GhostRule

This is a series of exploits that bypass SAFER mode of Ghostscript.

Ghostscript <= 9.2x

The PoC codes shown below allow you to get command execution or file I/O at the privilege of the process even if Ghostscript is running on SAFER mode.
However, all of them bypass the protection by overwriting the security flags in systemdict therefore they have no longer effect against recent Ghostscript(>= 9.50) that have started employing the new SAFER implementation that prevents critical dictionaries from overwriting (refer to commit 79a06b).

"Rule #1": A .forceput exposure from .pdf_hook_DSC_Creator (CVE-2019-14811)

CVE-2019-14811 is a .forceput exposure from .pdf_hook_DSC_Creator and 'ghostrule1.ps' is the exploit for it.

Credit: @hhc0null

"Rule #2": A .forceput exposure from setuserparams (CVE-2019-14812)

CVE-2019-14812 is a .forceput exposure from setuserparams and 'ghostrule2.ps' is the exploit for it.

Credit: @hhc0null

"Rule #3": A .forceput exposure from setsystemparams (CVE-2019-14813)

CVE-2019-14813 is a .forceput exposure from setsystemparams and 'ghostrule3.ps' is the exploit for it.

Credit: @hhc0null

"Rule #4": A .forceput exposure from .buildfont1 (CVE-2019-10216)

CVE-2019-10216 is a .forceput exposure from buildfont1 and 'ghostrule4.ps' is the exploit for it.

Credit: Artifex Software and Netanel (Cloudinary) as the "original" reporter...???

"Rule #5": '???'

I'm not so ethical thus I'm keeping the technique to grow its 'lifetime' <3

---

The name is from: