Workaround for Multi Sandbox Bypass Holes

Wednesday, August 22, 2018 @ 11:08 AM gHale

There is a vulnerability in Ghostscript that affects various vendors, and an attacker could exploit it to take control of an affected system, according to a report from NCCIC.

As a result, NCCIC released a warning to encourage users and administrators to apply necessary workarounds, and refer to vendors for appropriate patches, when available.


Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.

Ghostscript contains an optional -dSAFER option, which should prevent unsafe PostScript operations. Multiple PostScript operations bypass the protections provided by -dSAFER, which can allow an attacker to execute arbitrary commands with arbitrary arguments. This vulnerability can also be exploited in applications that leverage Ghostscript, such as ImageMagick.

By causing Ghostscript or a program that leverages Ghostscript to parse a specially crafted file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code.

CERT Coordination Center (CERT/CC) is unaware of a practical solution to this problem. Until patches are available, users should consider the following workaround: disable the PS, EPS, PDF, and XPS coders in ImageMagick's policy.xml.
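One way to check that the workaround is in place, as an added example that is not part of the NCCIC or CERT/CC notice: the Python script below parses an ImageMagick policy.xml and lists which of the four coders are still enabled. The sample policies are constructed, and counting a coder as disabled only when an entry denies it and no other entry grants it rights is a conservative assumption of this example.

```python
import fnmatch
import xml.etree.ElementTree as ET

RISKY_CODERS = ("PS", "EPS", "PDF", "XPS")  # coders named in the workaround

# Constructed sample: only PS is denied, PDF is explicitly allowed.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="read|write" pattern="PDF"/>
</policymap>"""

# Constructed sample: all four coders denied, as the workaround asks.
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>"""

def expand(pattern):
    """Expand a single-level brace list such as {PS,EPS} into its alternatives."""
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip() for p in pattern[1:-1].split(",")]
    return [pattern]

def audit_policy(xml_text):
    """Return the risky coders that the given policy.xml text leaves enabled."""
    root = ET.fromstring(xml_text)
    denied, granted = set(), set()
    for pol in root.iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue  # resource, path, delegate entries do not disable coders
        rights = pol.get("rights", "").strip().lower()
        patterns = expand(pol.get("pattern", ""))
        for coder in RISKY_CODERS:
            # Case-sensitive glob match (assumption of this example).
            if any(fnmatch.fnmatchcase(coder, p) for p in patterns):
                (denied if rights == "none" else granted).add(coder)
    # Conservative: disabled only if denied and never granted elsewhere.
    return [c for c in RISKY_CODERS if c not in denied or c in granted]

if __name__ == "__main__":
    for name, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        enabled = audit_policy(text)
        print(name, "->", "still enabled: " + ", ".join(enabled) if enabled else "OK")
```

To audit a real host, pass the contents of the installed policy.xml to `audit_policy`; the file's location varies by distribution and ImageMagick version.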
