Proof-of-concept (PoC) exploit code is now publicly available for a recently disclosed, severe security vulnerability in Ghostscript, an open-source PDF library. The vulnerability, tracked as CVE-2023-36664, is a remote code execution flaw with a high severity score of 9.6. It allows a remote attacker to execute malicious operations using a specially crafted file. Defenses against this exploit are inadequate, which is alarming given Ghostscript's extensive use across numerous Linux distributions and applications, including LibreOffice, GIMP, Inkscape, Scribus, ImageMagick, and the CUPS printing system.
The vulnerability, CVE-2023-36664, is primarily associated with operating system pipes, which let separate applications exchange data. It originates in a specific Ghostscript function, 'gp_file_name_reduce()', which combines multiple paths and simplifies them by removing relative path references. When a specially crafted path is fed to this vulnerable function, it bypasses the validation mechanisms and opens the way to exploitation.
Compounding the issue, Ghostscript opens files through another function, 'gp_validate_path', which verifies that the location is safe. The vulnerable function, however, alters the location details before this safety check runs, so an attacker can force Ghostscript to interact with files in locations that should be off-limits.
The PoC exploit for CVE-2023-36664 was developed by Ákos Jakab. It is triggered by opening a PS (PostScript) or EPS (Encapsulated PostScript) file in any application that uses Ghostscript. Ghostscript users are urged to update to the latest version, 10.01.2, which addresses the vulnerability. Ghostscript can be updated through your distribution's package manager; if the latest version is not available in your distribution's software repositories, it can be compiled from source, with instructions available on the Ghostscript website.
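A quick check an administrator can run after patching, added here as an example and not taken from the article or the Ghostscript project: it reads the installed version from `gs --version` and compares it numerically against 10.01.2, so that zero-padded forms such as "10.01.2" and "10.1.2" compare as equal.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Version that, per the article, addresses CVE-2023-36664.
FIXED_VERSION = "10.01.2"


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the first dotted numeric version from text and return it as an
    integer tuple, so "10.01.2" and "10.1.2" both become (10, 1, 2)."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_fixed(version_text: str) -> bool:
    """True when the given Ghostscript version is 10.01.2 or later."""
    return parse_version(version_text) >= parse_version(FIXED_VERSION)


def installed_ghostscript_version() -> Optional[str]:
    """Return the output of `gs --version`, or None when gs is not on PATH."""
    gs = shutil.which("gs")
    if gs is None:
        return None
    result = subprocess.run([gs, "--version"], capture_output=True, text=True)
    return result.stdout.strip() or None


def check_installed() -> str:
    """Human-readable verdict for the Ghostscript binary found on PATH."""
    version = installed_ghostscript_version()
    if version is None:
        return "gs not found on PATH"
    status = "fixed" if is_fixed(version) else "VULNERABLE: update to 10.01.2 or later"
    return f"Ghostscript {version}: {status}"


if __name__ == "__main__":
    print(check_installed())
```

Distributions sometimes backport the fix into an older version string, so a "VULNERABLE" verdict here should be confirmed against your distribution's security advisory before acting on it.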
In addition to updating Ghostscript, users can protect themselves from this vulnerability by exercising caution when opening files from unfamiliar sources. If the safety of a file is uncertain, it is recommended to avoid opening it.