Pierluigi Paganini
July 08, 2024
Threat actors are actively exploiting a Ghostscript vulnerability, tracked as CVE-2024-29510, that can allow them to escape the –dSAFER sandbox and achieve remote code execution.
Ghostscript is an interpreter for the PostScript language and for PDF files. It is used primarily for processing and rendering documents in these formats.
Researchers at Codean Labs discovered six vulnerabilities (CVE-2024-29510, CVE-2024-29509, CVE-2024-29506, CVE-2024-29507, CVE-2024-29508, CVE-2024-29511) that were addressed with versions 10.03.0 and 10.03.1.
The flaw CVE-2024-29510 is a format string vulnerability that impacts Ghostscript versions ≤ 10.03.0.
The vulnerability has an important impact on web applications and services using Ghostscript for document conversion and previews.
The experts focused the “uniprint” (aka “universal printer device”) device in Ghostscript that allows to generate command data for various brands and models of printers through configuration parameters. Ghostscript includes a set of .upp files, which are essentially Ghostscript command lines with pre-filled parameters tailored for specific printers, such as cdj550.upp. Upon manipulating these settings, uniprint can adapt to different printing needs.
Unfortunately, this versatility can be exploited by threat actors. The uniprint device allows users to control the format string and access device output by setting it to a temporary file. An attacker can trigger the issue to leak data from the stack and cause memory corruption.
Codean researchers published a proof-of-concept (PoC) exploit code to bypass the Ghostscript’s -dSAFER sandbox and execute shell commands on the system. The researchers pointed out that an attacker can trigger the vulnerability using bot images and documents.
Codean recommends updating the user installation of Ghostscript to v10.03.1.
“If your distribution does not provide the latest Ghostscript version, it might still have released a patch version containing a fix for this vulnerability (e.g., Debian, Ubuntu, Fedora).” wrote the experts.
“If you’re unsure if you’re affected, we provide a testkit: a small Postscript file which will tell you if your version of Ghostscript is affected. Download it here, and run it like this:
ghostscript -q -dNODISPLAY -dBATCH CVE-2024-29510_testkit.ps
The developer Bill Mill said he had already observed the flaw exploited in the wild, and warns of an increase of attacks exploiting this vulnerability.
“I had to remediate an attack in the wild already, so this is not just a theoretical issue. Patch your stuff” Mill wrote on Mastodon.
“If you have ghostscript *anywhere* in your production services, you are probably vulnerable to a shockingly trivial remote shell execution, and you should upgrade it or remove it from your production systems.” the developer added. “One thing to note is that imagemagick will automatically forward postscript files to ghostscript, so if you are using imagemagick anywhere you are probably vulnerable. (If you are using javascript libraries to process images, you probably are!)”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Ghostscript)
