CVE-2018-16509

Vulnerability

An issue was discovered in Artifex Ghostscript before version 9.24 [1][2][3]. The bug lies in incorrect restoration of privilege checking during handling of /invalidaccess exceptions. When a specially crafted PostScript file triggers such an exception, the privilege checks that normally restrict the pipe instruction are bypassed. This allows an attacker to execute arbitrary system commands via the pipe operator in the PostScript language [1][2][3][4]. The vulnerability affects Ghostscript versions prior to 9.24 [1][2][3].

Exploitation

An attacker can exploit this vulnerability by providing a crafted PostScript (.ps) file to a system or service that processes such files using a vulnerable version of Ghostscript [3]. No authentication is required, and the attack can be triggered remotely if the victim opens the file with Ghostscript or through an application that uses Ghostscript (e.g., document conversion or preview services) [3][4]. The crafted file contains PostScript code that triggers an /invalidaccess exception, causing the privilege restoration to fail and allowing the pipe instruction to execute with elevated privileges, leading to arbitrary command execution [4]. The exploit does not require any special user interaction beyond opening the file [4].

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands in the context of the Ghostscript process [1][2][3][4]. This leads to a complete compromise of confidentiality, integrity, and availability of the affected system. An attacker could read sensitive files, modify data, install malware, or cause denial of service. The impact is particularly severe for servers that automatically process uploaded PostScript files or share documents [3].

Mitigation

The vulnerability is fixed in Ghostscript version 9.24 [1][2][3]. Red Hat Enterprise Linux 7 users should update to ghostscript-9.07-29.el7_5.2 [1]. Ubuntu users should update to ghostscript 9.22~dfsg+1-0ubuntu1.2 (for 18.04 LTS) or later as per the Ubuntu Security Notice USN-3768-1 [3]. There is no known workaround other than applying the patch. Administrators should ensure they are running a patched version and limit processing of untrusted PostScript files until patching is possible [3].