Published: 2024-06-01

Ghostscript, a widely used open-source interpreter for PostScript and PDF files, is a workhorse for printing, PDF viewing, and document conversions. However, security issues in this complex codebase can have devastating effects, especially when attackers can execute code simply by handing off a toxic file.

One such flaw recently discovered — CVE-2023-43115 — allows remote code execution through a crafty abuse of the IJS (Inkjet Server) device interface in Ghostscript, even in so-called "safe" mode. In this post, we break down what went wrong, how it can be exploited, and what you can do to protect yourself.

What Is the CVE-2023-43115 Vulnerability?

Ghostscript includes a special device driver called IJS, which lets the software print via external inkjet serving programs. Normally, this isn’t a big deal; however, the way Ghostscript invokes and configures IJS means a malicious file could trick it into running unwanted commands.

The vulnerability exists because even after SAFER mode is enabled (a sandbox meant to restrict dangerous operations in PostScript programs), a specially crafted PostScript file can turn on the IJS device or change its server command. This gives the file a way to execute arbitrary commands on the host operating system.

Official Advisory

- Ghostscript CVE-2023-43115 Security Advisory
- Red Hat CVE Page

Why Is This Dangerous?

- Remote code execution: Malicious documents can make Ghostscript invoke external command-line tools with attacker-controlled arguments.
- Sandbox evasion: The bug works even if *-dSAFER* is enabled, which is often assumed to protect systems running Ghostscript automation.
- Attack vector: Any server or app that converts, previews, or prints untrusted PS or PDF files with Ghostscript is potentially vulnerable—such as printers, PDF processors, email filters, etc.

How Does the Exploit Work?

Ghostscript’s IJS device is meant to talk to another process via a command line specified by the IjsServer parameter, like:

gs ... -sDEVICE=ijs -sIjsServer=some_external_command

The critical error occurs because PostScript syntax inside the file can specify or override this IjsServer value even in safe mode. Thus, if a user or application views or processes such a file, the command embedded in the file will launch—outside of any Ghostscript sandbox.

Below is a minimal malicious PostScript file that tries to launch a calculator app on a Linux machine:

%!
% Set up the command to execute as the IjsServer parameter
/IjsServer (gnome-calculator) def
% Activate the IJS device, which triggers the server
/OutputFile (%stdout) def
/IjsParams << /IjsServer (gnome-calculator) >> def
setpagedevice
showpage

If Ghostscript processes this file with *-dSAFER* and IJS support is enabled, it would launch gnome-calculator or any other command specified.

Minimal Command Line to Reproduce

gs -dSAFER -sDEVICE=ijs -sOutputFile=/tmp/out < exploit.ps

Code Dive: Where’s the Bug?

The vulnerable code is in gdevijs.c, responsible for handling IJS device options and parameters. The function that checks and applies parameters does not adequately respect the *SAFER* sandbox for the IjsServer device command.

Simplified pseudocode of the logic in vulnerable versions (not the literal source):

if (param_name_is_IjsServer && !check_safemode()) {
  // Still executes the command specified
}

The flaw: The check either doesn’t work, or the SAFER mode isn’t enforced after the parameter is changed dynamically from PostScript code.

Ghostscript’s documentation has even warned:
*"It is the documented behaviour of the IJS server to be specified on the command line and that the IJS device must run this command to talk to the server."*

Nevertheless, users expected SAFER mode to restrict this.

- Platforms: Linux, Windows, Mac — anywhere Ghostscript is used.
- Products: Any that use Ghostscript for document handling, especially web apps, cloud print servers, email gateways, or PDF processing pipelines.

Mitigations & Fixes

Ghostscript maintainers have issued a patch disabling dynamic IJS device configuration in safe mode.

Update Immediately:
Download the latest version from ghostscript.com downloads and check if your Linux distribution offers patched packages.
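
As an extra layer in front of Ghostscript, incoming PostScript can be screened for the IJS parameter names described above before it reaches the interpreter. The following is an added example, not code from the original post or from Ghostscript; the function names and sample jobs are constructed, and the scan is static, so names a PostScript program assembles at run time are not seen.

```python
import re

# Added example (helper names are illustrative). Names this post ties to the IJS device.
IJS_NAMES = {b"ijs", b"ijsserver", b"ijsparams"}

# PostScript lexical elements we care about; a comment is matched so it can be skipped.
_TOKEN = re.compile(
    rb"%[^\r\n]*"                    # comment up to end of line
    rb"|\((?:\\.|[^\\()])*\)"        # (literal string), nesting not followed
    rb"|<([0-9A-Fa-f\s]*)>"          # <hex string>
    rb"|/?[^\s()<>\[\]{}/%]+",       # executable name or /literal name
    re.S,
)


def ps_tokens(data: bytes):
    """Yield (kind, value) for every name and string outside comments."""
    for m in _TOKEN.finditer(data):
        tok = m.group(0)
        if tok.startswith(b"%"):
            continue
        if tok.startswith(b"("):
            yield "string", tok[1:-1]
        elif tok.startswith(b"<"):
            digits = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
            # PostScript pads an odd number of hex digits with a trailing 0.
            yield "string", bytes.fromhex(digits + "0" * (len(digits) % 2))
        else:
            yield "name", tok.lstrip(b"/")


def find_ijs_references(data: bytes) -> list[str]:
    """Return every name or string token that refers to the IJS device."""
    return [
        f"{kind}:{value.decode('latin-1')}"
        for kind, value in ps_tokens(data)
        if value.strip().lower() in IJS_NAMES
    ]


# Constructed samples: the second reuses the parameter names from the listing
# in this post, with a placeholder where the command string would be.
BENIGN = b"%!\n% no IjsServer here\n72 720 moveto (De prijs is hoog) show\nshowpage\n"
SUSPECT = b"%!\n/IjsParams << /IjsServer (PLACEHOLDER) >> def\nsetpagedevice\n"

if __name__ == "__main__":
    for label, job in (("benign", BENIGN), ("suspect", SUSPECT)):
        hits = find_ijs_references(job)
        print(label, "QUARANTINE" if hits else "pass", hits)
```

Treat a hit as a reason to quarantine the job for review; a clean result does not replace running a patched Ghostscript build.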

References for Further Reading

- Ghostscript CVE-2023-43115 Security Notice
- Red Hat Advisory
- OSS-Security Mailing List post
- IJS Ghostscript Device Docs

Key Takeaways

CVE-2023-43115 is another example of how legacy features can introduce critical risks in modern usage. The ability to execute shell commands through a document-processing tool is a severe vulnerability—especially in server or automated environments.

Don’t delay: update Ghostscript, review your document workflows, and avoid exposing such tools to untrusted input without added security layers.


*Stay safe!
Share this post with your sysadmin team, and always keep your open source tools up to date.*

Timeline

Published on: 09/18/2023 08:15:07 UTC
Last modified on: 11/07/2023 04:21:17 UTC