{"id":21283,"date":"2021-09-09T08:48:32","date_gmt":"2021-09-09T06:48:32","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=21283"},"modified":"2021-09-09T08:49:21","modified_gmt":"2021-09-09T06:49:21","slug":"ghostscript-0-day-schwachstelle-ermglicht-server-bernahme","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2021\/09\/09\/ghostscript-0-day-schwachstelle-ermglicht-server-bernahme\/","title":{"rendered":"GhostScript 0-day vulnerability allows server compromise"},"content":{"rendered":"<p><img decoding=\"async\" title=\"Security (Pexels, general use)\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" alt=\"Security (Pexels, general use)\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" width=\"200\" align=\"left\">[<a href=\"https:\/\/www.borncity.com\/blog\/2021\/09\/09\/ghostscript-0-day-schwachstelle-ermglicht-server-bernahme\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] An unpatched vulnerability exists in GhostScript (up to version 9.50) that allows privilege escalation. Servers running the ImageMagick program are particularly at risk, because they could be taken over by attackers. The vulnerability was discovered a year ago, but allegedly not reported to the developers. A proof-of-concept (PoC) exploit for the vulnerability is now public. Since tools like ImageMagick use GhostScript internally and are used by many companies, admins should respond and update GhostScript.<\/p>\n<p><!--more--><\/p>\n<h2>What is GhostScript?<\/h2>\n<p><a href=\"https:\/\/en.wikipedia.org\/wiki\/Ghostscript\" target=\"_blank\" rel=\"noopener\">GhostScript<\/a> is a free interpreter of the PostScript page description language and the Portable Document Format (PDF). 
GhostScript provides a programming interface with functions to render and print PostScript and PDF content. The product runs on UNIX, Mac OS X, VMS, Windows, OS\/2 and Mac OS.<\/p>\n<p>GhostScript is integrated in many drivers and tools that output documents in PDF format. The free software package <a href=\"https:\/\/en.wikipedia.org\/wiki\/ImageMagick\" target=\"_blank\" rel=\"noopener\">ImageMagick<\/a> for creating and editing raster and vector graphics also relies on GhostScript. GhostScript is offered by Artifex on <a href=\"https:\/\/www.ghostscript.com\/\" target=\"_blank\" rel=\"noopener\">this website<\/a>.<\/p>\n<h2>0-day vulnerability and exploit<\/h2>\n<p>I already became aware of the <a href=\"https:\/\/therecord.media\/ghostscript-zero-day-allows-full-server-compromises\/\" target=\"_blank\" rel=\"noopener\">issue<\/a> yesterday via the following <a href=\"https:\/\/twitter.com\/campuscodi\/status\/1435252893695758338\" target=\"_blank\" rel=\"noopener\">tweet<\/a> from Catalin Cimpanu. The background is that a proof-of-concept for exploiting the vulnerability was published recently.<\/p>\n<p><a href=\"https:\/\/twitter.com\/campuscodi\/status\/1435252893695758338\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"GhostScript 0-day\" alt=\"GhostScript 0-day\" src=\"https:\/\/i.imgur.com\/hRaNiwN.png\"><\/a><\/p>\n<h3>0-day RCE vulnerability in GhostScript 9.50<\/h3>\n<p>The unpatched remote code execution (RCE) vulnerability in GhostScript 9.50 was discovered by Emil Lerner, founder and CTO of Wunderfund. He found the vulnerability in late 2020 and used that knowledge to collect bug bounties from companies such as Airbnb, Dropbox and Yandex. 
