Closed Bug 1522079 Opened 1 year ago Closed 1 year ago

Data exfiltration and code execution on via Ghostscript


(Pocket ::, defect)

(Reporter: hanno, Assigned: digi)




(1 file)

Attached file postscript exploit

I reported this bug via Hackerone (report id #459637), but I was asked to report it here again:

The seems to fetch images from upstream servers and converts them via imagemagick to jpeg.

imagemagick autodetects the file format and will pass the file to ghostscript if it is detected as a postscript file. Ghostscript is well known for having plenty of security bypasses for its "sandbox" (-DSAFER).
By using one of the security bypasses by Tavis Ormandy (see [1]) I was able to print out a file from the system into the outputted image. This can obviously be used to exfiltrate data from the server, but also to write files and escalate to code execution.

The relevant parts in the attached file are the lines starting at
/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec pop pop pop pop pop pop pop } def

The rest is just to have some valid ps file that would produce an output at all; I wasn't successful with a simpler ps file.

The example is attached, it's a postscript file renamed to .jpg (otherwise the image cache won't fetch it). Then fetching the file with[url]&resize=w509-nc&f=t
will lead to a jpeg that includes content of /etc/passwd.

I strongly recommend that you disable postscript decoding in imagemagick via the policy.xml file as described here:



Attacker can read and write files on server and use that to gain remote code execution.
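An added defence-in-depth check (example code, not Pocket's or the image cache's own) that decides from the fetched bytes' leading signature, never from the URL's extension, whether they may go to the converter, so a PostScript file renamed to .jpg as in the PoC above is refused before ImageMagick can autodetect it; the magic values are standard file signatures and the sample blobs are constructed. It complements, and does not replace, disabling the PostScript coder in policy.xml as recommended above.

```python
from __future__ import annotations

# Added example, not the image cache's own code. ImageMagick autodetects
# the format from content, so the check below ignores the file extension.

# Standard file signatures: raster formats the cache should convert, and
# formats ImageMagick routes through Ghostscript.
RASTER_MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
GHOSTSCRIPT_MAGIC = {
    "postscript": b"%!PS",
    "pdf": b"%PDF",
    "eps-binary": b"\xc5\xd0\xd3\xc6",  # DOS EPS binary header
}


def sniff_format(data: bytes) -> str | None:
    """Name the format implied by the leading bytes, or None if unknown."""
    head = data[:16]
    for name, magic in {**GHOSTSCRIPT_MAGIC, **RASTER_MAGIC}.items():
        if head.startswith(magic):
            return name
    return None


def is_safe_to_convert(data: bytes) -> tuple[bool, str]:
    """Allowlist known raster formats; refuse anything Ghostscript-bound
    or unrecognised, so an unexpected coder is never reached."""
    fmt = sniff_format(data)
    if fmt in GHOSTSCRIPT_MAGIC:
        return False, f"rejected: {fmt} content would be handed to Ghostscript"
    if fmt in RASTER_MAGIC:
        return True, f"accepted: {fmt}"
    return False, "rejected: unrecognised format"


# Constructed samples (not real uploads); "renamed.jpg" is a PostScript
# header served under a .jpg name, like the PoC.
SAMPLES = {
    "real.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "renamed.jpg": b"%!PS-Adobe-3.0\n",
    "doc.jpg": b"%PDF-1.4\n",
    "mystery.jpg": b"not an image at all",
}


def audit(samples: dict[str, bytes] = SAMPLES) -> dict[str, bool]:
    """Run the check over every sample; returns name -> accepted."""
    return {name: is_safe_to_convert(blob)[0] for name, blob in samples.items()}
```

Only the JPEG sample is accepted; the renamed PostScript file, the PDF and the unrecognised blob are all refused before any conversion runs.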

Flags: sec-bounty?

Confirmed through reporter's POC.

Assignee: nobody → bhourigan

A fix for this has been deployed to production. Ref: pocket/serverless-image-cache #19

NOTE: Previously tested POC URLs may still return the same image because of backend caching. Our TTL is about 30 days. Use a new filename and/or image size for testing.

I can confirm that it looks fixed, I also retried with a new exploit that Tavis Ormandy just published [1]. (It allows trivial code execution even on the latest GS version.)


Closed: 1 year ago
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty+

Given this is fixed now can we make the bug report public?

Group: pocket-security-sensitive

This bug is now public.

Duplicate of this bug: 1513068

Hey, Hanno? I just noticed that you didn't get credited for this on our hall of fame. How would you like to be credited, and where would you like us to link? Thanks!