Ghostscript, a popular open-source interpreter for the PostScript language and PDF files that is widely used on Linux, has been found to have a severe remote code execution flaw. The flaw, tracked as CVE-2023-3664, carries a CVSS v3 score of 9.8 and affects all versions of Ghostscript prior to 10.01.2, the latest version, which was released just three weeks earlier.
Kroll analysts G. Glass and D. Truman developed a proof-of-concept (PoC) exploit for this vulnerability. They found that code execution could be triggered simply by opening a malicious file crafted for that purpose. Because Ghostscript is installed by default in numerous Linux distributions and is used by software such as LibreOffice, GIMP, Inkscape, Scribus, ImageMagick and the CUPS printing system, the set of applications through which CVE-2023-3664 can be triggered is extensive. Kroll further noted that the issue also affects open-source applications on Windows, provided they use a port of Ghostscript.
The vulnerability is related to OS pipes, which are used for data exchange between different applications. The issue lies in Ghostscript's 'gp_file_name_reduce()' function, which simplifies and combines multiple paths by removing relative path references. If a specially crafted path is fed to this function, it can produce unexpected results, bypassing the validation mechanism and opening the door to exploitation.
Furthermore, when Ghostscript tries to open a file, it uses another function, 'gp_validate_path', to verify that the location is safe. However, because the vulnerable function alters the location details before the second function's check, an attacker can exploit this loophole to force Ghostscript to work with files in locations that should be off-limits.
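The underlying defensive lesson is that a path-policy check is only meaningful if it inspects the exact string that is subsequently opened. The following C program, added here as an illustration and not taken from Ghostscript's source, contrasts two orderings of a toy path reducer and a sandbox-prefix validator. The reducer, the validator, the `SAFE_ROOT` directory and the sample paths are all constructed for this example; they do not reproduce the behaviour of `gp_file_name_reduce()` or `gp_validate_path`, only the class of mistake in which reduction and validation see different forms of the same path.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sandbox root for this example; not a Ghostscript setting. */
#define SAFE_ROOT "/srv/gs-sandbox/"
#define MAX_SEGMENTS 64

/* Toy path reducer: collapses "", "." and ".." segments of an absolute path.
 * Constructed stand-in for a path-simplifying routine; it is NOT Ghostscript's
 * gp_file_name_reduce(). Returns false on relative or oversized input. */
bool reduce_path(const char *in, char *out, size_t outlen)
{
    size_t seg_start[MAX_SEGMENTS]; /* offsets in out where each kept segment begins */
    int depth = 0;
    size_t o = 0;

    if (in[0] != '/' || outlen < 2)
        return false;
    out[o++] = '/';

    const char *p = in + 1;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - seg);
        if (*p == '/')
            p++;

        if (len == 0 || (len == 1 && seg[0] == '.'))
            continue;                   /* "//" and "/./" add nothing */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth > 0)
                o = seg_start[--depth]; /* drop the previous segment */
            continue;                   /* ".." above the root is ignored */
        }
        if (depth >= MAX_SEGMENTS || o + len + 1 >= outlen)
            return false;
        seg_start[depth++] = o;
        memcpy(out + o, seg, len);
        o += len;
        out[o++] = '/';
    }
    if (o > 1)
        o--;                            /* no trailing slash except for "/" itself */
    out[o] = '\0';
    return true;
}

/* Policy: the file must live under SAFE_ROOT. A stand-in for a
 * gp_validate_path-style check, constructed for this example. */
bool validate_path(const char *path)
{
    return strncmp(path, SAFE_ROOT, strlen(SAFE_ROOT)) == 0;
}

/* Mismatched ordering: the policy check inspects the caller's string, but the
 * string handed to the open call is the reduced one. A path that starts with
 * SAFE_ROOT passes the check and then reduces to somewhere else entirely. */
bool open_check_raw(const char *requested, char *opened, size_t n)
{
    if (!validate_path(requested))
        return false;
    return reduce_path(requested, opened, n);
}

/* Consistent ordering: reduce first, then validate the exact string that
 * will be opened. Nothing outside SAFE_ROOT can get through. */
bool open_check_reduced(const char *requested, char *opened, size_t n)
{
    if (!reduce_path(requested, opened, n))
        return false;
    return validate_path(opened);
}

int main(void)
{
    /* Constructed sample inputs: one benign, one using relative references. */
    const char *benign = "/srv/gs-sandbox/fonts/../job.eps";
    const char *escape = "/srv/gs-sandbox/../../etc/hosts";
    char opened[256];

    printf("raw-check    %-36s -> %s\n", escape,
           open_check_raw(escape, opened, sizeof opened) ? opened : "denied");
    printf("reduced-check %-36s -> %s\n", escape,
           open_check_reduced(escape, opened, sizeof opened) ? opened : "denied");
    printf("reduced-check %-36s -> %s\n", benign,
           open_check_reduced(benign, opened, sizeof opened) ? opened : "denied");
    return 0;
}
```

The `open_check_raw` variant accepts the escaping path and would open `/etc/hosts`, while `open_check_reduced` denies it and still admits the benign file. The same rule applies to any scheme or device prefix a validator looks for: the check must run on the final, reduced form, and the open call must use that identical string.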
Kroll's analysts created a PoC that triggers when an EPS (Encapsulated PostScript) file is opened in any application that uses Ghostscript. In a demonstration video, the researchers showed the exploit running in Inkscape on Windows, performing actions such as launching the calculator or displaying dialogs to the user.
Linux users are advised to update to the latest Ghostscript version, 10.01.2, using their distribution's package manager. If the latest version is not yet available in your distribution's software channels, compile it from source. For open-source software on Windows that uses ports of Ghostscript, moving to the latest version may take longer, so extra caution is advised for Windows installations.
To aid in detecting CVE-2023-3664, Kroll has shared Sigma rules in a GitHub repository.