oss-sec mailing list archives
Re: CVE-2017-8291 ghostscript remote code execution
From: redrain root <rootredrain () gmail com>
Date: Sat, 29 Apr 2017 19:24:09 +0800
nope~ I know this issue is a type confusion similar to your initialized dsc parser for example The last previous vulnerability code exists in the zinitialize_dsc_parser(). The method gets the memory data using dict_memory() and treats it as an object to call its gs_alloc_struct() method. in the Evince code execution demo, uses ghostscript (libgs.so) as the .ps file processor and another demo attack imagick is the shell command injection vuln. and CVE-2017-8291 is a part of my exploit last year it also affect some programs use ghostscript that's why I use Evince as the example. Regards, redrain 2017-04-29 13:36 GMT+08:00 Tavis Ormandy <taviso () google com>:
On Fri, Apr 28, 2017 at 7:43 PM, redrain root <rootredrain () gmail com> wrote:what a awkward?? I have discovered a part of my vulns about ghostscript last year and exploited in fulldisclosure early! and these vulns are part of mine I was going to discovered these indefconor other conference...WTF... u guys are logo designer??? there are two demos last year Evince Arbitrary Code Execution https://youtu.be/wzcrHXngfcM AttackImagickthrough Ghostscript https://youtu.be/tPGm_ANDyOwI don't think so, that is CVE-2016-7976 and is entirely unrelated to the issue being discussed, other than superficial similarity of the exploit. That issue was reported by me, and we discussed the ImageMagick and evince attack vectors at the time, you can check the archives if you're interested. http://seclists.org/oss-sec/2016/q4/29 This issue (CVE-2017-8291) is a type confusion vulnerability (well, technically two vulnerabilities), and was found in the wild. Tavis.
Current thread:
- CVE-2017-8291 ghostscript remote code execution Marcus Meissner (Apr 27)
- <Possible follow-ups>
- Re: CVE-2017-8291 ghostscript remote code execution security (Apr 27)
- Re: CVE-2017-8291 ghostscript remote code execution Kurt H Maier (Apr 28)
- Re: CVE-2017-8291 ghostscript remote code execution David Black (Apr 28)
- Re: CVE-2017-8291 ghostscript remote code execution redrain root (Apr 28)
- Re: CVE-2017-8291 ghostscript remote code execution Tavis Ormandy (Apr 28)
- Re: CVE-2017-8291 ghostscript remote code execution redrain root (Apr 29)
- Re: CVE-2017-8291 ghostscript remote code execution Kurt H Maier (Apr 28)