Monday, August 21, 2023

PDFCreator is hit by the Ghostscript RCE vulnerability (CVE-2023-36664, CVSS 9.8/10) - version 5.1.2 was released on 21 Aug 2023 to fix this issue (very fast)

Background:

On 13 Jul 2023, security researchers discovered a critical vulnerability (CVE-2023-36664) in Ghostscript, an open-source interpreter for the PostScript language and PDF files that is widely used by open-source applications on Linux and Windows. The vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.

 

On 14 Aug 2023, the PoC for this vulnerability was released. https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection?s=03

 

(Basically every PDF printer that uses Ghostscript is hit by this vulnerability unless it is using 10.01.2)

 

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code through a specially crafted file due to improper handling of permission validation for pipe devices.

 

The vulnerability affects all versions of Ghostscript before 10.01.2. Applications on other operating systems, such as Windows, that use a port of affected Ghostscript versions also inherit this vulnerability.

 

Users and administrators of Linux systems are advised to upgrade to the latest version of Ghostscript, 10.01.2, using their distribution's package manager.
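
A quick way to check a host against the fixed version named above. This is an added example, not part of the original post; the binary names it looks for (gs, gswin64c, gswin32c) are assumed defaults, and Ghostscript copies shipped inside other applications are not on PATH and must be checked separately.

```shell
#!/bin/sh
# Added example: flag Ghostscript versions older than the fixed release.
FIXED_VERSION="10.01.2"   # fixed version as stated in the text above

# Print component $2 (1-based) of dotted version $1. Missing components
# count as 0, suffixes such as "~dfsg" are dropped, and leading zeros are
# stripped so that "01" compares equal to "1".
ver_part() {
    part=$(printf '%s.0.0\n' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*$//; s/^0*//')
    printf '%s' "${part:-0}"
}

# Return 0 (true) if version $1 is older than version $2.
ver_lt() {
    for i in 1 2 3; do
        a=$(ver_part "$1" "$i")
        b=$(ver_part "$2" "$i")
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
    done
    return 1   # versions are equal
}

# Print VULNERABLE, OK or UNKNOWN for a string as printed by `gs --version`.
gs_status() {
    case "$1" in
        [0-9]*) ;;
        *) echo UNKNOWN; return 0 ;;
    esac
    if ver_lt "$1" "$FIXED_VERSION"; then echo VULNERABLE; else echo OK; fi
}

# Report every Ghostscript binary found on PATH (assumed default names).
gs_scan() {
    for bin in gs gswin64c gswin32c; do
        gs_path=$(command -v "$bin" 2>/dev/null) || continue
        v=$("$gs_path" --version 2>/dev/null)
        printf '%s %s %s\n' "$gs_path" "${v:-?}" "$(gs_status "$v")"
    done
}

gs_scan
```
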

 

Users and administrators of open-source software that uses ports of Ghostscript, such as LibreOffice, GIMP, Inkscape, Scribus, and ImageMagick, are advised to update to the latest versions when they are made available.

 

Sigma rules to detect possible exploitation of CVE-2023-36664 are available at https://github.com/KrollCYB/Kroll-CYB/tree/main/CVE-2023-36664.

More information is available here:

https://www.kroll.com/en/insights/publications/cyber/ghostscript-cve-2023-36664-remote-code-execution-vulnerability

https://www.bleepingcomputer.com/news/security/critical-rce-found-in-popular-ghostscript-open-source-pdf-library/

 

For open-source software on Windows that uses ports of Ghostscript, the process of moving to the latest version may take longer, so extra caution is advised for Windows installations.

https://vulnera.com/newswire/critical-remote-code-execution-vulnerability-discovered-in-ghostscript-pdf-library/

 

POC:

https://github.com/jakabakos/CVE-2023-36664-Ghostscript-command-injection?s=03 

 

 

Reference:

https://www.pdfforge.org/blog/pdfcreator-51-release

5.1.1 was the latest version, released on May 15, 2023

https://www.pdfforge.org/blog/pdf-creator-5-1-1-maintenance-release

https://cn-sec.com/archives/1874078.html

https://www.csa.gov.sg/alerts-advisories/alerts/2023/al-2023-095

 

PDFCreator 5.1.2 was released on 2023-08-21 to fix this vulnerability

 

https://docs.pdfforge.org/pdfcreator/en/pdfcreator/introduction/whats-new/

 

Stable Release 5.1.2 published on 2023-08-21

https://download.pdfforge.org/

 


Saturday, August 12, 2023

WPS Office Zero Day Vulnerability on 7 Aug 2023 - network-level workaround, but it has side effects

Solution:

Block *.wps.cn on the firewall, since the attacker uses the vulnerability to redirect WPS to xxxwps.cn and then triggers the attack by exploiting the vulnerability.

 

Drawback:

Some WPS cloud services, functions and features (e.g. Cloud Documents) cannot be used

 


Mass deployment of the workaround for the WPS 2019 zero-day vulnerability of 7 Aug 2023

1. Put the ReplacePreferences_en.bat script and the "Preferences" file in the same folder;

2. Run the ReplacePreferences_en.bat script;

3. If "Replace Success" is displayed, the replacement succeeded.

 

*The file "Preferences" can be copied from a machine on which the configuration was changed manually and successfully; the file is located under "%appdata%\kingsoft\wps\addons\data\win-i386\promebrowser"

 

If you cannot find the file and/or the folder "wps" under "%appdata%\kingsoft", that means you have not opened the option center (Settings) before.

 

 

 

"ReplacePreferences_en.bat"

 

@echo off
REM Before running, make sure this bat and the replacement Preferences file are in the same folder.
REM dst path: for cloud desktop users, if the %appdata% path is on a network path,
REM change dst to the corresponding path yourself, and change wpsPath accordingly.
set "dst=%appdata%\kingsoft\wps\addons\data\win-i386\promebrowser"
set "wpsPath=%appdata%\kingsoft\wps"

REM Paths are quoted so that profile paths containing spaces work.
if not exist "%dst%" goto createPath
goto replaceFile

:createPath
mkdir "%dst%"
goto replaceFile

:replaceFile
if not exist ".\Preferences" goto replaceFileNotExist
REM Stop the running WPS processes before replacing the file.
taskkill /f /im wpscloudsvr.exe
taskkill /f /im wps.exe
taskkill /f /im wpp.exe
taskkill /f /im et.exe
taskkill /f /im wpspdf.exe
taskkill /f /im wpsupdate.exe
taskkill /f /im updateself.exe
taskkill /f /im ktpcntr.exe
taskkill /f /im wpsoffice.exe
if exist "%dst%\Preferences" del "%dst%\Preferences"
copy ".\Preferences" "%dst%"
REM Only report success if the copy actually worked.
if errorlevel 1 goto replaceFailed
goto replaceSuccess

:replaceFileNotExist
echo Preferences File Not Exist!
goto end

:replaceFailed
echo Replace Failed!
goto end

:replaceSuccess
echo Replace Success
goto end

:end
pause

 


Cannot show Simplified Chinese in Notepad

Problem:

 

Solution:

 

 

Press Language & Region on the left, then click Administrative Language Settings under the Related Settings section. The Region window will open on the Administrative tab. Under the "Language for non-Unicode Programs" section, click the Change System Locale button and change it to "Chinese (Simplified, Mainland China)".

 

After that, Notepad will be able to show Simplified Chinese:

 

 

 


Friday, August 11, 2023

WPS Office Zero Day Vulnerability on 7 Aug 2023

Affected Version:

WPS Office 2023 Personal Edition < 11.1.0.15120

WPS Office 2019 Corporate Edition < 11.8.2.12085

 

Solution:

  1. Upgrade to the latest version
  2. Apply the workaround under option center, website browsing settings:

 

 

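CHS edition Personal: the latest version on the official website, 15324, is currently available for download

CHS edition Corporate: the latest version on the official website, 12085, is currently available for download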

ENG and CHT are still under development

 

Reference:

https://security.wps.cn/notices/35

 
