
Bypassing Apache FOP PostScript Escaping to Reach GhostScript


Published on Fri 27 February 2026 by @sigabrt9

Introduction

A few months ago, I came across a bug bounty program for an application that uses Apache FOP (Formatting Objects Processor) to generate PostScript files from user-supplied XML, then runs GhostScript to generate a PDF. This feature seemed really appealing and very bug-prone.

As a reminder, PostScript is a Turing-complete page description language that can also interact with the underlying system. The complete specification for PostScript can be found here. The most widely used PostScript interpreter is the GhostScript project, which runs on both Windows and Linux. In general, web applications use GhostScript to modify PDF files (merging PDFs, reducing their size, etc.), to generate PDFs from another format, or to perform operations on images in the PostScript format.

As GhostScript often deals with user-supplied input, it implements a sandbox (-dSAFER, enabled by default on recent versions) that forbids access to the underlying operating system. However, even with the sandbox, it is still possible to access the temporary folders (and others) through PostScript and retrieve the content of the files stored there, which can be, in some contexts, very impactful.

Note that, even with the sandbox, it is not recommended to process user-supplied input with GhostScript.

Context

The target application was using C#/.NET and took user-supplied XML files, combined them with a server-side stylesheet (.xsl), and produced an XSL Formatting Objects document. Afterwards, Apache FOP was used to transform these files into PostScript files, and finally GhostScript was used to generate and return the final PDF.

These Docker files were created as a pwn exercise. They mimic the behavior of the application: the provided name is used in a generated PDF that displays Hello ${name}. The goal is to extract a flag located in /tmp.

This issue was found with the help of the Jazzer fuzzer. The harness was simple: it called Apache FOP to transform an FO file to PostScript, then ran GhostScript on every generated PostScript file, and crashed only when GhostScript failed to parse the PostScript file.
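The harness above uses "the escaped text must still parse" as its oracle. The following is an added example, not the author's harness and not Apache FOP code: it applies the same oracle as a regression check for a PostScript string escaper, with a small Python scanner for ( ... ) literals standing in for GhostScript. Both escapers, all function names and the input corpus are constructed for illustration.

```python
import random

# Escapes recognised inside a PostScript ( ... ) literal; any other \x drops the backslash.
ESC = {"n": "\n", "r": "\r", "t": "\t", "b": "\b", "f": "\f", "\\": "\\", "(": "(", ")": ")"}

def scan_ps_string(src):
    """Decode the literal starting at src[0]; return (decoded, end index) or None."""
    if not src.startswith("("):
        return None
    out, depth, i = [], 1, 1
    while i < len(src):
        ch, i = src[i], i + 1
        if ch == "\\" and i < len(src):
            e, i = src[i], i + 1
            if e in "01234567":                  # \ddd octal, at most three digits
                while len(e) < 3 and i < len(src) and src[i] in "01234567":
                    e, i = e + src[i], i + 1
                out.append(chr(int(e, 8) & 0xFF))
            elif e != "\n":                      # backslash-newline is a line continuation
                out.append(ESC.get(e, e))
        elif ch == ")" and depth == 1:
            return "".join(out), i               # the literal ends here
        else:
            depth += (ch == "(") - (ch == ")")   # unescaped balanced parentheses may nest
            out.append(ch)
    return None                                  # ran off the end: unterminated literal

def escape_ps_string(text):
    """Octal-escape delimiters, backslash and every non-printable byte of the UTF-8 text."""
    return "".join(chr(b) if 32 <= b < 127 and chr(b) not in "()\\" else "\\%03o" % b
                   for b in text.encode("utf-8"))

def naive_escape(text):
    """Hypothetical flawed escaper, constructed for contrast: it forgets the backslash."""
    return text.replace("(", "\\(").replace(")", "\\)")

def first_bad_input(escape, trials=2000, seed=1):
    """Return the first input whose escaped literal fails to round-trip, else None."""
    rng = random.Random(seed)
    inputs = ["", "Hello (world)", "50% off\n", "a\\"]   # constructed seed corpus
    inputs += ["".join(rng.choices("()\\ab %\n", k=rng.randint(0, 8))) for _ in range(trials)]
    for text in inputs:
        literal = "(" + escape(text) + ")"
        expected = text.encode("utf-8").decode("latin-1")   # a PS string holds raw bytes
        if scan_ps_string(literal) != (expected, len(literal)):
            return text
    return None
```

Run in CI against the escaper that feeds the PostScript generator, a non-None result is an input to fix before it reaches the interpreter.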
