CVE-2008-0411

Ghostscript < 8.61 - Remote Code Execution via Long Range Array in .seticcspace Operator

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-0411. PoCs published by Will Drewry.

AI-analyzed exploit summary This exploit targets a buffer overflow in Ghostscript's .seticcspace function by encoding shellcode as floats to overflow a statically allocated array. It generates a malicious PostScript file that triggers arbitrary code execution when processed by vulnerable Ghostscript versions.

Description

Stack-based buffer overflow in the zseticcspace function in zicc.c in Ghostscript 8.61 and earlier allows remote attackers to execute arbitrary code via a postscript (.ps) file containing a long Range array in a .seticcspace operator.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Will Drewry · cremotelinux

https://www.exploit-db.com/exploits/31309

View Code ZIP pw:eip

This exploit targets a buffer overflow in Ghostscript's .seticcspace function by encoding shellcode as floats to overflow a statically allocated array. It generates a malicious PostScript file that triggers arbitrary code execution when processed by vulnerable Ghostscript versions.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Ghostscript 8.61 and earlier

No auth needed

Prerequisites: Vulnerable Ghostscript version · Address of 'jmp *%esp' in the binary

MITRE ATT&CK

T1203 - Exploitation for Client Execution T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (27)

Core 27

Core References

URL Repurposed third-party-advisory x_refsource_secunia

http://secunia.com/advisories/29103

Third Party Advisory vendor-advisory x_refsource_ubuntu

http://www.ubuntu.com/usn/usn-599-1

Patch vendor-advisory x_refsource_gentoo

http://www.gentoo.org/security/en/glsa/glsa-200803-14.xml

URL Repurposed third-party-advisory x_refsource_secunia

http://secunia.com/advisories/29154

URL Repurposed third-party-advisory x_refsource_secunia

http://secunia.com/advisories/29196

Broken Link, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/488946/100/0/threaded

Not Applicable vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2008/0693/references

URL Repurposed third-party-advisory x_refsource_secunia

http://secunia.com/advisories/29314

Broken Link, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/488932/100/0/threaded

Broken Link vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9557

URL Repurposed third-party-advisory x_refsource_secunia

http://secunia.com/advisories/29101

Broken Link x_refsource_confirm

http://wiki.rpath.com/Advisories:rPSA-2008-0082

URL Repurposed third-party-advisory x_refsource_secunia

http://secunia.com/advisories/29112

Mailing List, Third Party Advisory vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00009.html

URL Repurposed third-party-advisory x_refsource_secunia

http://secunia.com/advisories/29147

Third Party Advisory vendor-advisory x_refsource_mandriva

http://www.mandriva.com/security/advisories?name=MDVSA-2008:055

Broken Link x_refsource_confirm

https://issues.rpath.com/browse/RPL-2217

URL Repurposed third-party-advisory x_refsource_secunia

http://secunia.com/advisories/29768

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id?1019511

Patch vendor-advisory x_refsource_debian

http://www.debian.org/security/2008/dsa-1510

URL Repurposed vendor-advisory x_refsource_redhat

http://www.redhat.com/support/errata/RHSA-2008-0155.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/28017

Exploit x_refsource_misc

http://scary.beasts.org/security/CESA-2008-001.html

Release Notes, Third Party Advisory vendor-advisory x_refsource_fedora

https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00085.html

URL Repurposed third-party-advisory x_refsource_secunia

http://secunia.com/advisories/29135

URL Repurposed third-party-advisory x_refsource_secunia

http://secunia.com/advisories/29169

Mailing List vendor-advisory x_refsource_slackware

http://slackware.com/security/viewer.php?l=slackware-security&y=2008&m=slackware-security.370633

Scores

EPSS 0.1441

EPSS Percentile 96.2%

Details

CWE

CWE-119

Status published

Products (4)

ghostscript/ghostscript 0

ghostscript/ghostscript 8.0.1

ghostscript/ghostscript 8.15

ghostscript/ghostscript < 8.61

Published Feb 28, 2008

Tracked Since Feb 18, 2026