Attacker Value
Moderate
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2020-15900

Disclosure Date: July 28, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The ‘rsearch’ calculation for the ‘post’ size resulted in a size that was too large, and could underflow to max uint32_t. This was fixed in commit 5d499272b95a6b890a1397e11d20937de000d31b.

Add Assessment

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    High
Technical Analysis

From NVD:

A memory corruption issue was found in Artifex Ghostscript 9.50 and 9.52. Use of a non-standard PostScript operator can allow overriding of file access controls. The ‘rsearch’ calculation for the ‘post’ size resulted in a size that was too large, and could underflow to max uint32_t.

GhostScript is a pretty popular engine for Postscript and PDF documents. A critical feature of this is the sandbox which makes it safe to view documents received from untrusted sources. Escaping from the sandbox would all a malicious user to leverage dangerous functions that are builtin that can allow arbitrary file reading and writing along with OS command execution in certain environments.

The sandbox escape can be performed by leveraging the underflow to access memory outside the permissible boundary. By reading key locations, a specially crafted malicious document could corrupt the flag that controls the sandbox.

A weaponized version of this exploit would likely need to tell if it’s on Windows or LInux, which may be able to be determined at runtime by performing a file read and handling failures using well known file paths as the target.

See: https://insomniasec.com/blog/ghostscript-cve-2020-15900

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • artifex,
  • canonical,
  • opensuse

Products

  • ghostscript 9.50,
  • ghostscript 9.52,
  • leap 15.1,
  • leap 15.2,
  • ubuntu linux 20.04
Technical Analysis