ghostrule's Introduction

GhostRule

This is a series of exploits that bypass SAFER mode of Ghostscript.

Ghostscript <= 9.2x

The PoC codes shown below allow you to get command execution or file I/O at the privilege of the process even if Ghostscript is running on SAFER mode.
However, all of them bypass the protection by overwriting the security flags in systemdict therefore they have no longer effect against recent Ghostscript(>= 9.50) that have started employing the new SAFER implementation that prevents critical dictionaries from overwriting (refer to commit 79a06b).

"Rule #1": A `.forceput` exposure from `.pdf_hook_DSC_Creator` (CVE-2019-14811)

CVE-2019-14811 is a .forceput exposure from .pdf_hook_DSC_Creator and 'ghostrule1.ps' is the exploit for it.

Credit: @hhc0null

"Rule #2": A `.forceput` exposure from `setuserparams` (CVE-2019-14812)

CVE-2019-14812 is a .forceput exposure from setuserparams and 'ghostrule2.ps' is the exploit for it.

Credit: @hhc0null

"Rule #3": A `.forceput` exposure from `setsystemparams` (CVE-2019-14813)

CVE-2019-14813 is a .forceput exposure from setsystemparams and 'ghostrule3.ps' is the exploit for it.

Credit: @hhc0null

"Rule #4": A `.forceput` exposure from `.buildfont1` (CVE-2019-10216)

CVE-2019-10216 is a .forceput exposure from buildfont1 and 'ghostrule4.ps' is the exploit for it.

Credit: Artifex Software and Netanel (Cloudinary) as the "original" reporter...???

"Rule #5": '???'

I'm not so ethical thus I'm keeping the technique to grow its 'lifetime' <3

The name is from:

ghostrule's People

Contributors

Stargazers

Watchers

ghostrule's Issues

ghostrule6.ps does not exploit CVE-2019-14869

This targets Ghostscript 9.26 and exploits superexec operator thus it isn't an exploit for CVE-2019-14869.
I confused it with another exploit code and I'm searching my drive for the appropriate one now.

Recommend Projects