[TheRecord] Ghostscript zero-day allows full server compromises

Proof-of-concept exploit code was published online over the weekend for an unpatched Ghostscript vulnerability that puts all servers that rely on the component at risk of attacks.

Published by Vietnamese security researcher Nguyen The Duc, the proof-of-concept code is available on GitHub and was confirmed to work by several of today’s leading security researchers.

This is indeed a thing. https://t.co/W3yVcUnTJz pic.twitter.com/mDEih91fRa

— Will Dormann (@wdormann) September 5, 2021

Released back in 1988, Ghostscript is a small library that allows applications to process PDF documents and PostScript-based files.

While its primary use is for desktop software, Ghostscript is also used server-side, where it is typically included with image conversion and file upload processing toolkits, such as the popular ImageMagick.

The proof-of-concept code released by Nguyen on Sunday exploits this latter scenario, allowing an attacker to upload a malformed SVG file that escapes the image processing pipeline and runs malicious code on the underlying operating system.
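As an added, defender-side illustration that is not part of the article: the usual hardening for Ghostscript bugs reached through ImageMagick is to deny, in ImageMagick's policy.xml, the coders it hands to the Ghostscript delegate. The script below reports which of those coders a given policy still leaves enabled; the coder list (PS, PS2, PS3, EPS, PDF, XPS) and the brace-list pattern syntax are taken from ImageMagick's own documentation, not from the article, and the two policies it checks are constructed samples.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders that ImageMagick delegates to Ghostscript. Denying them in policy.xml
# is the standard hardening; the list is an assumption taken from ImageMagick
# documentation, not something the article states.
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")


def _expand_braces(pattern):
    """Expand the {A,B,C} alternation that ImageMagick accepts in policy patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",")
            for p in _expand_braces(head + alt + tail)]


def denied_coders(policy_xml):
    """Return the Ghostscript-backed coders that policy_xml denies all rights for."""
    denied = set()
    for node in ET.fromstring(policy_xml).iter("policy"):
        if node.get("domain", "").lower() != "coder":
            continue
        if node.get("rights", "").strip().lower() != "none":
            continue  # only rights="none" actually blocks the coder
        for pat in _expand_braces(node.get("pattern", "")):
            pat = pat.upper()
            denied.update(c for c in GHOSTSCRIPT_CODERS if fnmatch.fnmatchcase(c, pat))
    return denied


def exposed_coders(policy_xml):
    """Ghostscript-backed coders the policy still lets ImageMagick use, sorted."""
    return sorted(set(GHOSTSCRIPT_CODERS) - denied_coders(policy_xml))


# Constructed samples: a weak policy that only blocks EPS, and a hardened one.
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPS" />
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
</policymap>"""

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "policy still exposes:", exposed_coders(policy) or "nothing")
```

Whether such a policy stops a particular upload depends on which coder the file is routed through, which the article does not specify.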

While Nguyen released the public exploit for this bug, he is not the one who discovered the vulnerability.

The person who did is Wunderfund CTO and founder Emil Lerner, who found the bug last year and used it to obtain bug bounties from companies like Airbnb, Dropbox, and Yandex.

Details about the vulnerability leaked into the public domain last month after Lerner gave a talk at the ZeroNights X security conference on the attack surface that server-side image conversion tools expose, using the Ghostscript zero-day as an example.

Here’re slides from my talk at ZeroNights X! A 0-day for GhostScript 9.50, RCE exploit chain for ImageMagick with the default settings from Ubuntu repos and several bug bounty stories inside https://t.co/7JHotVa5DQ

— Emil Lerner (@emil_lerner) August 25, 2021

“Exploit seems to be correct,” Lerner told The Record yesterday in a private conversation when asked about Nguyen’s proof-of-concept.

The researcher told The Record that he was not aware of any patch for the Ghostscript vulnerability prior to Nguyen’s release of the public exploit.

Artifex, the company behind the Ghostscript project, did not return a request for comment sent on Monday via their website.

This is the second time the Ghostscript project has been in the news because of security issues. In August 2018, a Google security researcher discovered multiple critical vulnerabilities in the Ghostscript library that Artifex failed to patch in time. The company did, however, release fixes two days after the Ghostscript security issues were broadly exposed.

The post Ghostscript zero-day allows full server compromises appeared first on The Record by Recorded Future.
