
PostScript Undead: Pwning the web with a 35 year old language Jens - PowerPoint PPT Presentation



  1. PostScript Undead: Pwning the web with a 35 year old language Jens Müller, Vladislav Mladenov, Dennis Felsch, Jörg Schwenk

  2. About @jensvoid
     • Passionate bounty hunter
     • Interests: IoT, web security
     • Likes mixing old tech and new tech
       – Printer hacking
       – EFAIL attacks

  3. Today: PostScript in the web
     • Remember ImageTragick? CVE-2016-3714

  4. Today: PostScript in the web
     • Similar attack surface
     • Impact: DoS, LFI, RCE
     • But much less known
     [Diagram: a PS file containing (/etc/passwd) (r) file is sent to a Web App, whose response contains root:x:0:0:root:/root:/bin/sh]

  5. Today: PostScript in the web
     • Similar attack surface
     • Impact: DoS, LFI, RCE
     • But much less known
     [Diagram: a PS file is sent to a Web App]

  6. Overview 1. Motivation 2. Attacking websites 3. Evaluation 4. Mitigations

  7. PostScript
     • Invented by Adobe (1982 – 1984)
     • Heavily used on laser printers

  8. PostScript
     • Invented by Adobe (1982 – 1984)
     • Turing complete language

  9. Hello World
     %!PS /Helvetica 100 selectfont 50 500 moveto (Hello World) show showpage
     Rendered output: Hello World

  10. Hello World
     %!PS /Helvetica 100 selectfont 50 500 moveto product show showpage
     Rendered output: GPL Ghostscript
     (product is the interpreter's own product string, so the rendered page names the back end that processed the file)

  11. Hello World
     %!PS /Helvetica 100 selectfont 50 500 moveto product show showpage
     Rendered output: hp LaserJet 4250

  12. Denial-of-Service (DoS)
     • CPU: {} loop
     • Memory: {65535 array} loop
     • Storage: null (w) .tempfile {dup 0 write} loop

  13. Information disclosure
     %!PS /Helvetica 100 selectfont 50 500 moveto pop show showpage

  14. Information disclosure
     %!PS /Helvetica 100 selectfont 50 500 moveto (USER) getenv pop show showpage
     Rendered output: jens

  15. File system access
     • Read, write, delete, list, stat
     • Depending on Ghostscript version, this is somewhat restricted if -dSAFER is used

  16. Shell command execution
     • RCE by design w/o -dSAFER

  17. Shell command execution
     • RCE by design w/o -dSAFER
     • Various -dSAFER bypasses

  18. Content masking: example.pdf

  19. Overview 1. Motivation 2. Attacking websites 3. Evaluation 4. Mitigations

  20. Attacking websites with PS/EPS/AI
     • Who processes PostScript on the web?
       – Conversion websites
       – Thumbnail preview
     • PDF is more common these days
       – Can we embed PostScript in PDF?
       – Yes we can (four methods)

  21. Attacking websites with images
     • What about 'image only' websites?
     • Vulnerable if ImageMagick is used
       – Has its own file format detection

  22. Chain of escalation: $img->resize()

  23. Chain of escalation: $img->resize() -> Imagick::resizeImage()

  24. Chain of escalation: $img->resize() -> Imagick::resizeImage() -> convert/libmagick++

  25. Chain of escalation: $img->resize() -> Imagick::resizeImage() -> convert/libmagick++ -> system('/usr/bin/gs')

  26. Chain of escalation: “Hey, I just wanted to resize an image...”

  27. Attacking websites
     • Additional file type checks required
     • How do web applications do it?
       – File extension
       – Content type
       – Convert file
       – File header
     [Diagram: a file whose first ≤ 1023 bytes contain GIF89a…, %PDF-1.2, %!PS and ?]
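A server-side check of the kind slide 27 calls for, as an added example that is not part of the slides or of any project named in them. It assumes an upload endpoint that only wants PNG, GIF or JPEG, treats the client-supplied extension and Content-Type as untrusted hints, and decides on the file header; the sample inputs are constructed here, and the function names are the example's own.

```python
# Added example, not from the slides: file type checks for an image upload
# endpoint before the file reaches ImageMagick/Ghostscript. The extension and
# Content-Type are chosen by the client, so the decision rests on the bytes.
from __future__ import annotations

# Allow-list of image headers the endpoint accepts (checked at offset 0).
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",            # GIF87a / GIF89a
    "jpeg": b"\xff\xd8\xff",
}
ALLOWED_EXTENSIONS = {"png", "gif", "jpg", "jpeg"}

# Markers of interpreter-backed formats: PostScript, PDF, and the DOS EPS
# binary header (C5 D0 D3 C6).
INTERPRETED_MARKERS = (b"%!PS", b"%PDF-", b"\xc5\xd0\xd3\xc6")


def sniff_image_type(data: bytes) -> str | None:
    """Return the allow-listed image type matching the header of `data`, or None."""
    for name, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def contains_interpreted_marker(data: bytes, window: int = 1024) -> bool:
    """True if a PostScript/PDF/EPS marker occurs anywhere in the first `window` bytes.

    The slide's diagram shows a file whose first 1023 bytes hold a GIF header
    followed by PDF/PostScript markers; refusing such markers even behind a
    valid image header keeps that file away from a converter that does its
    own format detection.
    """
    head = data[:window]
    return any(marker in head for marker in INTERPRETED_MARKERS)


def validate_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an upload may be handed to the image converter.

    Returns (accepted, reason). Extension and Content-Type only fail fast;
    the header decides, and a file that carries PostScript behind a valid
    image header is refused as well.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext or '(none)'} not allowed"
    if not content_type.lower().startswith("image/"):
        return False, f"content type {content_type!r} not allowed"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "header does not match an allowed image format"
    if contains_interpreted_marker(data):
        return False, f"{kind} header followed by a PostScript/PDF marker"
    return True, kind


# Constructed sample inputs (not real files): a PNG header, a PostScript file
# uploaded under a .png name, and a GIF header with PostScript behind it.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PS_AS_PNG = b"%!PS\n/Helvetica 100 selectfont 50 500 moveto (Hello World) show showpage\n"
SAMPLE_GIF_THEN_PS = b"GIF89a" + b"\x00" * 40 + b"%!PS\n"

if __name__ == "__main__":
    for name, ctype, blob in [
        ("photo.png", "image/png", SAMPLE_PNG),
        ("photo.png", "image/png", SAMPLE_PS_AS_PNG),
        ("anim.gif", "image/gif", SAMPLE_GIF_THEN_PS),
        ("doc.ps", "image/png", SAMPLE_PNG),
    ]:
        print(name, ctype, validate_upload(name, ctype, blob))
```

Hand the sniffed type to the converter explicitly (ImageMagick accepts a format prefix such as `png:` on the input filename) rather than letting it guess from the content, and keep this check as defence in depth next to the policy.xml change from the countermeasures slide: the header check decides what the application believes the file is, the policy decides what ImageMagick is allowed to do with it.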

  28. Putting it all together

  29. Overview 1. Motivation 2. Attacking websites 3. Evaluation 4. Mitigations

  30. Evaluation: Conversion websites

  31. Evaluation: High value websites
     Impact categories: RCE (no -dSAFER), LFI (+list), RCE (-dSAFER bypass)
     Affected: Microsoft, Telekom, Steam, GMX, Imgur, Box.com, Shutterstock, ZoHo, Basecamp, 99Designs, Evernote + 2 Bitcoin exchanges

  32. Overview 1. Motivation 2. Attacking websites 3. Evaluation 4. Mitigations

  33. Countermeasures
     • If not required, do not execute PostScript
       – Remove ImageMagick handlers (policy.xml)
       – PDF: Replace Ghostscript with Poppler
     • If required, use additional sandboxing
       – chroot, firejail, seccomp, …
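A way to verify the first countermeasure on slide 33 (removing the ImageMagick handlers in policy.xml), as an added example that is not part of the slides or of ImageMagick itself. It parses a policy.xml and reports which Ghostscript-backed coders can still be reached. The `<policymap>`/`<policy domain="coder" rights="..." pattern="..."/>` layout is ImageMagick's own; the sample policies are constructed here, and the rule evaluation is a simplified model (an assumption of this example): a coder keeps only the rights that every matching rule grants, and a coder that no rule matches keeps all rights.

```python
# Added example, not from the slides: audit an ImageMagick policy.xml for the
# coder rules that stop PostScript-family input from being handed to Ghostscript.
# The rule semantics below are a simplified model (assumption), not ImageMagick's
# code: every matching rule can only take rights away, and an unmatched coder
# keeps every right.
from __future__ import annotations

import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders that ImageMagick delegates to Ghostscript (PostScript family, PDF, XPS).
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")
ALL_RIGHTS = frozenset({"read", "write", "execute"})


def expand_braces(pattern: str) -> list[str]:
    """Expand {A,B,C} alternation in a policy pattern into plain glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    expanded: list[str] = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_braces(pattern[: m.start()] + alt.strip() + pattern[m.end():]))
    return expanded


def parse_rights(rights: str | None) -> frozenset[str]:
    """Turn a rights attribute such as "none" or "read|write" into a set."""
    if rights is None or rights.strip().lower() == "none":
        return frozenset()
    return frozenset(r.strip().lower() for r in rights.split("|") if r.strip())


def coder_rights(policy_xml: str) -> dict[str, frozenset[str]]:
    """Effective rights of each Ghostscript-backed coder under `policy_xml`."""
    root = ET.fromstring(policy_xml)
    effective = {coder: ALL_RIGHTS for coder in GHOSTSCRIPT_CODERS}
    for rule in root.iter("policy"):
        if rule.get("domain") != "coder":
            continue
        granted = parse_rights(rule.get("rights"))
        for glob in expand_braces(rule.get("pattern", "")):
            for coder in GHOSTSCRIPT_CODERS:
                # Pattern matching is treated as case-insensitive here.
                if fnmatch.fnmatchcase(coder.upper(), glob.upper()):
                    effective[coder] = effective[coder] & granted
    return effective


def unblocked_coders(policy_xml: str) -> list[str]:
    """Coders that still hold any right, i.e. paths by which input can reach Ghostscript."""
    return [coder for coder, rights in coder_rights(policy_xml).items() if rights]


# Constructed sample policies. The first carries only the ImageTragick-era rules
# and leaves every Ghostscript-backed coder enabled; the second adds the rule
# that disables them; the third disables "PS" alone and misses the rest.
WEAK_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

HARDENED_POLICY = WEAK_POLICY.replace(
    "</policymap>",
    '  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />\n</policymap>',
)

PARTIAL_POLICY = WEAK_POLICY.replace(
    "</policymap>", '  <policy domain="coder" rights="none" pattern="PS" />\n</policymap>'
)

if __name__ == "__main__":
    for label, policy in [("weak", WEAK_POLICY), ("partial", PARTIAL_POLICY), ("hardened", HARDENED_POLICY)]:
        left = unblocked_coders(policy)
        print(f"{label}: {'OK' if not left else 'still reachable: ' + ', '.join(left)}")
```

The partial policy is the case worth checking for: a rule for `PS` alone leaves `PS2`, `PS3`, `EPS`, `PDF` and `XPS` routed to the same Ghostscript binary. Run the audit against the policy.xml ImageMagick actually loads on the host (`convert -list policy` prints the effective rules), since distributions ship several copies.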

  34. Conclusion
     • PostScript must die!
     Ghostscript exploitation: http://bit.ly/gs-cheat-sheet
     Thank you! Questions?
