gsview: -dSAFER not used
I was planning to test the exploit for <a href="/p/project-zero/issues/detail?id=1640" title="ghostscript: multiple gsview: -dSAFER not used
I was planning to test the exploit for <a href="/p/project-zero/issues/detail?id=1640" title="ghostscript: multiple critical vulnerabilities, including remote command execution" class="closed_ref" rel="nofollow"> bug 1640 </a> against gsview, the official ghostscript viewer, but it turns out systemdict /SAFER get returns false.
That means opening a file in gsview is equivalent to running arbitrary code, the obvious attack is doing something like:
(C:/Users/foo/Start Menu/Startup/exploit.bat) (w) file dup (calc.exe) writestring closefile
I don't think it's clear from the documentation that you cannot open untrusted files, and I can't find any configuration setting to enable the SAFER sandbox.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.
Found by: taviso