postscript undead
play

PostScript Undead: Pwning the web with a 35 year old language Jens - PowerPoint PPT Presentation

Sep 15, 2023 •478 likes •822 views

PostScript Undead: Pwning the web with a 35 year old language Jens Mller, Vladislav Mladenov, Dennis Felsch, Jrg Schwenk About @jensvoid Passionate bounty hunter Interests: IoT, web security Likes mixing old tech and new tech

  1. PostScript Undead: Pwning the web with a 35 year old language Jens Müller, Vladislav Mladenov, Dennis Felsch, Jörg Schwenk

  2. About @jensvoid • Passionate bounty hunter • Interests: IoT, web security • Likes mixing old tech and new tech – Printer hacking – EFAIL attacks 2

  3. Today: PostScript in the web • Remember ImageTragick? CVE-2016 – 3714 3

  4. Today: PostScript in the web • Similar attack surface • Impact: DoS, LFI, RCE • But much less known Web App (/etc/passwd) (r) file root:x:0:0:root:/root:/bin/sh PS 3

  5. Today: PostScript in the web • Similar attack surface • Impact: DoS, LFI, RCE • But much less known Web App PS 3

  6. Overview 1. Motivation 2. Attacking websites 3. Evaluation 4. Mitigations 4

  7. PostScript • Invented by Adobe (1982 – 1984) • Heavily used on laser printers 5

  8. PostScript • Invented by Adobe (1982 – 1984) • Turing complete language 5

  9. Hello World %!PS /Helvetica 100 selectfont Hello World 50 500 moveto (Hello World) show showpage 6

  10. Hello World %!PS /Helvetica 100 selectfont GPL Ghostscript 50 500 moveto product show showpage 6

  11. Hello World %!PS /Helvetica 100 selectfont hp LaserJet 4250 50 500 moveto product show showpage 6

  12. Denial-of-Service (DoS) {} loop • CPU: • Memory: {65535 array} loop • Storage: null (w) .tempfile {dup 0 write} loop 7

  13. Information disclosure %!PS /Helvetica 100 selectfont 50 500 moveto pop show showpage 8

  14. Information disclosure %!PS /Helvetica 100 selectfont jens 50 500 moveto (USER) getenv pop show showpage 8

  15. File system access • Read, write, delete, list, stat • Depending on Ghostscript version, this is somewhat restricted if -dSAFER is used 09

  16. Shell command execution • RCE by design w/o – dSAFER 10

  17. Shell command execution • RCE by design w/o – dSAFER • Various -dSAFER bypasses 10

  18. Content masking: example.pdf 11

  19. Overview 1. Motivation 2. Attacking websites 3. Evaluation 4. Mitigations 12

  20. Attacking websites with PS/EPS/AI • Who process PostScript on the web? – Conversion websites – Thumbnail preview • PDF is more common these days – Can we embed PostScript in PDF? – Yes we can (four methods) 13

  21. Attacking websites with images • What about `image only’ websites? • Vulnerable if ImageMagick used – Has its own file format detection 14

  22. Chain of escalation $img->resize() 15

  23. Chain of escalation $img->resize() Imagick::resizeImage() 15

  24. Chain of escalation $img->resize() Imagick::resizeImage() convert/libmagick++ 15

  25. Chain of escalation $img->resize() Imagick::resizeImage() convert/libmagick++ system('/usr/bin/gs') 15

  26. Chain of escalation “Hey, I just wanted to resize an image...” 15

  27. Attacking websites • Additional file type checks required • How do web applications do it? – File extension } ≤ 1023 bytes GIF89a… – Content type %PDF-1.2 – Convert file %!PS ? – File header 16

  28. Putting it all together 17

  29. Overview 1. Motivation 2. Attacking websites 3. Evaluation 4. Mitigations 18

  30. Evaluation: Conversion websites 19

  31. Evaluation: High value websites RCE (no -dSAFER ) LFI (+list) RCE ( -dSAFER bypass) Microsoft Telekom Steam GMX Imgur Box.com Shutterstock ZoHo Basecamp 99Designs Evernote + 2 Bitcoin Exchanges 20

  32. Overview 1. Motivation 2. Attacking websites 3. Evaluation 4. Mitigations 21

  33. Countermeasures • If not required, do not execute PostScript – Remove ImageMagick handlers (policy.xml) – PDF: Replace Ghostscript with Poppler • If required, use additional sandboxing – chroot, firejail, seccomp, … 22

  34. Conclusion • PostScript must die! Ghostscript exploitation: http://bit.ly/gs-cheat-sheet Thank you! Questions?

Recommend

A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain

A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain

REDRAIN & MIN(SPARK) ZHENG A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain min(spark) zheng Qihoo 360CERT CUHK PhD Alibaba Security Expert Low-level security researcher Pentester with interest in

818 views • 52 slides
Bullinger, Hort, Riplinger, and the Mystery of Romans 16 Introduction Today we want to

Bullinger, Hort, Riplinger, and the Mystery of Romans 16 Introduction Today we want to

Bullinger, Hort, Riplinger, and the Mystery of Romans 16 Introduction Today we want to consider EWBs Postscript Theory from the following angles: What is the Postscript Theory? How does Bullinger seek to justify the theory?

361 views • 8 slides
computers to personal computers Xerox does it all 1973: Xerox Alto GUI wysiwyg mouse ethernet

computers to personal computers Xerox does it all 1973: Xerox Alto GUI wysiwyg mouse ethernet

computers to personal computers Xerox does it all 1973: Xerox Alto GUI wysiwyg mouse ethernet laserprinter smalltalk, impress, postscript 1979 : Steve Jobs tours PARC 1981: Xerox Star breaking down the computer HofI PC - 3 through thick

362 views • 24 slides
Poor Mans Panopticon Mass CCTV Surveillance for the masses Andrei Costin @costinandrei

Poor Mans Panopticon Mass CCTV Surveillance for the masses Andrei Costin @costinandrei

Poor Mans Panopticon Mass CCTV Surveillance for the masses Andrei Costin @costinandrei FIRMWARE.RE andrei# whoami SW/HW/Emb security researcher, PhD student Mifare Classic Hacking MFPs + MFCUK PostScript Avionics + ADS-B 1 DISCLAIMER

455 views • 34 slides
Book This Old Renovating Print Assets For Digital Publishing Mike Rankin The Topic

Book This Old Renovating Print Assets For Digital Publishing Mike Rankin The Topic

Slide Title Book This Old Renovating Print Assets For Digital Publishing Mike Rankin The Topic InDesign-centered workfmow to re-purpose legacy print content for digital publishing The Problems Page Layout is rooted in PostScript

855 views • 33 slides
Inside PDF Lecture @21C3 The Portable Document Format A Short Introduction Maik Musall

Inside PDF Lecture @21C3 The Portable Document Format A Short Introduction Maik Musall

Inside PDF Lecture @21C3 The Portable Document Format A Short Introduction Maik Musall <maik@musall.de> CCC Erlangen Overview History of PDF and it's relation to PostScript Licenses and legal issues File format syntax and

584 views • 17 slides
Images CS418 Computer Graphics John C. Hart Vector v. Raster Graphics Vector Graphics Raster

Images CS418 Computer Graphics John C. Hart Vector v. Raster Graphics Vector Graphics Raster

Images CS418 Computer Graphics John C. Hart Vector v. Raster Graphics Vector Graphics Raster Graphics Plotters, laser displays TVs, monitors, phones Clip art, illustrations Photographs PostScript, PDF, SVG

874 views • 8 slides

More recommend