A critical vulnerability has been discovered in Artifex Ghostscript, an interpreter for the PostScript language and Portable Document Format (PDF) files, which could allow adversaries to execute arbitrary commands and perform path traversal. Ghostscript has become an industry standard for the processing of PDF files, and is implemented in many software applications.
This vulnerability, denoted CVE-2024-33869, affects all versions of Ghostscript prior to 10.03.1. The issue allows attackers to bypass restrictions on the use of command pipes ("%pipe%") and execute commands via a carefully crafted PostScript document. For example, the command "aa/../%pipe%command#" in the output filename would enable the execution of arbitrary commands.
Details
The root cause of the vulnerability lies within the base/gpmisc.c file in Artifex Ghostscript source code. When processing certain PostScript documents, the path reduction performed in this file can result in a traversal attack. Consequently, commands that should be restricted, such as the %pipe% command, may be subsequently executed.
Exploit Details
To exploit this vulnerability, an attacker would create a malicious PostScript document containing the payload for the command and path traversal they wish to execute. When a vulnerable version of Artifex Ghostscript processes this crafted document, the flaw will be triggered, leading to the execution of the attacker's desired command.
For example, an attacker could use the following code snippet in their malicious document
%!PS
currentdevice
null
(aa/../%pipe%echo "This is CVE-2024-33869") (w) file
.write
flushfile
This code snippet demonstrates the bypassing of the %pipe% restriction by executing the command "echo 'This is CVE-2024-33869'". When a vulnerable version of Ghostscript processes the document, "This is CVE-2024-33869" would be printed.
Links and Original References
1. Artifex Ghostscript Official Website
2. Ghostscript GitHub Repository
3. CVE-2024-33869 - Official CVE Details
4. Artifex Software Advisory
Remediation and Mitigation
The Artifex Ghostscript development team has released version 10.03.1, which contains a patch that addresses this vulnerability. It is advised to update all Ghostscript installations to the latest version as soon as possible. In addition, users should exercise caution when processing PostScript documents from unknown sources, as they may contain exploits for this vulnerability.
Conclusion
CVE-2024-33869 is a critical vulnerability that affects Artifex Ghostscript prior to version 10.03.1. Attackers can exploit this flaw by crafting a malicious PostScript document that includes a path traversal and command execution payload, allowing for arbitrary code execution. Users are advised to update their Ghostscript installations to the latest version and exercise caution when handling PostScript files from unfamiliar sources.
Timeline
Published on: 07/03/2024 19:15:03 UTC
Last modified on: 10/31/2024 18:35:11 UTC