高危 Artifex Ghostscript 命令执行漏洞

CVE编号

CVE-2019-6116

利用情况

POC 已公开

补丁情况

官方补丁

披露时间

2019-03-22

漏洞描述

结果发现，当伪运算符推送子程序时，ghostscript可能会泄漏操作数堆栈上的敏感运算符。特制的PostScript文件可以使用此缺陷来转义-dSAFER保护，以便达到相关目的。例如可以访问文件系统并执行命令。

解决建议

用户可联系供应商获得补丁信息：https://www.ghostscript.com/

参考链接
http://lists.opensuse.org/opensuse-security-announce/2019-01/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2019-01/msg00048.html
http://packetstormsecurity.com/files/151307/Ghostscript-Pseudo-Operator-Remot...
http://packetstormsecurity.com/files/152367/Slackware-Security-Advisory-ghost...
http://www.openwall.com/lists/oss-security/2019/01/23/5
http://www.openwall.com/lists/oss-security/2019/03/21/1
http://www.securityfocus.com/bid/106700
https://access.redhat.com/errata/RHBA-2019:0327
https://access.redhat.com/errata/RHSA-2019:0229
https://bugs.chromium.org/p/project-zero/issues/detail?id=1729
https://bugs.ghostscript.com/show_bug.cgi?id=700317
https://lists.debian.org/debian-lts-announce/2019/02/msg00016.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://seclists.org/bugtraq/2019/Apr/4
https://security.gentoo.org/glsa/202004-03
https://usn.ubuntu.com/3866-1/
https://www.debian.org/security/2019/dsa-4372
https://www.exploit-db.com/exploits/46242/

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	应用	artifex	ghostscript	*		Up to (including) 9.26
	运行在以下环境
	系统	alibaba_cloud_linux_2.1903	ghostscript-debuginfo	*		Up to (excluding) 9.07-31.7.al7.9
	运行在以下环境
	系统	alpine_3.10	ghostscript	*		Up to (excluding) 9.26-r2
	运行在以下环境
	系统	alpine_3.11	ghostscript	*		Up to (excluding) 9.26-r2
	运行在以下环境
	系统	alpine_3.12	ghostscript	*		Up to (excluding) 9.26-r2
	运行在以下环境
	系统	alpine_3.13	ghostscript	*		Up to (excluding) 9.26-r1
	运行在以下环境
	系统	alpine_3.14	ghostscript	*		Up to (excluding) 9.26-r1
	运行在以下环境
	系统	alpine_3.15	ghostscript	*		Up to (excluding) 9.26-r1
	运行在以下环境
	系统	alpine_3.16	ghostscript	*		Up to (excluding) 9.26-r1
	运行在以下环境
	系统	alpine_3.17	ghostscript	*		Up to (excluding) 9.26-r1
	运行在以下环境
	系统	alpine_3.18	ghostscript	*		Up to (excluding) 9.26-r1
	运行在以下环境
	系统	alpine_3.6	ghostscript	*		Up to (excluding) 9.26-r2
	运行在以下环境
	系统	alpine_3.7	ghostscript	*		Up to (excluding) 9.26-r2
	运行在以下环境
	系统	alpine_3.8	ghostscript	*		Up to (excluding) 9.26-r2
	运行在以下环境
	系统	alpine_3.9	ghostscript	*		Up to (excluding) 9.26-r2
	运行在以下环境
	系统	alpine_edge	ghostscript	*		Up to (excluding) 9.26-r1
	运行在以下环境
	系统	amazon_2	ghostscript	*		Up to (excluding) 9.25-5.amzn2
	运行在以下环境
	系统	centos_7	ghostscript	*		Up to (excluding) 9.07-31.el7_6.9
	运行在以下环境
	系统	debian_10	ghostscript	*		Up to (excluding) 9.26a~dfsg-1
	运行在以下环境
	系统	debian_11	ghostscript	*		Up to (excluding) 9.26a~dfsg-1
	运行在以下环境
	系统	debian_12	ghostscript	*		Up to (excluding) 9.26a~dfsg-1
	运行在以下环境
	系统	debian_sid	ghostscript	*		Up to (excluding) 9.26a~dfsg-1
	运行在以下环境
	系统	fedora_28	ghostscript-debuginfo	*		Up to (excluding) 9.26-3.fc28
	运行在以下环境
	系统	fedora_29	ghostscript-x11	*		Up to (excluding) 9.26-3.fc29
	运行在以下环境
	系统	fedora_30	ghostscript-x11	*		Up to (excluding) 9.26-3.fc30
	运行在以下环境
	系统	fedora_31	ghostscript-x11	*		Up to (excluding) 9.27-1.fc31
	运行在以下环境
	系统	opensuse_Leap_15.0	ghostscript-devel	*		Up to (excluding) 9.26a-lp150.2.12.1
	运行在以下环境
	系统	opensuse_Leap_42.3	ghostscript-9.26a	*		Up to (excluding) 14.15.1
	运行在以下环境
	系统	oracle_7	oraclelinux-release	*		Up to (excluding) 9.07-31.el7_6.9
	运行在以下环境
	系统	redhat_7	ghostscript	*		Up to (excluding) 9.07-31.el7_6.9
	运行在以下环境
	系统	suse_12	ghostscript	*		Up to (excluding) 9.26a-23.19
	运行在以下环境
系统	suse_12_SP3	ghostscript-x11-9.26a	*		Up to (excluding) 0.2.7-12.6.1
运行在以下环境
系统	suse_12_SP4	ghostscript-x11-9.26a	*		Up to (excluding) 0.2.7-12.6.1
运行在以下环境
系统	ubuntu_14.04	ghostscript	*		Up to (excluding) 9.26~dfsg+0-0ubuntu0.14.04.4
运行在以下环境
系统	ubuntu_14.04.6_lts	ghostscript	*		Up to (excluding) 9.26~dfsg+0-0ubuntu0.14.04.4
运行在以下环境
系统	ubuntu_16.04	ghostscript	*		Up to (excluding) 9.26~dfsg+0-0ubuntu0.16.04.4
运行在以下环境
系统	ubuntu_16.04.7_lts	ghostscript	*		Up to (excluding) 9.26~dfsg+0-0ubuntu0.16.04.4
运行在以下环境
系统	ubuntu_18.04	ghostscript	*		Up to (excluding) 9.26~dfsg+0-0ubuntu0.18.04.4
运行在以下环境
系统	ubuntu_18.04.5_lts	ghostscript	*		Up to (excluding) 9.26~dfsg+0-0ubuntu0.18.04.4
运行在以下环境
系统	ubuntu_18.10	ghostscript	*		Up to (excluding) 9.26~dfsg+0-0ubuntu0.18.10.4

阿里云评分 8.5

• 攻击路径 本地
• 攻击复杂度 容易
• 权限要求 无需权限
• 影响范围 全局影响
• EXP成熟度 POC 已公开
• 补丁情况 官方补丁
• 数据保密性 数据泄露
• 数据完整性 传输被破坏
• 服务器危害 服务器失陷
• 全网数量 N/A

CWE-ID	漏洞类型
NVD-CWE-noinfo

Exp相关链接

• https://github.com/vulhub/vulhub/tree/master/ghostscript/CVE-2019-6116
• https://www.exploit-db.com/exploits/46242

- avd.aliyun.com