Data exfiltration and code execution on pocket-image-cache.com via Ghostscript
Categories: Pocket :: getpocket.com, defect
Tracking: Not tracked
People: Reporter: hanno, Assigned: digi
Keywords: reporter-external, sec-high, wsec-deplib
Attachments: 1 file (8.10 KB, application/zip)
I reported this bug via Hackerone (report id #459637), but I was asked to report it here again:
The pocket-image-cache.com seems to fetch images from upstream servers and converts them via imagemagick to jpeg.
imagemagick autodetects the file format and will pass the file to ghostscript if it is detected as a postscript file. Ghostscript is well known for having plenty of security bypasses for its "sandbox" (-DSAFER).
By using one of the security bypasses by Tavis Ormandy (see [1]) I was able to print out a file from the system into the outputted image. This can obviously be used to exfiltrate data from the server, but also to write files and escalate to code execution.
The relevant parts in the attached file are the lines starting at
/.forceput { <<>> <<>> 4 index (ignored) 5 index 5 index .policyprocs 1 get exec pop pop pop pop pop pop pop } def
The rest is just to have some valid ps file that would produce an output at all; I wasn't successful with a simpler ps file.
The example is attached; it's a postscript file renamed to .jpg (otherwise the image cache won't fetch it). Then fetching the file with
https://pocket-image-cache.com/direct?url=[url]&resize=w509-nc&f=t
will lead to a jpeg that includes the contents of /etc/passwd.
I strongly recommend that you disable postscript decoding in imagemagick via the policy.xml file as described here:
https://www.kb.cert.org/vuls/id/332928/
[1] https://www.openwall.com/lists/oss-security/2018/10/16/2
Impact
Attacker can read and write files on pocket-image-cache.com server and use that to gain remote code execution.
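The mitigation the report points to (disabling the PostScript-family coders in ImageMagick's policy.xml, as in the CERT note linked above), written out as an added example; this is not the reporter's attachment nor Pocket's deployed fix. The coder patterns follow the CERT advisory; the `gs` delegate line is an extra hardening assumption for ImageMagick builds that support the `delegate` policy domain.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Typical location (varies by distribution, e.g. /etc/ImageMagick-6/policy.xml).
     Each "coder" entry with rights="none" stops ImageMagick from reading or writing
     that format, so an upstream file sniffed as PostScript is rejected instead of
     being handed to Ghostscript and its -dSAFER sandbox. -->
<policymap>
  <!-- PostScript variants: the path exercised by the report -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <!-- Also rendered through Ghostscript, so denied as well -->
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
  <!-- Assumption: belt-and-braces denial of the Ghostscript delegate itself,
       for ImageMagick versions that honour the delegate domain -->
  <policy domain="delegate" rights="none" pattern="gs" />
</policymap>
```

After installing the file, `identify -list policy` shows the active policy, and converting a PostScript sample should fail with a "not authorized" error rather than producing an image.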
Comment 1•6 years ago
Confirmed through reporter's POC.
Comment 2•6 years ago
A fix for this has been deployed to production. Ref: pocket/serverless-image-cache #19
NOTE: Previously tested POC URLs may still return the same image because of backend caching. Our TTL is about 30 days. Use a new filename and/or image size for testing.
Comment 3•6 years ago
I can confirm that it looks fixed; I also retried with a new exploit that Tavis Ormandy just published [1]. (It allows trivial code execution even on the latest GS version.)
[1] https://www.openwall.com/lists/oss-security/2019/01/23/5
Comment 4•6 years ago
Given this is fixed now can we make the bug report public?
Comment 5•6 years ago
This bug is now public.
Comment 7•6 years ago
Hey, Hanno? I just noticed that you didn't get credited for this on our hall of fame. How would you like to be credited, and where would you like us to link? Thanks!