GhostScript 0-day vulnerability allows server compromise

An unpatched vulnerability exists in GhostScript (up to v 9.50) that allows privilege escalation. Servers running ImageMagick are particularly at risk and could be taken over by attackers. The vulnerability was discovered a year ago, but allegedly not reported to the developers. Now a proof-of-concept (PoC) exploit for the vulnerability has been published. Since tools like ImageMagick use GhostScript internally and are used by many companies, admins should respond and update GhostScript.



What is GhostScript?

GhostScript is a free interpreter of the PostScript page description language and the Portable Document Format (PDF). GhostScript provides a programming interface with functions to render and print PostScript and PDF content. The product runs on UNIX, Mac OS X, VMS, Windows, OS/2 and Mac OS.

GhostScript is integrated in many drivers or tools for outputting documents in PDF format. The free software package ImageMagick for creating and editing raster and vector graphics also relies on GhostScript. GhostScript is offered by Artifex on this website.

0-day vulnerability and exploit

I became aware of the issue yesterday via the following tweet from Catalin Cimpanu. The background is that a proof-of-concept for exploiting the vulnerability was published recently.

GhostScript 0-day

0-day RCE vulnerability in GhostScript 9.50

The unpatched remote code execution (RCE) vulnerability in GhostScript 9.50 was discovered by Emil Lerner, founder and CTO of Wunderfund. Lerner discovered the vulnerability in late 2020 and used that knowledge to collect bug bounties from companies such as Airbnb, Dropbox and Yandex. However, it appears that Lerner did not report the vulnerability to Artifex, the developer of GhostScript.



ZeroNights X talk about GhostScript 9.50 RCE

In the above tweet, Lerner shares the presentation slides from his talk at ZeroNights X. There he goes into detail about a 0-day vulnerability in GhostScript 9.50 and presents an RCE exploit chain for ImageMagick. He was able to run the exploit with the default settings from the Ubuntu repos. ImageMagick is used by several companies for image conversion on the web.

New proof-of-concept

Last weekend, Vietnamese security researcher Nguyen The Duc published his proof-of-concept code (see tweet) for exploiting a 0-day vulnerability in GhostScript on GitHub.

GhostScript 9.5 0-day PoC

On GitHub, Nguyen The Duc writes that the PoC, written in Python, exploits a GhostScript 9.50 0-day. This 0-day exploit affects ImageMagick with the default settings from the Ubuntu repository (tested with ImageMagick's default settings on Ubuntu 20.04). Security researcher Will Dormann confirmed in a tweet that the PoC works.

Will Dormann on GhostScript 0-day

In follow-up tweets, Dormann discusses the manipulated JPG graphic files used to exploit the 0-day in ImageMagick. I found Rikmer Rikmer's tweet about workarounds to mitigate the vulnerability interesting.

Mitigation of 0-day GhostScript 9.5 RCE

That tweet refers to this nsfocusglobal.com security advisory, which summarizes the details of the vulnerabilities a bit. According to this post, developer Artifex released "Bug 701446: Avoid divide by zero in shading" in Ghostscript on August 28, 2019. Artifex announced the fix for the four -dSAFER sandbox bypass vulnerabilities (-dSAFER is a security sandbox used by Ghostscript to prevent unsafe PostScript operations).

Currently, the only option is to update GhostScript to newer versions. The Red Hat 7 and 8 distributions have already been updated to address these vulnerabilities. The article also describes a mitigation of the bug for systems that cannot be updated.

Artifex, the company behind the Ghostscript project, told The Record that the vulnerability had not been reported to the company as part of its vulnerability disclosure process. The company says it is "increasingly frustrated with security researchers who do not ethically disclose potentially serious vulnerabilities." It said it is currently working on a patch, which it hopes to release by the end of the week.

