Security news that informs and inspires

Set of Serious Bugs Haunts Ghostscript

There’s a set of vulnerabilities in a widely implemented interpreter for PDFs and the PostScript language that attackers can use to steal files and other data from vulnerable servers. Several Linux distributions, including Ubuntu and Red Hat, are known to be vulnerable to the bugs, and there isn’t a common fix available for the flaws at the moment.

The bugs have been lurking for several years at least, but a Google security researcher this week posted details of some of them, bringing the issues back to light. The problems lie in the way that the Ghostscript interpreter handles some special files when a specific option is enabled. The -dSAFER option in the interpreter is designed to stop PostScript operations that aren’t safe, but Tavis Ormandy of Google’s Project Zero has discovered several methods for bypassing the option’s protection to run arbitrary code on a target system.

Along with the Linux distributions, a number of PDF viewers and readers, such as ImageMagick, are known to be vulnerable to these flaws. Ormandy said he is planning to report a number of other related bugs in the coming days.

“In the meantime, I really strongly suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default. I think this is the number one ‘unexpected ghostscript’ vector, imho this should happen asap. IMHO, -dSAFER is a fragile security boundary at the moment, and executing untrusted postscript should be discouraged, at least by default,” Ormandy wrote in an advisory on the issues.

Nearly two years ago, Ormandy posted information to a mailing list detailing some related vulnerabilities in Ghostscript and there have been other weaknesses found in the interpreter, too. Exploiting the vulnerability would only require an attacker to be able to send input to a vulnerable implementation of Ghostscript on a target server.

“By causing Ghostscript or a program that leverages Ghostscript to parse a specially-crafted file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code,” the CERT/CC at Carnegie Mellon University said in a note on the vulnerability.

Though there is no patch available at the moment, both Ormandy and the CERT/CC recommend that maintainers of vulnerable distributions or interpreters take action to prevent exploitation by disabling specific coders.

“I strongly suggest that distributions start disabling PS, EPS, PDF and XPS coders in policy.xml by default,” Ormandy said.