Data exfiltration and code execution on pocket-image-cache.com via Ghostscript

Status: RESOLVED FIXED (defect)
Reported: 5 months ago; last updated: 3 months ago
People: Reporter hanno, Assigned digi
Platform: x86_64 Linux
Bug Flags: sec-bounty +
Attachments: 1

Description (Reporter, 5 months ago)
Attachment: postscript exploit

I reported this bug via Hackerone (report id #459637), but I was asked to report it here again:

pocket-image-cache.com seems to fetch images from upstream servers and convert them via imagemagick to jpeg.

imagemagick autodetects the file format and will pass the file to ghostscript if it is detected as a postscript file. Ghostscript is well known for having plenty of security bypasses for its "sandbox" (-DSAFER).
By using one of the security bypasses by Tavis Ormandy (see [1]) I was able to print out a file from the system into the output image. This can obviously be used to exfiltrate data from the server, but also to write files and escalate to code execution.

The relevant parts in the attached file are the lines starting at
/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec pop pop pop pop pop pop pop } def

The rest is just to have some valid ps file that would produce an output at all; I wasn't successful with a simpler ps file.

The example is attached; it's a postscript file renamed to .jpg (otherwise the image cache won't fetch it). Then fetching the file with
https://pocket-image-cache.com/direct?url=[url]&resize=w509-nc&f=t
will lead to a jpeg that includes content of /etc/passwd.

I strongly recommend that you disable postscript decoding in imagemagick via the policy.xml file as described here:
https://www.kb.cert.org/vuls/id/332928/

[1] https://www.openwall.com/lists/oss-security/2018/10/16/2

Impact

Attacker can read and write files on pocket-image-cache.com server and use that to gain remote code execution.
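The mitigation the report recommends is to stop ImageMagick from ever handing a file to Ghostscript, regardless of the extension the upstream URL carries. The policy below is an added example of that hardening (the coder restrictions from CERT VU#332928), not the fix Pocket deployed in pocket/serverless-image-cache #19, which is not shown here; it assumes the cache converts with an ImageMagick that reads the stock policy.xml, whose default of that period contained no coder restrictions.

```xml
<!-- Add these entries inside the existing <policymap> element of the
     ImageMagick policy.xml (keep the stock file's DOCTYPE header).
     rights="none" denies both reading and writing, so a PostScript body
     served as "image.jpg" is rejected at detection time instead of being
     delegated to gs, and no -dSAFER bypass is ever reached. -->
<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
```

`convert -list policy` prints the policy ImageMagick actually loaded, which is the quickest way to confirm the entries took effect on the host doing the conversion.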

Updated (Assignee, 5 months ago)
Flags: sec-bounty?

Comment 1 (Assignee, 5 months ago)

Confirmed through reporter's POC.

Assignee: nobody → bhourigan
Status: NEW → ASSIGNED

Comment 2 (Assignee, 5 months ago)

A fix for this has been deployed to production. Ref: pocket/serverless-image-cache #19

NOTE: Previously tested POC URLs may still return the same image because of backend caching. Our TTL is about 30 days. Use a new filename and/or image size for testing.

Comment 3 (Reporter, 5 months ago)

I can confirm that it looks fixed, I also retried with a new exploit that Tavis Ormandy just published [1]. (It allows trivial code execution even on the latest GS version.)

[1] https://www.openwall.com/lists/oss-security/2019/01/23/5

Updated (Assignee, 5 months ago)
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty+

Comment 4 (Reporter, 5 months ago)

Given this is fixed now can we make the bug report public?

Updated (Assignee, 5 months ago)
Group: pocket-security-sensitive

Comment 5 (Assignee, 5 months ago)

This bug is now public.

Updated (Assignee, 4 months ago)
Duplicate of this bug: 1513068