Ghostscript security research (write-up series)
Through pentest work at Codean Labs, I found that Ghostscript is unexpectedly part of many attack surfaces, even server-side: applications that process user-submitted documents or images may invoke ImageMagick or LibreOffice for conversion, which in turn may call into Ghostscript for (embedded) EPS images.
Hence, I went digging and found a bunch of memory corruption bugs, several logic bugs and a really fun format string bug. I was able to turn the latter into a nice privilege escalation exploit, bypassing Ghostscript’s SAFER flag and thereby being able to invoke system commands. This results in RCE on server-side document conversion flows, but also in desktop cases when opening malicious documents/images.
Read the write-ups on Codean Labs’ blog:
- Part 1: CVE-2024-29510 – Exploiting Ghostscript using format strings
- The one I’m most proud of: abusing an old-school format string bug (with no countermeasures as it’s custom to Ghostscript, not libc!) in some obscure logic to gain memory manipulation primitives, and using those to turn off SAFER.
- Part 2: CVE-2024-29511 – Abusing Ghostscript’s OCR device
- Chaining a few logic bugs to gain an arbitrary file read and a semi-arbitrary file write. This was a classic case of unintentionally exposed logic in a dependency which was never meant to be run on attacker-controlled data.
- Part 3: Ghostscript wrap-up: overflowing buffers
- A collection of miscellaneous memory corruption issues.
Media coverage
Covered by various online news media, including: Security Week, Bleeping Computer, Heise, Linux Security, and The Register.