CVE-2024-46956 - Out-of-Bounds Data Access in Ghostscript's filenameforall — Code Example, Exploit Details, and References

Artifex Ghostscript is a popular interpreter for the PostScript language and PDF. It’s widely used in print workflows, document viewers, and as a backend for other software. On May 6, 2024, a new vulnerability, CVE-2024-46956, was published. This security issue relates to how Ghostscript processes certain file names using the flawed filenameforall implementation in its source code, specifically in psi/zfile.c. The problem? A serious out-of-bounds data access that attackers could abuse to execute their own code.

In this post, I’ll break down the vulnerability in plain English, show example code, discuss real risk scenarios, and provide links to the most useful references.

What is CVE-2024-46956?

CVE-2024-46956 is about an out-of-bounds read and potential code execution flaw in Ghostscript versions older than 10.04.. It lets attackers execute code on a vulnerable machine by tricking Ghostscript into reading memory it shouldn’t, through crafted input to filenameforall. This function is reachable in common use cases when you process files with Ghostscript.

Where's the Flaw?

The vulnerability lies in this file: psi/zfile.c. Specifically, the implementation of the filenameforall operator (used to enumerate file names) fails to safely limit access to data. If an attacker provides a very long or otherwise specially crafted file pattern, memory past the intended buffer can be read or written, depending on system behavior.

Here’s a simplified excerpt based on the problematic logic. Let’s see what went wrong

// Pseudo-code simplified for clarity
int zfile_filenameforall(i_ctx_t *i_ctx_p)
{
    char pattern[PATH_MAX];
    int pattern_length;

    // ... code to fill pattern and length ...

    // Loop through possible file names
    for (int i = ; i <= pattern_length; i++) {   // <= instead of <, fatal bug!
        // Access pattern[i] without checking bounds
        if (pattern[i] == '*') {
            // do something
        }
    }
    // ...
}

Due to a logic error (for example, using <= instead of <), the function accessing file name patterns can read or write past the buffer. Ghostscript developers have patched this in 10.04. by making sure the code only accesses valid memory within the buffer.

How Could This Be Exploited?

1. An attacker creates a malicious PostScript or PDF file that uses filenameforall with a specially crafted file name pattern.
2. This pattern—by being too long or including odd characters—causes Ghostscript to read or write past the end of the buffer.
3. The attacker submits this file to any service using vulnerable Ghostscript (print services, document previewers, web applications, server-side PDF renderers, etc).
4. If the attack works, the attacker could crash the service or, in certain cases, execute arbitrary code, allowing access to the server or escalation of privileges.

This is especially critical for shared hosting, print servers, and web applications. Ghostscript is commonly used as a backend to process untrusted documents.

Example Exploit Scenario

Suppose an online print shop uses Ghostscript to make PDF previews. An attacker uploads a PDF or PostScript file like this:

(%pipe%malicious_code) (w) file
(%3f*) { ... } filenameforall

The attack here is to supply a weird pattern to filenameforall. A sufficiently evil crafted pattern can mess with the buffer and, if lucky, redirect execution.

On unpatched Ghostscript, this might crash the program — or, in a real exploit, run the attacker’s shell command, like starting a reverse shell.

Yes. Upgrade Ghostscript to 10.04. or later.

Git commit fixing the bug: Ghostscript Commit b07e9f087d

Official References

- CVE-2024-46956 on NVD
- Ghostscript Bugzilla Issue #706306
- Upstream commit with fix
- Ghostscript Security Advisories

Conclusion

CVE-2024-46956 is a severe out-of-bounds code execution vulnerability in Ghostscript’s handling of certain file name patterns. Untrusted files can trigger the bug, leading to a crash or even complete system compromise. Patch right away by upgrading Ghostscript to version 10.04. or newer.

Stay safe: never expose Ghostscript to untrusted file inputs on old versions.


Let me know if you have questions or need help checking your Ghostscript deployment!

Timeline

Published on: 11/10/2024 22:15:12 UTC
Last modified on: 11/14/2024 20:39:54 UTC