PoC released for Ghostscript vulnerability that exposed Airbnb, Dropbox
Server-side image conversion attack vector laid bare
Hackers have released proof-of-concept code that exploits a recently demonstrated vulnerability in older but still widely used versions of Ghostscript, the popular server-side image conversion software package.
Security researcher Emil Lerner demonstrated an unpatched vulnerability in Ghostscript version 9.50 at the ZeroNights X conference in Saint Petersburg, Russia last month.
The finding was demonstrated using ImageMagick, a free and open source cross-platform file conversion suite, running on Ubuntu.
During his talk, Lerner explained how he was able to leverage his discovery to hack into the systems of Airbnb, Dropbox, and the Yandex.Realty app – collecting various bug bounties in the process.
There are a couple of different techniques at play. The Airbnb exploit, for example, uses server-side request forgery (SSRF) to cause a memory dump and steal AWS metadata.
The Dropbox attack led to remote code execution (RCE), but the code ran as a non-privileged user, which limited its impact. The researchers extended the reach of their exploit by causing Python to import their script when an exception was triggered.
The last exploit uses SVG (scalable vector graphics) to import itself as an EPI file, which is processed by Ghostscript and allows an attacker to inject arbitrary commands.
A proof-of-concept Python script targeting the Ghostscript vulnerability, and using ImageMagick with the default settings from the popular Ubuntu Linux distribution, was posted on GitHub last weekend.
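Since the attacks above rely on ImageMagick handing attacker-supplied input to Ghostscript, the natural defensive check is to audit which Ghostscript-backed formats ImageMagick's policy.xml still permits. The script below is an added example, not code from the article or from the published PoC; it assumes that coder policies are matched by glob against the format name ImageMagick detects (so a rule for PS does not cover EPI), and the format list and both sample policies are constructed by the editor.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Format names that ImageMagick routes to its Ghostscript delegate. Assembled for
# this example; confirm against your own build with `convert -list format`.
GS_FORMATS = ("PS", "PS2", "PS3", "EPS", "EPS2", "EPS3", "EPI", "EPSF", "EPSI",
              "EPT", "EPT2", "EPT3", "PDF", "EPDF", "PDFA", "AI", "XPS")

def _expand_braces(pattern: str) -> list[str]:
    """Expand {A,B,C} alternatives in a policy pattern into separate globs."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    out = []
    for alt in m.group(1).split(","):
        out.extend(_expand_braces(pattern[:m.start()] + alt.strip() + pattern[m.end():]))
    return out

def allowed_gs_formats(policy_xml: str) -> list[str]:
    """Return the Ghostscript-backed formats that a policy.xml still lets ImageMagick read.

    A format counts as blocked when some <policy domain="coder" rights="none">
    pattern matches its name (glob syntax, upper-cased, braces expanded).
    """
    root = ET.fromstring(policy_xml)
    blocked = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights") != "none":
            continue
        for pat in _expand_braces(pol.get("pattern", "")):
            blocked.update(f for f in GS_FORMATS if fnmatch.fnmatchcase(f, pat.upper()))
    return [f for f in GS_FORMATS if f not in blocked]

# Constructed sample: blocks the usual suspects but leaves the EPI/EPT family open.
PARTIAL_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>"""

# Constructed sample: one brace pattern covering every Ghostscript-backed format.
FULL_POLICY = """<policymap>
  <policy domain="coder" rights="none"
          pattern="{PS,PS2,PS3,EPS,EPS2,EPS3,EPI,EPSF,EPSI,EPT,EPT2,EPT3,PDF,EPDF,PDFA,AI,XPS}"/>
</policymap>"""

if __name__ == "__main__":
    print("partial policy still allows:", allowed_gs_formats(PARTIAL_POLICY))
    print("full policy still allows:", allowed_gs_formats(FULL_POLICY))
```

Run it against the real file (typically /etc/ImageMagick-6/policy.xml on Ubuntu) to see which PostScript-family names a partial blocklist leaves reachable.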
The Daily Swig approached Lerner, the hacker who posted the proof-of-concept script, and Artifex, the developers and marketers of Ghostscript, for comment. This article will be updated when more information comes to hand.
The latest available version of Ghostscript is 9.54, released back in March 2021. The research shows that many websites run outdated software, leaving them open to exploitation as a result.