CVE-2017-8291
In short
Ghostscript had a security bypass that allowed attackers to execute commands on a computer by tricking the program with a specially crafted document. Even when security protections were turned on, a malicious file could still run dangerous code.
Technical detail
A type confusion vulnerability in Ghostscript's .rsdparams parameter handling allowed attackers to bypass the -dSAFER sandbox restriction through crafted .eps files containing a "/OutputFile (%pipe%" substring. This enabled arbitrary command execution with the privileges of the gs process, exploitable via remote document processing.
Summary generated and translated by AI from the official description.
Artifex Ghostscript through 2017-04-26 allows -dSAFER bypass and remote command execution via .rsdparams type confusion with a "/OutputFile (%pipe%" substring in a crafted .eps document that is an input to the gs program, as exploited in the wild in April 2017.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
Public PoCs found: 6
github: github.com/shun1403/CVE-2017-8291
github: github.com/shun1403/PIL-CVE-2017-8291-study
github: github.com/hkcfs/PIL-CVE-2017-8291
github: github.com/DaniilOrchikov/PIL-CVE-2017-8291
cve_reference: www.exploit-db.com/exploits/41955/ (unverified)
exploitdb: www.exploit-db.com/exploits/41955 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://openwall.com/lists/oss-security/2017/04/28/2
https://access.redhat.com/errata/RHSA-2017:1230
https://bugs.ghostscript.com/show_bug.cgi?id=697808
https://bugzilla.redhat.com/show_bug.cgi?id=1446063
https://bugzilla.suse.com/show_bug.cgi?id=1036453
https://git.ghostscript.com/?p=ghostpdl.git%3Ba=commit%3Bh=04b37bbce174eed24edec7ad5b920eb93db4d47d
https://security.gentoo.org/glsa/201708-06
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-8291
https://www.exploit-db.com/exploits/41955/
http://www.debian.org/security/2017/dsa-3838
http://www.securityfocus.com/bid/98476