They found a vulnerability in Ghostscript that was exploited through ImageMagick

Recently the news broke that identified a critical vulnerability (which is already cataloged as CVE-2021-3781) in Ghostscript (a set of tools for processing, converting and generating documents in PostScript and PDF formats) that allows to execute arbitrary code when processing a specially formatted file.

Initially, Emil Lerner pointed out that there was a problem and who was also the one who spoke about vulnerability on August 25or at the last Saint Petersburg ZeroNights X conference (In the report showed how Emile within the bug bounty program to use the vulnerability to get rewards for demonstration attacks on AirBNB, Dropbox and Yandex.Realty services).

On September 5, a functional exploit appeared public domain that allows attacking Ubuntu 20.04 systems by transferring a web script that runs on the server using the php-imagemagick package, a specially crafted document loaded under the guise of an image.

We have a solution in testing right now.

Since this exploit has apparently been circulating since March and is fully public since at least August 25 (so much for responsible disclosure!), I am inclined to post the fix publicly as soon as we have completed testing and review.

Although on the other hand, it is also mentioned that according to preliminary data, such an exploit has been used since March and it was announced that can attack systems running GhostScript 9.50, but it has been revealed that the vulnerability has continued in all subsequent versions of GhostScript, including Git development version 9.55.

A correction was subsequently proposed on September 8 and after peer review it was accepted into the GhostScript repository on September 9th.

As I mentioned earlier, since the exploit has been "in the wild" for at least 6 months, I have already submitted the patch to our public repository; keeping the patch a secret in this circumstance seemed useless.

I'll make this bug public before close of business (UK) on Friday, again, unless there are strong and compelling arguments not to do so (you can still link to it, making it public will not change the URL).

The problem is due to the ability to bypass the isolation mode "-dSAFER" due to insufficient validation of the PostScript device parameters "% pipe%", which allowed to execute arbitrary shell commands.

For example, to run the identification utility on a document, you only need to specify the string "(% pipe% / tmp / & id) (w) file" or "(% pipe% / tmp /; id) (r) file ».

As a reminder, the vulnerabilities in Ghostscript are more serious, since this package is used in many applications popular for processing PostScript and PDF formats. For example, Ghostscript is called when creating thumbnails on the desktop, when indexing data in the background, and when converting images. For a successful attack, in many cases, it is enough to download the exploit file or browse the directory with it in a file manager that supports the display of document thumbnails, for example in Nautilus.

Vulnerabilities in Ghostscript can also be exploited via image controllers based on the ImageMagick and GraphicsMagick packages, passing a JPEG or PNG file, which contains PostScript code instead of an image (this file will be processed in Ghostscript, since the MIME type is recognized by the content, and without depending on the extension).

As a workaround to protect against exploiting the vulnerability through the automatic thumbnail generator in GNOME and ImageMagick, it is recommended to disable the evince-thumbnailer call in /usr/share/thumbnailers/evince.thumbnailer and disable the rendering of PS, EPS, PDF and XPS formats in ImageMagick,

Finally It is mentioned that in many distributions the problem is still not fixed (The status of the release of updates can be seen on the pages of Debian, Ubuntu, Fedora, SUSE, RHEL, Arch Linux, FreeBSD, NetBSD).

It is also mentioned that the release of GhostScript with the elimination of the vulnerability is scheduled to be published before the end of the month. If you want to know more about it, you can check the details in the following link


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published.

*

*

  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.