CVE-2023-36664: Artifex Ghostscript Permission Validation Flaw in Pipe Devices

In this post, we discuss a critical vulnerability in the popular open-source software Artifex Ghostscript, which has been assigned the identifier CVE-2023-36664. Ghostscript is a high-performance interpreter for Adobe's PostScript and Portable Document Format (PDF) page description languages. The vulnerability is present in versions of Ghostscript through 10.01.2 and exposes systems to potential exploitation through the mishandling of permission validation for pipe devices.

Vulnerability Details

Artifex Ghostscript versions through 10.01.2 contain a flaw in its permission validation mechanism for pipe devices that use the %pipe% prefix or the | (pipe) character prefix. This vulnerability could allow an attacker to bypass certain restrictions and execute commands with elevated privileges.

This vulnerability can lead to a variety of security issues, including arbitrary code execution, unauthorized access to sensitive information, and denial of service.

Exploit Details

To understand how this exploit works, let's first delve into how Ghostscript processes the pipe devices. When Ghostscript encounters a filename starting with %pipe% or |, it attempts to execute the given command, typically for sending data to a printer or another application.

The vulnerability occurs because, in some cases, Ghostscript does not properly validate the permissions for these pipe devices, allowing attackers to exploit this flaw and gain unauthorized access.

Here is a code snippet demonstrating how this vulnerability can be exploited

%!PS
% Ghostscript CVE-2023-36664
% Example exploit
(InputFile) (r) file dup /OutputFile (%pipe%cat - > /tmp/CVE-2023-36664-exploit) writestring closefile

In this example, the attacker has embedded a malicious command in the /OutputFile definition, which utilizes the %pipe% prefix. When the Ghostscript engine processes this file, it will attempt to execute the command cat - > /tmp/CVE-2023-36664-exploit, which copies the contents of the InputFile into a file with the name /tmp/CVE-2023-36664-exploit. This can potentially lead to arbitrary code execution on the victim's machine.

Original References

1. The vulnerability was reported to Artifex Ghostscript's mailing list, and the original discussion can be found here:
  https://bugs.ghostscript.com/show_bug.cgi?id=703928

The official CVE entry can be found here:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36664

Mitigation

Users of Artifex Ghostscript are strongly encouraged to update their software as soon as possible. The latest version can be downloaded from the Artifex Ghostscript website (https://www.ghostscript.com/download/gsdnld.html), where the developers have patched the vulnerability.

Conclusion

CVE-2023-36664 is a critical vulnerability in Artifex Ghostscript that could enable attackers to execute arbitrary code on affected systems. To protect against this threat, it is essential for users to update their software to the latest version and stay informed about any future security releases or patches.

Timeline

Published on: 06/25/2023 22:15:00 UTC
Last modified on: 08/02/2023 15:42:00 UTC