Kroll's analysts created a PoC that is triggered by opening an EPS (Embedded PostScript) file in any application that uses Ghostscript.
In the following demonstration video, the researchers showcase the exploit in Inkscape on Windows, performing actions such as opening the calculator or displaying dialogs to the user.
Linux users are advised to upgrade to the latest version of Ghostscript, 10.01.2, using their distribution's package manager.
If the latest Ghostscript has not yet been made available in your distribution's software channels, it is strongly recommended to compile it from the source code.
Unfortunately, open-source software on Windows that uses ports of Ghostscript will naturally take more time to move to the latest version of the tool, so extra caution is advised with installs on Windows.
To help detect CVE-2023-3664, Kroll has shared Sigma rules in this GitHub repository.
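As an added example of the kind of detection the paragraph above points to, the script below scans process-creation events for a Ghostscript binary, or an application that embeds Ghostscript, launching a child process that a document renderer has no reason to start (the demonstration video shows the calculator being opened). This is not Kroll's Sigma rule set: the parent and child image lists, the Sysmon-style field names and the log lines are all assumptions constructed for this example, and a real deployment would tune them to the environment.

```python
"""
Added detection example (not Kroll's rules): flag Ghostscript-related parents
spawning unexpected children in JSON-per-line process-creation logs.
"""
from __future__ import annotations
import json

# Assumed parent image names: Ghostscript itself and some of the hosts named above.
GHOSTSCRIPT_PARENTS = {
    "gswin64c.exe", "gswin32c.exe", "gs",          # Ghostscript binaries
    "inkscape.exe", "gimp-2.10.exe", "soffice.bin",  # applications embedding it
    "convert.exe", "magick.exe",                    # ImageMagick front ends
}
# Assumed children that a document or image renderer should never launch.
SUSPICIOUS_CHILDREN = {
    "calc.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "sh", "bash",
}


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when a Ghostscript-related parent launches a suspicious child."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent in GHOSTSCRIPT_PARENTS and child in SUSPICIOUS_CHILDREN


def scan(lines: list[str]) -> list[dict]:
    """Return the matching events; malformed lines are skipped, not fatal."""
    hits: list[dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(event):
            hits.append(event)
    return hits


# Constructed sample log lines (Sysmon-style field names, made up for this example).
SAMPLE_LOG = [
    '{"EventID":1,"ParentImage":"C:\\\\Program Files\\\\Inkscape\\\\bin\\\\inkscape.exe",'
    '"Image":"C:\\\\Windows\\\\System32\\\\calc.exe"}',
    '{"EventID":1,"ParentImage":"C:\\\\Program Files\\\\Inkscape\\\\bin\\\\inkscape.exe",'
    '"Image":"C:\\\\Program Files\\\\Inkscape\\\\bin\\\\gswin64c.exe"}',
    '{"EventID":1,"ParentImage":"C:\\\\Windows\\\\explorer.exe",'
    '"Image":"C:\\\\Windows\\\\System32\\\\calc.exe"}',
    '{"EventID":1,"ParentImage":"/usr/bin/gs","Image":"/bin/sh"}',
    'not json at all',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT:", image_name(hit["ParentImage"]), "->", image_name(hit["Image"]))
```

Only the first and fourth constructed events match: Inkscape launching its bundled Ghostscript is expected behaviour and is not flagged, and the calculator started from Explorer has no Ghostscript parent. Restricting the rule to a known-parent plus unexpected-child pair is what keeps its false-positive rate workable.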
