Researchers have uncovered vulnerabilities in the widely deployed Ghostscript package that allow bad actors to remotely take control of vulnerable systems. There's no current patch available for the multiple flaws discovered.
Ghostscript is a suite of tools used by hundreds of software suites and coding libraries, which allows desktop software and web servers to handle Adobe Systems' PostScript and PDF page description languages.
Multiple bypass vulnerabilities, disclosed Tuesday, exist in the suite's optional -dSAFER feature, which is ironically supposed to prevent unsafe PostScript operations. By causing Ghostscript (or a program leveraging Ghostscript) to parse a specially-crafted malicious file, a remote, unauthenticated attacker may be able to execute arbitrary commands with the privileges of the Ghostscript code.
(Score: 0) by Anonymous Coward on Thursday August 23 2018, @10:44AM (2 children)
If a mail server runs something like Spam Assassin, which may use libgs to read certain file types for malicious code, will it run the embedded commands that are used to take advantage of these vulnerabilities? In other words, can sending an infected attachment to someone infect the mail server?
(Score: 1, Informative) by Anonymous Coward on Thursday August 23 2018, @11:15AM
I think maybe you mean clamav my man.
(Score: 0) by Anonymous Coward on Thursday August 23 2018, @07:41PM
If you are running a Linux or Unix server and have either SpamAssassin or ClamAV set up correctly, then they have read-only access to their configs and definitions and cannot make outgoing network connections. They only have write access to their sockets used for IPC. Best-case scenario for infection in a situation like that would be chaining an attack, such that the ClamAV scanner executes arbitrary code. That code would either have to have a kernel privilege escalation attack to allow the process to break out or cause the replies on the socket to the caller to contain an exploit that causes that to execute arbitrary code, which would allow a horizontal privilege escalation. HOWEVER, ClamAV and SpamAssassin and most other milters wouldn't be parsing the PDF/PS file and running the code directly, but rather doing some sort of signature analysis.