mailing list archives
GhostScript Vulnerability Clarification - CVE-2010-1869
From: Rodrigo Branco <rbranco () checkpoint com>
Date: Mon, 17 May 2010 06:10:11 -0700
I'm writing on behalf of the Check Point Vulnerability Discovery Team to clarify this issue. Here is our advisory and
the specific timeline:
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
GhostScript 8.70 and lower stack overflow
Ghostscript is an interpreter for the PostScript language and the Portable Document Format (PDF).
There exists a vulnerability within the parser function that when properly exploited can lead to remote comprimise of
the vulnerable system, both thru client-side exploitation (using applications like Imagemagick) or server-side
exploitation (using cups printer daemon). For both cases
there is a working exploit to be shared with interested parts.
This vulnerability was confirmed in the following GhostScript versions:
A remote attacker could entice a user to open a specially crafted PostScript file (client-side exploitation scenario)
or just print the file (server-sie exploitation scenario), possibly resulting in the execution of arbitrary code with
the privileges of the user running the application or the printer daemon.
Different Unix vendors and Linux distributions are vulnerable to that due to the usage of the vulnerable GhostScript
The following test was made on a PCBSD 8.0 default install. There is a working exploit for the vulnerability to test
the exploitability in different systems. Propolice protection mitigates this vulnerability.
$ gs --version
$ gdb gs
(gdb) r crash.ps
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 29201140 (LWP 100125)]
0x2897774e in memcpy () from /lib/libc.so.7
#0 0x2897774e in memcpy () from /lib/libc.so.7
#1 0x28178cb4 in scan_token () from /usr/local/lib/libgs.so.8
#2 0x41414141 in ?? ()
(gdb) x/i $pc
0x2897774e <memcpy+30>: repz movsl %ds:(%esi),%es:(%edi)
(gdb) i r $esi $edi
esi 0xbfbfd118 -1077948136
edi 0x414142d9 1094795993
We can use the Cupsd to trigger the vulnerability in the gs process.
$ lp -d hpdskjet crash.pdf
$ grep crashed /var/log/cups/error_log
D [08/Mar/2010:18:01:10 -0500] [Job 11] PID 33428 (gs) crashed on signal 11!
Upgrade to GhostScript version 8.71.
14/Jan - Vulnerability discovered
February and March - Communications with the Vendor (Artifex)
28/Mar - First request for a CVE entry
12/Apr - Communication with RedHat and other vendors (Ubuntu, FreeBSD and others)
10/May - CVE assigned (CVE-2010-1869)
11/May - Check Point issued an IPS update to protect its customers
12/May - After seen the Check Point advisory, Dan Rosenberg published the issue to the mailing lists
12/May - Clarified with Dan that the vulnerabilities are the same.
This vulnerability was discovered and exploited by Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team
Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- GhostScript Vulnerability Clarification - CVE-2010-1869 Rodrigo Branco (May 18)