gsview: -dSAFER not used 




I was planning to test the exploit for <a href="/p/project-zero/issues/detail?id=1640" title="ghostscript: multiple critical vulnerabilities, including remote command execution" class="closed_ref" rel="nofollow"> bug 1640 </a> against gsview, the official ghostscript viewer, but it turns out systemdict /SAFER get returns false.

That means opening a file in gsview is equivalent to running arbitrary code, the obvious attack is doing something like:

(C:/Users/foo/Start Menu/Startup/exploit.bat) (w) file dup (calc.exe) writestring closefile

I don't think it's clear from the documentation that you cannot open untrusted files, and I can't find any configuration setting to enable the SAFER sandbox.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.




Found by: taviso