However, it appears that Lerner did not report the vulnerability to Artifex, the developer of GhostScript.<\/p>\n<p><img decoding=\"async\" title=\"ZeroNights X talk about GhostScript 9.50 RCE\" alt=\"ZeroNights X talk about GhostScript 9.50 RCE\" src=\"https:\/\/i.imgur.com\/T5gyNdB.png\"><\/p>\n<p>In the above <a href=\"https:\/\/twitter.com\/emil_lerner\/status\/1430502815181463559\" target=\"_blank\" rel=\"noopener\">tweet<\/a>, Lerner shares the slides from his talk at ZeroNights X. The talk goes into detail about a 0-day vulnerability in GhostScript 9.50 and presents an RCE exploit chain for ImageMagick. He was able to run the exploit against ImageMagick with the default settings from the Ubuntu repositories. ImageMagick is used by several companies for image conversion on the web.<\/p>\n<h3>New proof-of-concept<\/h3>\n<p>Last weekend, Vietnamese security researcher Nguyen The Duc published his proof-of-concept code for exploiting a 0-day vulnerability in GhostScript on <a href=\"https:\/\/github.com\/duc-nt\/RCE-0-day-for-GhostScript-9.50\" target=\"_blank\" rel=\"noopener\">GitHub<\/a> (see <a href=\"https:\/\/twitter.com\/ducnt_\/status\/1434534373416574983\" target=\"_blank\" rel=\"noopener\">tweet<\/a>).<\/p>\n<p><a href=\"https:\/\/twitter.com\/ducnt_\/status\/1434534373416574983\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"GhostScript 9.5 0-day PoC\" alt=\"GhostScript 9.5 0-day PoC\" src=\"https:\/\/i.imgur.com\/34b6eYR.png\"><\/a><\/p>\n<p>On GitHub, Nguyen The Duc writes that the PoC, written in Python, exploits a GhostScript 9.50 0-day. The exploit affects ImageMagick with the default settings from the Ubuntu repository (tested with ImageMagick's default settings on Ubuntu 20.04). 
Security researcher Will Dormann confirmed in a <a href=\"https:\/\/twitter.com\/wdormann\/status\/1434567659476197382\" target=\"_blank\" rel=\"noopener\">tweet<\/a> that the PoC works.<\/p>\n<p><a href=\"https:\/\/twitter.com\/wdormann\/status\/1434567659476197382\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Will Dormann on the GhostScript 0-day\" alt=\"Will Dormann on the GhostScript 0-day\" src=\"https:\/\/i.imgur.com\/ThVzqXH.png\"><\/a><\/p>\n<p>In follow-up tweets, Dormann discusses the manipulated JPG files used to exploit the 0-day in ImageMagick. I found Rikmer Rikmer's <a href=\"https:\/\/twitter.com\/rikmerremkir\/status\/1435600812231757824\" target=\"_blank\" rel=\"noopener\">tweet<\/a> about workarounds to mitigate the vulnerability interesting.<\/p>\n<p><a href=\"https:\/\/twitter.com\/rikmerremkir\/status\/1435600812231757824\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" title=\"Mitigation of 0-day GhostScript 9.5 RCE\" alt=\"Mitigation of 0-day GhostScript 9.5 RCE\" src=\"https:\/\/i.imgur.com\/pdIbzDM.png\"><\/a><\/p>\n<p>The tweet refers to <a href=\"https:\/\/nsfocusglobal.com\/ghostscript-dsafer-multiple-sandbox-bypass-vulnerabilities-threat-alert\/\" target=\"_blank\" rel=\"noopener\">this nsfocusglobal.com security advisory<\/a>, which summarizes the vulnerabilities. According to that post, developer Artifex released \"Bug 701446: Avoid divide by zero in shading\" in Ghostscript on August 28, 2019, and announced the fix for the four -dSAFER sandbox bypass vulnerabilities (-dSAFER is the security sandbox Ghostscript uses to prevent unsafe PostScript operations).<\/p>\n<p>Currently, the only option is to update GhostScript to a newer version. The Red Hat 7 and 8 distributions have already been updated to address these vulnerabilities. 
The advisory also describes a mitigation of the bug for systems that cannot be updated.<\/p>\n<p>Artifex, the company behind the Ghostscript project, told The Record that the vulnerability had not been reported to the company as part of its vulnerability disclosure process. The company says it is \"increasingly frustrated with security researchers who do not ethically disclose potentially serious vulnerabilities.\" It said it is currently working on a patch, which it hopes to release by the end of the week.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] An unpatched vulnerability exists in GhostScript (up to version 9.50) that allows privilege escalation. Servers running the ImageMagick program are particularly at risk, because they could be taken over by attackers. The vulnerability was discovered a year ago, but allegedly not &hellip; <a href=\"https:\/\/borncity.com\/win\/2021\/09\/09\/ghostscript-0-day-schwachstelle-ermglicht-server-bernahme\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580],"tags":[69,1544],"class_list":["post-21283","post","type-post","status-publish","format-standard","hentry","category-security","tag-security","tag-software"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/21283","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=21283"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/21283\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=21283"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=21283"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=21283"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}