Ghostscript, an open-source interpreter for PostScript language and PDF files widely used in Linux, has been found vulnerable to a critical-severity remote code execution flaw.
The flaw is tracked as CVE-2023-3664, having a CVSS v3 rating of 9.8, and impacts all versions of Ghostscript before 10.01.2, which is the latest available version released three weeks ago.
According to Kroll’s analysts, G. Glass and D. Truman, who developed a proof of concept (PoC) exploit for the vulnerability, code execution can be triggered upon opening a malicious, specially-crafted file.
Considering that Ghostscript is installed by default in numerous Linux distributions and used by software such as LibreOffice, GIMP, Inkscape, Scribus, ImageMagick, and the CUPS printing system, opportunities to trigger CVE-2023-3664 are abundant in most cases.
Kroll also comments that the problem affects open-source apps on Windows, too, if those use a port of Ghostscript.
The Ghostscript flaw
The CVE-2023-3664 flaw is related to OS pipes, which allow different applications to exchange data by passing outputs from one as inputs to another.
The issue arises from the “gp_file_name_reduce()” function in Ghostscript, which appears to take multiple paths and combines and simplifies them by removing relative path references for efficiency.
However, if a specially crafted path is given to the vulnerable function, it could return unexpected results, leading to overriding the validation mechanisms and potential exploitation.
Additionally, when Ghostscript attempts to open a file, it uses another function called “gp_validate_path” to check if its location is safe.
However, since the vulnerable function changes the location details before that second function’s check, it’s trivial for an attacker to exploit the loophole and force Ghostscript to deal with files in locations that should be off-limits.
Kroll’s analysts created a PoC that is triggered by opening an EPS (Embedded Postscript) file on any application using Ghostscript.
In the following demonstration video, the researchers showcase the exploit in Inkscape on Windows, performing actions such as opening the calculator or displaying dialogs to the user.
It is recommended that Linux users upgrade to the latest version of Ghostscript, 10.01.2, using their distribution’s package manager.
If the latest Ghostscript has not been made available yet on your distribution’s software channels, it is recommended to compile it from the source code.
Unfortunately, open-source software on Windows that use ports of Ghostscript will naturally require more time to move to the latest version of the tool. Hence extra caution is advised with installs in Windows.
To help detect CVE-2023-3664, Kroll has shared Sigma rules on this GitHub repository.