Ghostscript, an open-source interpreter for the PostScript language and PDF files that is widely used on Linux, was found to be vulnerable to a critical-severity remote code execution flaw.
The flaw is tracked as CVE-2023-36664, has a CVSS v3 rating of 9.8, and impacts all versions of Ghostscript prior to 10.01.2, which is the latest available version, released three weeks ago.
According to Kroll analysts G. Glass and D. Truman, who developed a proof-of-concept (PoC) exploit for the vulnerability, code execution can be triggered when a specially crafted malicious file is opened.
Because Ghostscript is installed by default in many Linux distributions and is used by software such as LibreOffice, GIMP, Inkscape, Scribus, ImageMagick and the CUPS printing system, there are many ways for a crafted file to reach a vulnerable Ghostscript without the user ever invoking it directly.
Kroll also notes that the problem affects open-source applications on Windows if they use a port of Ghostscript.
The Ghostscript Flaw
CVE-2023-36664 is related to operating system pipes, which let different applications exchange data by passing the output of one as the input of another; Ghostscript exposes them through its %pipe% device, which runs a command and reads from or writes to it instead of a file.
The problem stems from the gp_file_name_reduce() function in Ghostscript, which combines path components and reduces the result by removing relative path references (such as "." and "..") for efficiency.
However, a specially crafted path can make this function return an unexpected result, which allows validation mechanisms to be bypassed and opens the door to exploitation.
When Ghostscript opens a file, it also calls a second function, gp_validate_path(), to check whether the location is permitted.
However, because the vulnerable function modifies the path before this second function performs its check, the string that is validated is not the one Ghostscript later acts on, and it is trivial for an attacker to force Ghostscript to process files, or pipes, in locations that should be prohibited.
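To make the ordering problem concrete, the following toy model is an added example written for this page; it is not Ghostscript's code and not the Kroll proof of concept, and it executes nothing. The function names reduce_path(), open_for_write_vulnerable() and open_for_write_fixed(), the relative allowlist "gs-out/" and the sample paths are all constructed. The vulnerable variant reduces the path, validates the reduced string, then dispatches on the raw string, so a pipe name hidden behind a ".." segment passes the check; the hardened variant classifies the raw path first, never reduces a pipe name, and acts only on the exact string it validated.

```python
"""Toy model of a 'validate the reduced path, act on the raw path' bug.

Constructed illustration only (not Ghostscript's code and not the Kroll
PoC): nothing here spawns a process or touches the file system. It models
the ordering problem described in the article: the reducer collapses '.'
and '..' before the safety check runs, so the string that gets checked is
not the string that is acted on afterwards.
"""

PIPE_PREFIX = "%pipe%"                 # Ghostscript's pipe device prefix
PERMITTED_WRITE_DIRS = ("gs-out/",)    # constructed allowlist: one relative output dir


def reduce_path(path: str) -> str:
    """Collapse '.' and '..' segments like a generic path normaliser.

    Toy stand-in for gp_file_name_reduce(). It knows nothing about the
    %pipe% prefix, so a leading '%pipe%cmd' segment is just another
    directory name that a following '..' cancels out.
    """
    absolute = path.startswith("/")
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return ("/" if absolute else "") + "/".join(out)


def _permitted(reduced: str) -> bool:
    """Allowlist check on an already-reduced path."""
    return any(reduced.startswith(d) for d in PERMITTED_WRITE_DIRS)


def open_for_write_vulnerable(path: str):
    """Buggy order: reduce, validate the REDUCED string, dispatch on the RAW string."""
    reduced = reduce_path(path)
    if reduced.startswith(PIPE_PREFIX) or not _permitted(reduced):
        return ("denied", reduced)
    # Dispatch inspects the original path, which the check above never saw.
    if path.startswith(PIPE_PREFIX):
        # In the real interpreter this is where a command would be spawned.
        return ("pipe", path[len(PIPE_PREFIX):])
    return ("file", reduced)


def open_for_write_fixed(path: str):
    """Hardened order: classify the raw path first, never reduce a pipe name,
    and act on exactly the string that was validated."""
    if path.startswith(PIPE_PREFIX):
        # SAFER-style policy: pipes are refused outright, and the name is
        # inspected unreduced so '..' segments cannot change its class.
        return ("denied", path)
    reduced = reduce_path(path)
    if not _permitted(reduced):
        return ("denied", reduced)
    return ("file", reduced)


if __name__ == "__main__":
    # Constructed sample inputs: a benign output file and a pipe name that
    # a following '..' segment hides from the reduced-path check.
    benign = "gs-out/report.pdf"
    crafted = "%pipe%id > pwned/../gs-out/report.pdf"
    for fn in (open_for_write_vulnerable, open_for_write_fixed):
        print(fn.__name__, benign, "->", fn(benign))
        print(fn.__name__, crafted, "->", fn(crafted))
```

The bypass in the model works because reduce_path() turns "%pipe%id > pwned/../gs-out/report.pdf" into "gs-out/report.pdf", which satisfies the allowlist, while the dispatch step still sees the %pipe% prefix on the raw string. The general lesson is the same one the patch applies: decide what kind of resource a name refers to before any rewriting, and make sure the string you validate is byte-for-byte the string you use.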
Kroll analysts have created a PoC that is triggered by opening an Encapsulated PostScript (EPS) file in any application that uses Ghostscript.
In a demo video, the researchers show the exploit running in Inkscape on Windows, performing actions such as opening the calculator or displaying dialog boxes to the user.
Linux users should upgrade to Ghostscript 10.01.2 using their distribution's package manager. Note that some distributions backport the fix without changing the version number reported by "gs --version", so check the distribution's own security advisory rather than relying on the version string alone.
Unfortunately, open-source software on Windows that bundles a port of Ghostscript will naturally take longer to pick up the new version, and updating a system-wide Ghostscript does not fix a copy shipped inside another application. Extra caution is therefore recommended with Windows installations until each affected application has updated its bundled Ghostscript.
To help detect exploitation of CVE-2023-36664, Kroll has shared Sigma rules in a GitHub repository.