Hackers have released a proof-of-concept (PoC) that exploits a previously known vulnerability in Ghostscript, a commonly used server-side image conversion software package.
Security researcher Emil Lerner discovered the unpatched vulnerability in Ghostscript version 9.50 in August and demonstrated it at the ZeroNights X conference in Saint Petersburg, Russia.
“Here’re slides from my talk at ZeroNights X! A 0-day for GhostScript 9.50, RCE exploit chain for ImageMagick with the default settings from Ubuntu repos and several bug bounty stories inside,” he posted on Twitter, sharing the slides with the demonstration. In reply to a comment asking, “Is this still a 0-day or is it now patched?” he said, “Not yet, but I think there’ll be one.”
He used the free, open-source file-conversion software ImageMagick to demonstrate the PoC on Ubuntu. In his talk, Lerner explained how he used his discovery to break into the systems of the Yandex.Realty app, Airbnb, and Dropbox, collecting bug bounties for each.
Each system required a different set of techniques to break into. In the Airbnb case, for example, a server-side request forgery was used to execute a memory dump and access AWS data.
The Dropbox attack was limited to a non-privileged account: it allowed remote code execution (RCE), but only in the context of a user logged in as a non-privileged user.
The final exploit uses a scalable vector graphics (SVG) file to let an attacker execute arbitrary commands. The file is imported disguised as an EPS file and handed to Ghostscript, which processes it and thereby lets the threat actors run their arbitrary code.
A proof-of-concept Python script that targets the Ghostscript vulnerability was posted on GitHub last weekend.
According to the researcher, many websites run outdated Ghostscript software and are prone to exploitation. The latest version of Ghostscript is 9.54, released in March 2021.
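As an added defender-side example (not code from the article, Ghostscript or ImageMagick), a small Python audit that flags a Ghostscript build older than the 9.54 the article names and lists which of the coders in this SVG/EPS conversion chain an ImageMagick policy.xml still leaves enabled. The sample policy text and the coder list are constructed assumptions; which coders to deny on a given server is a deployment decision.

```python
import re
import subprocess
import xml.etree.ElementTree as ET

# Latest release named in the article (assumption: anything older is "outdated").
LATEST_GS = (9, 54)
# Coders involved in the chain described (SVG input, EPS/PostScript handed to
# Ghostscript) plus the other formats ImageMagick routes through Ghostscript.
# Constructed list, not a recommendation from the article.
CODERS_TO_CHECK = {"PS", "PS2", "PS3", "EPS", "PDF", "XPS", "SVG", "MSVG"}

# Constructed sample resembling a distro policy.xml that denies the PostScript
# family but leaves the SVG coders enabled.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="{EPS,PDF,XPS}" />
  <policy domain="resource" name="memory" value="256MiB" />
</policymap>"""


def parse_gs_version(text: str) -> tuple:
    """Extract (major, minor) from `gs --version` output such as '9.50'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Ghostscript version found in output")
    return int(m.group(1)), int(m.group(2))


def gs_is_outdated(version_text: str) -> bool:
    """True when the reported version is older than LATEST_GS."""
    return parse_gs_version(version_text) < LATEST_GS


def denied_coders(policy_xml: str) -> set:
    """Coder names that policy.xml denies (domain="coder", rights="none").
    Handles both single patterns and brace lists like {EPS,PDF,XPS}."""
    denied = set()
    for p in ET.fromstring(policy_xml).iter("policy"):
        if p.get("domain") == "coder" and p.get("rights", "").lower() == "none":
            for name in p.get("pattern", "").strip("{}").split(","):
                denied.add(name.strip().upper())
    return denied


def still_enabled(policy_xml: str) -> set:
    """Coders from CODERS_TO_CHECK that the policy does not deny."""
    return CODERS_TO_CHECK - denied_coders(policy_xml)


if __name__ == "__main__":
    out = subprocess.run(["gs", "--version"], capture_output=True, text=True).stdout
    print("Ghostscript outdated:", gs_is_outdated(out))
    print("Coders still enabled in sample policy:", sorted(still_enabled(SAMPLE_POLICY)))
```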