How to find type confusion vulnerabilities in Ghostscript

On-Demand Webinar

Ghostscript, the core utility for viewing PDF on many systems, was first developed in 1986 by Peter Deutsch (who now is a musical composer).

Type confusion issues in Ghostscript are not new. In 2016, Tavis Ormandy from Google Project Zero reported a number of vulnerabilities in Ghostscript, one of which was caused by type confusion. In August 2018, Tavis again uncovered critical RCEs affecting anyone who opens a malicious PDF file in Ghostscript, including three type confusions. Then in November 2018, Man Yue Mo, Security Researcher at Semmle, used variant analysis to discover similar critical issues, reported as CVE-2018-19475, CVE-2018-19134, CVE-2018-19476 and CVE-2018-19477.

In this webinar, Pavel Avgustinov, VP Engineering at Semmle, will share:

  • How to find type confusions using Semmle’s query language QL
  • Proof of concept to construct an arbitrary code execution exploit for CVE-2018-19134, a vulnerability caused by type confusion

Pavel Avgustinov - VP Engineering, Semmle