Re: CVE-2017-8291 ghostscript remote code execution

[redrain root <rootredrain () gmail com>]

nope~
I know this issue is a type confusion similar to your initialized dsc
parser
for example
The last previous vulnerability code exists in the
zinitialize_dsc_parser(). The method gets the memory data using
dict_memory() and treats it as an object to call its gs_alloc_struct()
method.
in the Evince code execution demo,  uses ghostscript (libgs.so) as the .ps
file processor
and another demo attack imagick is the shell command injection vuln.

and CVE-2017-8291 is a part of my exploit last year it also affect some
programs use ghostscript
that's why I use Evince as the example.

Regards,
redrain



2017-04-29 13:36 GMT+08:00 Tavis Ormandy <taviso () google com>:

> On Fri, Apr 28, 2017 at 7:43 PM, redrain root <rootredrain () gmail com>
> wrote:
> > what a awkward??
> > I have discovered a part of my vulns about ghostscript last year and
> > exploited in fulldisclosure early!
> > and these vulns are part of mine I was going to discovered these in
> defcon
> > or other conference...WTF...
> > u guys are logo designer???
> >
> > there are two demos last year
> > Evince Arbitrary Code Execution https://youtu.be/wzcrHXngfcM Attack
> Imagick
> > through Ghostscript https://youtu.be/tPGm_ANDyOw
>
> I don't think so, that is CVE-2016-7976 and is entirely unrelated to
> the issue being discussed, other than superficial similarity of the
> exploit.
>
> That issue was reported by me, and we discussed the ImageMagick and
> evince attack vectors at the time, you can check the archives if
> you're interested.
>
> http://seclists.org/oss-sec/2016/q4/29
>
> This issue (CVE-2017-8291) is a type confusion vulnerability (well,
> technically two vulnerabilities), and was found in the wild.
>
> Tavis.