Ghostscript zero-day allows full server compromises

Proof-of-concept exploit code was published online over the weekend for an unpatched Ghostscript vulnerability that puts all servers that rely on the component at risk of attacks.

Published by Vietnamese security researcher Nguyen The Duc, the proof-of-concept code is available on GitHub and was confirmed to work by several of today's leading security researchers.

Released back in 1988, Ghostscript is a small library that allows applications to process PDF documents and PostScript-based files.

While its primary use is for desktop software, Ghostscript is also used server-side, where it is typically included with image conversion and file upload processing toolkits, such as the popular ImageMagick.

The proof-of-concept code released by Nguyen on Sunday exploits this latter scenario, allowing an attacker to upload a malformed SVG file that escapes the image processing pipeline and runs malicious code on the underlying operating system.

While Nguyen released the public exploit for this bug, he is not the one who discovered the vulnerability.

The person who did is Wunderfund CTO and founder Emil Lerner, who found the bug last year and used it to obtain bug bounties from companies like Airbnb, Dropbox, and Yandex.

Details about the vulnerability leaked into the public domain last month after Lerner held a talk at the ZeroNights X security conference about the current attack vector posed by server-side image conversion tools and used the Ghostscript zero-day as an example.

"Exploit seems to be correct," Lerner told The Record yesterday in a private conversation when asked about Nguyen's proof-of-concept.

The researcher told The Record that he was not aware of any patch for the Ghostscript vulnerability prior to Nguyen's release of the public exploit.

However, Artifex, the company behind the Ghostscript project, told The Record the vulnerability had not been reported to the company via its vulnerability disclosure process.

The company said they are "becoming increasingly frustrated with security researchers who fail to ethically disclose potentially serious security vulnerabilities" and that engineers are currently working on a patch they hope to have out by the end of the week.

The company did, however, release a patch on September 9, after this article went live. It also assigned the CVE-2021-3781 identifier to the vulnerability.

This is the second time the Ghostscript project is in the news because of security issues. In August 2018, a Google security researcher discovered multiple critical vulnerabilities in the Ghostscript library that Artifex failed to patch in time. The company did, however, release fixes two days later after the Ghostscript security issues were broadly exposed.

Article updated on September 8 with statement from Artifex, and again on September 10 with information on the patch.


Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.