Vulnerability in Ghostscript exploited via ImageMagick

A critical vulnerability (CVE-2021-3781) has been identified in Ghostscript, a suite of tools for processing, converting, and generating PostScript and PDF documents; it can allow arbitrary code execution when a specially crafted file is processed. Attention was first drawn to the problem by Emil Lerner, who spoke about the vulnerability on August 25 at the ZeroNights X conference held in St. and Yandex.Realty).

On September 5, a working exploit appeared in the public domain that allows attacking systems running Ubuntu 20.04 by passing a specially crafted document, uploaded under the guise of an image, to a web script running on the server that uses the php-imagemagick package. At the same time, according to preliminary data, such an exploit has been in use since March. It was initially claimed that only systems with GhostScript 9.50 could be attacked, but it turned out that the vulnerability manifests itself in all subsequent versions of GhostScript, including the 9.55 release currently under development in Git.

The fix was proposed on September 8 and, after review, was accepted into the GhostScript repository on September 9. In many distributions the problem is still not fixed (the status of updates can be checked on the pages of Debian, Ubuntu, Fedora, SUSE, RHEL, Arch Linux, FreeBSD, NetBSD). A GhostScript release that eliminates the vulnerability is planned before the end of the month.

The problem is caused by the ability to bypass the "-dSAFER" isolation mode due to insufficient checking of the parameters of the "%pipe%" PostScript device, which allows arbitrary shell commands to be executed. For example, to run the id utility from a document, it is enough to include the string "(%pipe%/tmp/&id)(w)file" or "(%pipe%/tmp/;id)(r)file".

Recall that vulnerabilities in Ghostscript pose an elevated risk, since this package is used by many popular applications for processing the PostScript and PDF formats. For example, Ghostscript is invoked when creating desktop thumbnails, when indexing data in the background, and when converting images. In many cases a successful attack requires nothing more than downloading the exploit file or browsing the directory containing it in a file manager that displays document thumbnails, such as Nautilus.

Vulnerabilities in Ghostscript can also be exploited through image processors based on the ImageMagick and GraphicsMagick packages by passing them a JPEG or PNG file that contains PostScript code instead of an image (such a file will be handed to Ghostscript, since the MIME type is determined from the file's content rather than its extension).
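The two preceding paragraphs describe the mechanism from the defender's side: ImageMagick sniffs the file type from its bytes, so an "image" upload whose body is really PostScript reaches Ghostscript, and the "%pipe%" device name is what the bypass relies on. The following added example (not code from the article or from the Ghostscript or ImageMagick projects) is a pre-processing check an upload handler can run before calling any image library: it rejects bodies that start like PostScript or PDF, bodies whose magic bytes do not match the claimed image type, and bodies that mention the "%pipe%" device anywhere. The signature table and the sample uploads are constructed for the example; the "%pipe%" string in the last sample is the one quoted in the article.

```python
import re

# Standard file signatures for the image types an upload handler might accept
# (the magic bytes are the well-known ones; the mapping itself is constructed
# for this example and would be extended for the types a real service allows).
IMAGE_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Content that ImageMagick routes to its Ghostscript delegate based on the
# bytes alone, regardless of the extension the uploaded file carries.
POSTSCRIPT_SIGNATURES = (b"%!", b"%PDF-")

# The "%pipe%" device name whose parameters were insufficiently checked in
# CVE-2021-3781; a benign raster image never contains it.
PIPE_DEVICE = re.compile(rb"%pipe%", re.IGNORECASE)


def classify_upload(data: bytes, claimed_type: str) -> str:
    """Return a verdict for an uploaded blob that claims to be `claimed_type`.

    Verdicts, most severe first:
      "pipe-device" - the %pipe% device name appears anywhere in the body
      "postscript"  - the body starts like PostScript or PDF, so ImageMagick
                      would hand it to Ghostscript
      "mismatch"    - the body does not start with the claimed type's signature
      "ok"          - signature matches and no PostScript markers were found
    """
    if PIPE_DEVICE.search(data):
        return "pipe-device"
    if data.startswith(POSTSCRIPT_SIGNATURES):
        return "postscript"
    expected = IMAGE_SIGNATURES.get(claimed_type.lower())
    if expected is None or not data.startswith(expected):
        return "mismatch"
    return "ok"


def scan_uploads(uploads):
    """Classify (name, claimed_type, data) triples and return the ones an
    upload handler should reject, as (name, verdict) pairs."""
    rejected = []
    for name, claimed_type, data in uploads:
        verdict = classify_upload(data, claimed_type)
        if verdict != "ok":
            rejected.append((name, verdict))
    return rejected


# Constructed sample uploads: a real PNG header, a real JPEG header, a GIF
# renamed as PNG, a plain PostScript file renamed as JPEG, and a PostScript
# file carrying the %pipe% string quoted in the article, renamed as PNG.
SAMPLE_UPLOADS = [
    ("photo.png", "png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("photo.jpg", "jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("anim.png", "png", b"GIF89a" + b"\x00" * 16),
    ("cover.jpg", "jpeg", b"%!PS-Adobe-3.0\n/Helvetica findfont 12 scalefont\n"),
    ("avatar.png", "png", b"%!PS-Adobe-3.0\n(%pipe%/tmp/&id)(w)file\n"),
]

if __name__ == "__main__":
    for name, verdict in scan_uploads(SAMPLE_UPLOADS):
        print(f"reject {name}: {verdict}")
```

The check is a pre-filter, not a substitute for the fix: it stops the renamed-PostScript case the article describes, but the durable mitigation is to update Ghostscript and, where a service never needs PostScript or PDF input, to disable the PS, EPS and PDF coders in ImageMagick's policy so that Ghostscript is never invoked for uploads at all.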

Source: opennet.ru