Hello, welcome to the Friday, January 25th, 2019 edition of the Sansonet Storms and a Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

November last year, GoScript released version 9.26, and today Travis Armandy with Google did release advisory detailing some

remote code execution vulnerabilities in GoScript. Now, if you're not familiar with GoScript,

GoScript is an open-sourced postscript interpreter and well-post script is a fairly complex language.

Actually, Travis's post goes into some detail in how, for example, functions are being defined

in this language.

And this latest version of GoScript doesn't protect this correctly.

So this is how remote code execution can happen. Travis did also

offer proof of concept code and it could be exploited via various tools that are commonly used to

look at PostScript documents. Then you may say, hey, I don't use PostScript and I don't use

GoScript. Well, the problem is that

GoScript is one of those basic libraries that's used to parse these documents, often also

used by security tools and such. So I wouldn't count it out, even if you are not really familiar

with GoScript, you may be using it as part of some third-party tool and this

third-party tool may expose you to these exploits.

A patch hasn't been made public yet, but Travis did offer some pull requests to the Ghost

script project that should fix these vulnerabilities. And Dutch researcher, Durkian Molima, did come up with an

interesting way to combine three known vulnerabilities to actually leverage access to Microsoft

Exchange to get full domain admin control. Like I said, it's really sort of three problems that are being used here, but probably

the most critical part is that exchange does actually use quite high privileges in its

active directory domain.

...