PostScript Undead: Pwning the web with a 35 year old language
Jens Müller, Vladislav Mladenov, Dennis Felsch, Jörg Schwenk

About @jensvoid
• Passionate bounty hunter
• Interests: IoT, web security
• Likes mixing old tech and new tech
  – Printer hacking
  – EFAIL attacks

Today: PostScript in the web
• Remember ImageTragick? CVE-2016-3714
• Similar attack surface
• Impact: DoS, LFI, RCE
• But much less known
(Diagram: a PS file is uploaded to the web app; the PostScript `(/etc/passwd) (r) file` reads the file and the app returns root:x:0:0:root:/root:/bin/sh)

Overview
1. Motivation
2. Attacking websites
3. Evaluation
4. Mitigations

PostScript
• Invented by Adobe (1982 – 1984)
• Heavily used on laser printers
• Turing complete language

Hello World
  %!PS
  /Helvetica 100 selectfont
  50 500 moveto
  (Hello World) show
  showpage
Output: Hello World

The same program with the literal string replaced by the interpreter's product name:
  %!PS
  /Helvetica 100 selectfont
  50 500 moveto
  product show
  showpage
Output on Ghostscript: GPL Ghostscript
Output on an HP printer: hp LaserJet 4250

Denial-of-Service (DoS)
• CPU:     {} loop
• Memory:  {65535 array} loop
• Storage: null (w) .tempfile {dup 0 write} loop

Information disclosure
  %!PS
  /Helvetica 100 selectfont
  50 500 moveto
  (USER) getenv pop show
  showpage
Output: jens (the value of the USER environment variable; getenv leaves the string and a boolean on the stack, and pop discards the boolean)

File system access
• Read, write, delete, list, stat
• Depending on the Ghostscript version, this is somewhat restricted if -dSAFER is used

Shell command execution
• RCE by design without -dSAFER
• Various -dSAFER bypasses

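The DoS, file-system and shell slides all come down to one thing: Ghostscript running on attacker-controlled input. The following Python wrapper is an added example and not part of the talk; it shows how a converter would run Ghostscript with -dSAFER, with operating-system limits matched to the three DoS payload classes (CPU, memory, storage), and with an empty environment so `getenv` has nothing to reveal. The function names, the limit values and the choice of the png16m output device are my assumptions; `gs` and the flags passed to it are real Ghostscript options. Since the talk lists -dSAFER bypasses, treat this as defence in depth, not as a substitute for not executing PostScript at all.

```python
"""Resource-limited Ghostscript conversion of untrusted input (added example)."""
import resource
import subprocess
from pathlib import Path

# Constructed limits for the example; tune to the expected document sizes.
CPU_SECONDS = 10              # {} loop burns CPU: SIGXCPU after 10 s
MEMORY_BYTES = 512 * 2**20    # {65535 array} loop: allocation fails past 512 MiB
FILE_BYTES = 50 * 2**20       # .tempfile write loop: SIGXFSZ past 50 MiB per file
WALL_SECONDS = 15             # parent-side timeout in case the child blocks


def build_gs_command(src, dst, dpi: int = 72) -> list[str]:
    """argv for rasterising one input file to PNG with Ghostscript.

    All flags are real Ghostscript options:
      -dSAFER             restrict file operators (known bypasses; see above)
      -dBATCH -dNOPAUSE   exit after the last page instead of prompting
      -dQUIET             no banner on stdout
      -sDEVICE=png16m     raster output only; nothing is written as PostScript
    File names go in as separate argv entries; no shell is involved.
    """
    return [
        "gs",
        "-dSAFER", "-dBATCH", "-dNOPAUSE", "-dQUIET",
        f"-r{int(dpi)}",
        "-sDEVICE=png16m",
        f"-sOutputFile={dst}",
        "-f", str(src),
    ]


def _apply_limits() -> None:
    """Runs in the child before exec: hard caps for CPU, memory and file size."""
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_AS, (MEMORY_BYTES, MEMORY_BYTES))
    resource.setrlimit(resource.RLIMIT_FSIZE, (FILE_BYTES, FILE_BYTES))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))   # no core dumps of the input


def convert_untrusted(src, dst) -> bool:
    """Convert src to dst; False if Ghostscript failed, timed out or hit a limit."""
    try:
        proc = subprocess.run(
            build_gs_command(src, dst),
            stdin=subprocess.DEVNULL,
            capture_output=True,
            timeout=WALL_SECONDS,
            preexec_fn=_apply_limits,
            env={"PATH": "/usr/bin:/bin"},   # nothing for (USER) getenv to reveal
        )
    except subprocess.TimeoutExpired:
        return False
    return proc.returncode == 0 and Path(dst).exists()


if __name__ == "__main__":
    import sys
    print("converted" if convert_untrusted(sys.argv[1], sys.argv[2]) else "rejected")
```

RLIMIT_FSIZE caps a single file, so pair it with a dedicated, quota-limited temporary directory if the converter may create several; the wall-clock timeout catches a child that blocks without consuming CPU.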
Content masking: example.pdf

Part 2: Attacking websites

Attacking websites with PS/EPS/AI
• Who processes PostScript on the web?
  – Conversion websites
  – Thumbnail preview
• PDF is more common these days
  – Can we embed PostScript in PDF?
  – Yes we can (four methods)

Attacking websites with images
• What about 'image only' websites?
• Vulnerable if ImageMagick is used
  – Has its own file format detection

Chain of escalation
"Hey, I just wanted to resize an image..."
$img->resize() → Imagick::resizeImage() → convert/libmagick++ → system('/usr/bin/gs')

Attacking websites
• Additional file type checks required
• How do web applications do it?
  – File extension
  – Content type
  – Convert file
  – File header
(Diagram: file headers GIF89a…, %PDF-1.2, %!PS; "≤ 1023 bytes"; "?")

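As an added example that is not part of the talk, here is a server-side gate that applies the slide's lesson: the file extension and the client-supplied Content-Type say nothing about what ImageMagick or Ghostscript will see, so the decision has to be made on the bytes. The function names, the accepted raster signatures, the marker list and the 1024-byte scan window are my assumptions, chosen to match the GIF89a…, %PDF-1.2, %!PS and "≤ 1023 bytes" hints on the slide; the sample uploads are constructed.

```python
"""Content-based upload gate for an image pipeline (added example)."""
from __future__ import annotations

# Raster formats the pipeline is willing to accept, by leading signature
# (constructed list; extend for the formats your site actually needs).
RASTER_MAGIC = {
    "gif":  (b"GIF87a", b"GIF89a"),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Markers that mean an interpreter (Ghostscript) would be invoked:
# PostScript, PDF, and the DOS EPS binary header.
INTERPRETER_MARKERS = (b"%!PS", b"%PDF-", b"\xc5\xd0\xd3\xc6")

# Assumption for this example: how far into the file we look for a marker
# hiding behind a harmless-looking raster header.
HEADER_WINDOW = 1024


def sniff_raster(data: bytes) -> str | None:
    """Return the raster type the first bytes claim, or None if unknown."""
    for name, signatures in RASTER_MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return name
    return None


def has_interpreter_marker(data: bytes) -> bool:
    """True if a PostScript/PDF/EPS marker appears within HEADER_WINDOW bytes."""
    head = data[:HEADER_WINDOW]
    return any(marker in head for marker in INTERPRETER_MARKERS)


def accept_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Decide on the bytes alone; filename and Content-Type are only logged.

    Returns (accepted, reason). Both the extension and the client-supplied
    Content-Type are attacker-controlled, so they never influence the verdict.
    """
    kind = sniff_raster(data)
    if kind is None:
        return False, f"no accepted raster signature (name={filename!r}, type={content_type!r})"
    if has_interpreter_marker(data):
        return False, f"{kind} header but interpreter marker within {HEADER_WINDOW} bytes"
    return True, kind


# Constructed sample uploads: name and Content-Type all claim GIF or JPEG.
SAMPLES = {
    "real gif":   ("cat.gif", "image/gif",  b"GIF89a" + b"\x00" * 64),
    "ps as gif":  ("cat.gif", "image/gif",  b"%!PS-Adobe-3.0\n"),
    "polyglot":   ("cat.gif", "image/gif",  b"GIF89a" + b"\x00" * 40 + b"%!PS\n"),
    "pdf as jpg": ("cat.jpg", "image/jpeg", b"%PDF-1.2\n"),
}


def run_samples() -> dict[str, bool]:
    """Verdict for each constructed sample."""
    return {name: accept_upload(*upload)[0] for name, upload in SAMPLES.items()}
```

This is a gate in front of the converter, not the fix: compressed image data can contain these byte runs by chance (a false positive), and a marker past the window is not seen. The durable measure is the one the countermeasures slide gives, removing the PS/PDF handlers in ImageMagick's policy.xml, so that no check on the bytes decides whether an interpreter runs.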
Putting it all together

Part 3: Evaluation

Evaluation: Conversion websites

Evaluation: High value websites
Impact classes (table columns): RCE (no -dSAFER), LFI (+list), RCE (-dSAFER bypass)
Affected: Microsoft, Telekom, Steam, GMX, Imgur, Box.com, Shutterstock, ZoHo, Basecamp, 99Designs, Evernote, plus 2 Bitcoin exchanges

Part 4: Mitigations

Countermeasures
• If not required, do not execute PostScript
  – Remove ImageMagick handlers (policy.xml)
  – PDF: Replace Ghostscript with Poppler
• If required, use additional sandboxing
  – chroot, firejail, seccomp, …

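The first countermeasure, removing the ImageMagick handlers in policy.xml, is easy to get partly wrong (a coder left out, or downgraded to "read" instead of "none"). The following Python audit is an added example, not code from the talk or from ImageMagick: it parses a policy.xml, reports which Ghostscript-backed coders are still allowed, and emits a policymap that denies all of them. The coder names are ImageMagick's own (PS, PS2, PS3, EPS, PDF, XPS); the function names, the brace-expansion helper and the sample policy are my assumptions and constructed for the example.

```python
"""Audit an ImageMagick policy.xml for interpreter-backed coders (added example)."""
import re
import xml.etree.ElementTree as ET

# Coders whose input is handed to Ghostscript (PS/EPS/PDF family) or a
# similar external interpreter; these are the handlers the slide says to remove.
INTERPRETER_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed policy: PS and EPS denied, PDF only downgraded to "read",
# PS2/PS3/XPS not mentioned at all (unmentioned coders stay enabled).
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="read" pattern="PDF" />
</policymap>
"""


def _expand(pattern: str) -> list[str]:
    """Expand ImageMagick's brace syntax: "{PS,EPS}" -> ["PS", "EPS"]."""
    m = re.fullmatch(r"\{([^}]*)\}", pattern.strip())
    names = m.group(1).split(",") if m else [pattern.strip()]
    return [n.strip().upper() for n in names if n.strip()]


def coder_rights(policy_xml: str) -> dict[str, str]:
    """Map each coder named in a domain="coder" entry to its rights string.

    A later entry for the same coder overrides an earlier one; a "*" pattern
    is applied to every coder in INTERPRETER_CODERS.
    """
    rights: dict[str, str] = {}
    for p in ET.fromstring(policy_xml.encode("utf-8")).iter("policy"):
        pattern = p.get("pattern")
        if p.get("domain") != "coder" or not pattern:
            continue
        targets = INTERPRETER_CODERS if pattern.strip() == "*" else _expand(pattern)
        for name in targets:
            rights[name] = p.get("rights", "").strip().lower()
    return rights


def still_allowed(policy_xml: str) -> list[str]:
    """Interpreter-backed coders that the policy does not set to rights="none"."""
    rights = coder_rights(policy_xml)
    return [c for c in INTERPRETER_CODERS if rights.get(c) != "none"]


def hardened_policy() -> str:
    """A policymap fragment that denies every coder in INTERPRETER_CODERS."""
    lines = ['<?xml version="1.0" encoding="UTF-8"?>', "<policymap>"]
    lines += [f'  <policy domain="coder" rights="none" pattern="{c}" />' for c in INTERPRETER_CODERS]
    lines.append("</policymap>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("still allowed by sample policy:", still_allowed(SAMPLE_POLICY))
    print(hardened_policy())
```

Run it against every policy.xml in ImageMagick's configuration path on the host (the exact location depends on the packaging), and merge the generated entries into the existing file rather than replacing it, since the file usually also carries resource limits. For PDF thumbnails the slide's second option, Poppler instead of Ghostscript, avoids the PostScript interpreter entirely.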
Conclusion
• PostScript must die!
Ghostscript exploitation: http://bit.ly/gs-cheat-sheet
Thank you! Questions?