Artifex Ghostscript .rsdparams Operator Handling Type Confusion RCE
Medium Nessus Plugin ID 100356
SynopsisThe remote Windows host contains a library that is affected by a remote command execution vulnerability.
DescriptionThe version of Artifex Ghostscript installed on the remote Windows host is 9.21 or earlier. It is, therefore, affected by a type confusion error when handling the '.rsdparams' operator with a '/OutputFile (%pipe%' substring. An unauthenticated, remote attacker can exploit this, via a specially crafted EPS file, to bypass the
-dSAFER sandbox and execute arbitrary commands.
SolutionRefer to bug 697799 for possible workarounds or patches. A fixed version of Ghostscript reportedly is scheduled for release in September of 2017.