Data exfiltration and code execution on pocket-image-cache.com via Ghostscript

Status: RESOLVED FIXED
Reported: 24 days ago
Last modified: 16 days ago

People

(Reporter: hanno, Assigned: digi)

Tracking

Platform: x86_64 Linux
Bug Flags: sec-bounty+

Attachments

(1 attachment)

(Reporter)

Description

24 days ago

Created attachment 9038482
postscript exploit

I reported this bug via HackerOne (report id #459637), but I was asked to report it here again:

pocket-image-cache.com seems to fetch images from upstream servers and convert them to JPEG via ImageMagick.

ImageMagick autodetects the file format and will pass the file to Ghostscript if it is detected as a PostScript file. Ghostscript is well known for having plenty of security bypasses for its "sandbox" (-dSAFER).
By using one of the security bypasses by Tavis Ormandy (see [1]) I was able to print out a file from the system into the output image. This can obviously be used to exfiltrate data from the server, but also to write files and escalate to code execution.

The relevant parts in the attached file are the lines starting at
/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec pop pop pop pop pop pop pop } def

The rest is just there to have a valid PS file that produces any output at all; I wasn't successful with a simpler PS file.

The example is attached; it's a PostScript file renamed to .jpg (otherwise the image cache won't fetch it). Fetching the file with
https://pocket-image-cache.com/direct?url=[url]&resize=w509-nc&f=t
will produce a JPEG that includes the content of /etc/passwd.

I strongly recommend that you disable PostScript decoding in ImageMagick via the policy.xml file, as described here:
https://www.kb.cert.org/vuls/id/332928/

[1] https://www.openwall.com/lists/oss-security/2018/10/16/2

Impact

An attacker can read and write files on the pocket-image-cache.com server and use that to gain remote code execution.
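
Added example (not code from the report, from Pocket, or from pocket-image-cache.com): the two defensive checks a practitioner would want after reading the description above. First, a content sniffer that decides the format from the leading bytes only, so a PostScript file renamed to .jpg is rejected before ImageMagick can autodetect it and delegate to Ghostscript; the decision is an allow-list of raster formats rather than a deny-list of PostScript signatures, because ImageMagick's own magic table is broader than the handful of signatures listed here. Second, a verifier for the policy.xml hardening recommended in the CERT note, which checks that the coders that delegate to Ghostscript (PS, PS2, PS3, EPS, PDF, XPS) are all denied. The magic-byte table, the sample file headers and both policy snippets are constructed for this example; the policy format assumed is ImageMagick's `<policy domain="coder" rights="none" pattern="..."/>`, including the brace form `pattern="{PS,PS2,...}"`.

```python
"""Added example: defensive checks for an image proxy that feeds fetched files to ImageMagick.

Constructed for this write-up; not code from the bug report or from
pocket-image-cache.com. Assumes ImageMagick's policy.xml format with
<policy domain="coder" rights="none" pattern="..."/> entries.
"""
import xml.etree.ElementTree as ET
from typing import Optional, Set, Tuple

# Raster formats the cache is allowed to hand to ImageMagick (allow-list).
ALLOWED = {"JPEG", "PNG", "GIF", "WEBP"}

RASTER_MAGIC = {
    "JPEG": (b"\xff\xd8\xff",),
    "PNG": (b"\x89PNG\r\n\x1a\n",),
    "GIF": (b"GIF87a", b"GIF89a"),
}

# Signatures that make ImageMagick delegate to Ghostscript, whatever the extension says.
GHOSTSCRIPT_MAGIC = {
    "PS": (b"%!", b"\x04%!"),        # PostScript/EPS text, optionally preceded by ^D
    "EPS": (b"\xc5\xd0\xd3\xc6",),   # DOS EPS binary header
    "PDF": (b"%PDF-",),              # PDF is rendered by Ghostscript as well
}

# Coders CERT VU#332928 recommends denying so that no input reaches Ghostscript.
REQUIRED_DENIED = {"PS", "PS2", "PS3", "EPS", "PDF", "XPS"}


def sniff_format(data: bytes) -> Optional[str]:
    """Identify the format from the leading bytes only; None if unknown."""
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "WEBP"
    for table in (RASTER_MAGIC, GHOSTSCRIPT_MAGIC):
        for name, magics in table.items():
            if any(data.startswith(m) for m in magics):
                return name
    return None


def classify(data: bytes, claimed_name: str) -> Tuple[bool, str]:
    """Decide whether data may be passed to ImageMagick; the file name is only used in the message."""
    fmt = sniff_format(data)
    if fmt in ALLOWED:
        return True, f"accepted as {fmt}"
    if fmt in GHOSTSCRIPT_MAGIC:
        return False, f"rejected {claimed_name}: content is {fmt}, which ImageMagick would hand to Ghostscript"
    return False, f"rejected {claimed_name}: unrecognised format"


def _expand_pattern(pattern: str) -> Set[str]:
    """Expand ImageMagick's brace form, e.g. "{PS,PS2,PS3}" -> {"PS", "PS2", "PS3"}."""
    p = pattern.strip()
    if p.startswith("{") and p.endswith("}"):
        return {x.strip().upper() for x in p[1:-1].split(",")}
    return {p.upper()}


def missing_ghostscript_denials(policy_xml: str) -> Set[str]:
    """Return the Ghostscript-delegating coders that policy_xml does NOT deny (empty set == hardened)."""
    root = ET.fromstring(policy_xml)
    denied: Set[str] = set()
    for policy in root.iter("policy"):
        if policy.get("domain") == "coder" and policy.get("rights", "").strip().lower() == "none":
            denied |= _expand_pattern(policy.get("pattern", ""))
    return REQUIRED_DENIED - denied


# --- constructed sample inputs ----------------------------------------------
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8   # minimal JPEG/JFIF header
SAMPLE_PS = b"%!PS-Adobe-3.0\n%% a PostScript file that was renamed to .jpg\n"

WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>"""

if __name__ == "__main__":
    for name, blob in (("photo.jpg", SAMPLE_JPEG), ("exploit.jpg", SAMPLE_PS)):
        print(name, classify(blob, name))
    for label, xml in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "policy still allows:", sorted(missing_ghostscript_denials(xml)) or "nothing")
```

Both checks belong together: the sniffer stops the renamed-PostScript trick at the edge, and the policy check makes sure that even a file which slips past it (or arrives by another path) cannot reach the Ghostscript-backed coders.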

(Assignee)

Updated

24 days ago
Flags: sec-bounty?
(Assignee)

Comment 1

24 days ago

Confirmed through reporter's POC.

Assignee: nobody → bhourigan
Status: NEW → ASSIGNED
(Assignee)

Comment 2

23 days ago

A fix for this has been deployed to production. Ref: pocket/serverless-image-cache #19

NOTE: Previously tested POC URLs may still return the same image because of backend caching. Our TTL is about 30 days. Use a new filename and/or image size for testing.

(Reporter)

Comment 3

22 days ago

I can confirm that it looks fixed; I also retried with a new exploit that Tavis Ormandy just published [1]. (It allows trivial code execution even on the latest GS version.)

[1] https://www.openwall.com/lists/oss-security/2019/01/23/5

(Assignee)

Updated

19 days ago
Status: ASSIGNED → RESOLVED
Last Resolved: 19 days ago
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty+
(Reporter)

Comment 4

16 days ago

Given this is fixed now can we make the bug report public?

(Assignee)

Updated

16 days ago
Group: pocket-security-sensitive
(Assignee)

Comment 5

16 days ago

This bug is now public.
