Attacker Value

Very High

(1 user assessed)

Exploitability

High

(1 user assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

CVE-2024-29510

Disclosure Date: July 03, 2024 •

CVE-2024-29510

Exploited in the Wild

Reported by ccondon-r7
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

exploit/multi/fileformat/ghostscript_format_string_cve_2024_29510

Description

Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device.

Add Assessment

cdelafuente-r7 (92)

August 13, 2024 10:25am UTC (1 month ago)•Edited 1 month ago

Ratings

Attacker Value

Very High

Exploitability

High

Common in enterprise Unauthenticated Vulnerable in default configuration

Technical Analysis

Ghostscript is vulnerable to a critical format string vulnerability that affects versions before 10.03.1. An attacker could leverage this vulnerability to disable the SAFER sandbox and execute arbitrary code through the Ghostscript interpreter. The SAFER protection is enabled by default from version 9.50 and implements multiple sandbox functionalities restricting various dangerous operations, such as command execution via the use of %pipe%command. An attacker could exploit this format string vulnerability to disable this protection and escape the sandbox, leading to remote code execution.

The issue lies in the upd_wrtrtl() function, which can be reached by selecting the uniprint device. The upYMoveCommand and upWriteComponentCommands device parameters are used as a format string for the gs_snprintf() function, a custom implementation of the regular libc snprintf(). Please, refer to this excellent write-up for further details.

What makes this vulnerability even more dangerous is the fact that Ghostscript is used by libraries such as ImageMagick, often used by web applications to handle and convert images or documents. An attacker could simply upload a malicious Postscript file and gain remote code execution on the web server. A Metasploit module exists and can be used to test if Ghostscript is vulnerable.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Unknown

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

Metasploit Modules

exploit/multi/fileformat/ghostscript_format_string_cve_2024_29510 (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/fileformat/ghostscript_format_string_cve_2024_29510.rb)

Exploited in the Wild

Reported by:

ccondon-r7 indicated source as Other: Mastodon post (https://hachyderm.io/@llimllib/112722578840238142)

Reported: August 06, 2024 3:06pm UTC (1 month ago)

References

Canonical

CVE-2024-29510 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-29510)

Miscellaneous

https://bugs.ghostscript.com/show_bug.cgi?id=707662

https://www.openwall.com/lists/oss-security/2024/07/03/7

https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/

Rapid7

Very High

CVE-2024-29510

Very High

High

Unknown

Unknown

Unknown

CVE-2024-29510

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Metasploit Modules

Exploited in the Wild

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Very High

CVE-2024-29510

Very High

High

Unknown

Unknown

Unknown

CVE-2024-29510

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Metasploit Modules

Exploited in the Wild

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification