CVE-2020-15900

A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The ‘rsearch’ calculation for the ‘post’ size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b.

Recent assessments:

zeroSteiner at January 05, 2021 8:03pm UTC reported:

From NVD:

> A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The ‘rsearch’ calculation for the ‘post’ size resulted in a size that was too large, and could underflow to max uint32_t.

GhostScript is a pretty popular engine for Postscript and PDF documents. A critical feature of this is the sandbox which makes it safe to view documents received from untrusted sources. Escaping from the sandbox would all a malicious user to leverage dangerous functions that are builtin that can allow arbitrary file reading and writing along with OS command execution in certain environments.

The sandbox escape can be performed by leveraging the underflow to access memory outside the permissible boundary. By reading key locations, a specially crafted malicious document could corrupt the flag that controls the sandbox.

A weaponized version of this exploit would likely need to tell if it’s on Windows or LInux, which may be able to be determined at runtime by performing a file read and handling failures using well known file paths as the target.

See: <https://insomniasec.com/blog/ghostscript-cve-2020-15900&gt;

Assessed Attacker Value: 3
Assessed Attacker Value: 3Assessed Attacker Value: 4