Even when you haven’t heard of the venerable Ghostscript venture, you could very properly have used it with out figuring out.
Alternatively, you’ll have it baked right into a cloud service that you simply provide, or have it preinstalled and able to go when you use a package-based software program service equivalent to a BSD or Linux distro, Homebrew on a Mac, or Chocolatey on Home windows.
Ghostscript is a free and open-source implementation of Adobe’s widely-used PostScript doc composition system and its even-more-widely-used PDF file format, brief for Moveable Doc Format. (Internally, PDF recordsdata depend on PostScript code to outline compose a doc.)
For instance, the favored open-source graphics program Inkscape makes use of Ghostscript behind the scenes to import EPS (Embedded PostScript) vector graphics recordsdata, equivalent to you may obtain from a picture library or obtain from a design firm.
Loosely put, Ghostscript reads in PostScript (or EPS, or PDF) program code, which describes assemble the pages in a doc, and converts it, or renders it (to make use of the jargon phrase), right into a format extra appropriate for displaying or printing, equivalent to uncooked pixel knowledge or a PNG graphics file.
Sadly, till the newest launch of Ghostscript, now at model 10.01.2, the product had a bug, dubbed CVE-2023-36664, that might permit rogue paperwork not solely to create pages of textual content and graphics, but additionally to ship system instructions into the Ghostscript rednering engine and trick the software program into operating them.
Pipes and pipelines
The issue happened as a result of Ghostscript’s dealing with of filenames for output made it potential to ship the output into what’s recognized within the jargon as a pipe reasonably than an everyday file.
Pipes, as you’ll know when you’ve ever finished any programming or script writing, are system objects that faux to be recordsdata, in which you can write to them as you’d to disk, or learn knowledge in from them, utilizing common system capabilities equivalent to learn() and write() on Unix-type methods, or ReadFile() and WriteFile() on Home windows…
…however the knowledge doesn’t really find yourself on disk in any respect.
As an alternative, the “write” finish of a pipe merely shovels the output knowledge into a brief block of reminiscence, and the “learn” finish of it sucks in any knowledge that’s already sitting within the reminiscence pipeline, as if it had come from a everlasting file on disk.
That is super-useful for sending knowledge from one program to a different.
If you wish to take the output from program ONE.EXE and use it because the enter for TWO.EXE, you don’t want to avoid wasting the output to a brief file first, after which learn it again in utilizing the > and < characters for file redirection, like this:
C:Usersduck> ONE.EXE > TEMP.DAT C:Usersduck> TWO.EXE < TEMP.DAT
There are a number of hassles with this strategy, together with these:
- You need to await the primary command to complete and shut off the
TEMP.DATfile earlier than the second command can begin studying it in. - You can find yourself with an enormous intermediate file that eats up extra disk house than you need.
- You can get messed round if another person fiddles with short-term file between the primary program terminating and the second launching.
- You need to be sure that the short-term filename doesn’t conflict with an present file you wish to preserve.
- You’re left with a brief file to wash up later that might leak knowledge if it’s forgotten.
With a memory-based intermediate “pseudofile” within the type of a pipe, you possibly can condense this type of course of chain into:
C:Usersduck> ONE.EXE | TWO.EXE
You may see from this notation the place the names pipe and pipeline come from, and likewise why the vertical bar image (|) chosen to symbolize the pipeline (in each Unix and Home windows) is extra generally recognized within the IT world because the pipe character.
As a result of files-that-are-actually-pipes-at-the-operating-system-level are nearly at all times used for speaking between two processes, that magic pipe character is usually adopted not by a filename to put in writing into for later use, however by the title of a command that may devour the output straight away.
In different phrases, when you permit remotely-supplied content material to specify a filename for use for output, then you have to watch out when you permit that filename to have a particular type that claims, “Don’t write to a file; begin a pipeline as an alternative, utilizing the filename to specify a command to run.”
When options flip into bugs
Apparently, Ghostscript did have such a “characteristic”, whereby you might say you wished to ship output to a specially-formatted filename beginning with %pipe% or just |, thereby supplying you with an opportunity of sneakily launching a command of your alternative on the sufferer’s pc.
(We haven’t tried this, however we’re guessing which you can additionally add command-line choices in addition to a command title to execute, thus supplying you with even finer management over what kind of rogue behaviour to impress on the different finish.)
Asumingly, if that’s the proper phrase, the “generally patches want patches” downside popped up once more within the technique of fixing this bug.
In yesterday’s article a few WordPress plugin flaw, we described how the makers of the buggy plugin (Final Member) have lately and quickly gone by means of 4 patches making an attempt to squash a privilege escalation bug:
We’ve additionally lately written about file-sharing software program MOVEit pushing out three patches in fast succession to cope with a command injection vulnerability that first confirmed up as a zero-day within the fingers of ransomware crooks:
On this case, the Ghostscript group first added a examine like this, to detect the presence of the harmful textual content %pipe... in the beginning of a filename:
/* "%pipe%" don't observe the traditional guidelines for path definitions, so we
do not "scale back" them to keep away from sudden outcomes */
if (len > 5 && memcmp(path, "%pipe", 5) != 0) {
. . .
Then the programmers realised that their very own code would settle for a plain | character in addition to the prefix %pipe%, so the code was up to date to cope with each circumstances.
Right here, as an alternative of checking that the variable path doesn’t begin with %pipe... to detect that that the filename is “secure”, the code declares the filename unsafe if it begins with both a pipe character (|) or the dreaded textual content %pipe...:
/* "%pipe%" don't observe the traditional guidelines for path definitions, so we
do not "scale back" them to keep away from sudden outcomes */
if (path[0] == '|' || (len > 5 && memcmp(path, "%pipe", 5) == 0)) {
. . .
What to do?
- When you have a standalone Ghostcript package deal that’s managed by your Unix or Linux distro (or by an identical package deal supervisor such because the abovementioned Homebrew on macOS), be sure to’ve received the newest model.
- When you have software program that comes with a bundled model of Ghostscript, examine with the supplier for particulars on upgrading the Ghostscript element.
- In case you are a programmer, don’t settle for any immediately-obvious bugfix as the start and finish of your vulnerability-squashing work. Ask your self, because the Ghostscript group did, “The place else might an identical type of coding blunder have occurred, and what different methods may very well be used to set off the bug we already learn about.”
