[TheRecord] Ghostscript zero-day allows full server compromises

Proof-of-concept exploit code was published online over the weekend for an unpatched Ghostscript vulnerability that puts all servers that rely on the component at risk of attacks.

Published by Vietnamese security researcher Nguyen The Duc, the proof-of-concept code is available on GitHub and was confirmed to work by several of today’s leading security researchers.

This is indeed a thing. https://t.co/W3yVcUnTJz pic.twitter.com/mDEih91fRa

— Will Dormann (@wdormann) September 5, 2021

Released back in 1988, Ghostscript is a small library that allows applications to process PDF documents and PostScript-based files.

While its primary use is for desktop software, Ghostscript is also used server-side, where it is typically included with image conversion and file upload processing toolkits, such as the popular ImageMagick.

The proof-of-concept code released by Nguyen on Sunday exploits this latter scenario, allowing an attacker to upload a malformed SVG file that escapes the image processing pipeline and runs malicious code on the underlying operating system.

While Nguyen released the public exploit for this bug, he is not the one who discovered the vulnerability.

The person who did is Wunderfund CTO and founder Emil Lerner, who found the bug last year and used it to obtain bug bounties from companies like Airbnb, Dropbox, and Yandex.

Details about the vulnerability leaked into the public domain last month after Lerner gave a talk at the ZeroNights X security conference about the current attack vector posed by server-side image conversion tools, using the Ghostscript zero-day as an example.

Here’re slides from my talk at ZeroNights X! A 0-day for GhostScript 9.50, RCE exploit chain for ImageMagick with the default settings from Ubuntu repos and several bug bounty stories inside https://t.co/7JHotVa5DQ

— Emil Lerner (@emil_lerner) August 25, 2021

“Exploit seems to be correct,” Lerner told The Record yesterday in a private conversation when asked about Nguyen’s proof-of-concept.

The researcher told The Record that he was not aware of any patch for the Ghostscript vulnerability prior to Nguyen’s release of the public exploit.

Artifex, the company behind the Ghostscript project, did not return a request for comment sent on Monday via their website.

This is the second time the Ghostscript project has been in the news because of security issues. In August 2018, a Google security researcher discovered multiple critical vulnerabilities in the Ghostscript library that Artifex failed to patch in time. The company did, however, release fixes two days after the Ghostscript security issues were broadly exposed.

The post Ghostscript zero-day allows full server compromises appeared first on The Record by Recorded Future.
