Security researcher @ducnt_ published proof-of-concept (PoC) code that exploits a known, unpatched vulnerability in Ghostscript, first reported by @emil_lerner, on servers that use the open source image-processing toolkit ImageMagick. Ghostscript is a PDF-processing library maintained by Artifex and is commonly used behind server-side file-upload services; ImageMagick is a widely used open source server-side image-processing tool that calls this library to handle PDF uploads. Artifex has not yet commented on the release of this PoC; Emil Lerner had previously disclosed the vulnerability last year in line with responsible disclosure practices and presented it publicly last month at a security conference. The PoC allows full server compromise, including full administrative access and arbitrary remote code execution (RCE).
Analyst Notes
Artifex and ImageMagick have not yet commented on this vulnerability, and no advisory or patch has been published. The exploit works by uploading a crafted Scalable Vector Graphics (SVG) file containing malicious code that breaks out of ImageMagick's image processing. Detection efforts can center on identifying these crafted files, using the published PoC as a starting point. There are no known reports of this vulnerability being exploited in the wild, although that could change quickly. Zero-day exploits and accompanying PoC code for both open source and closed source software are reported regularly and remain a threat until patches are issued and applied; a robust threat-hunting approach and an MDR solution, such as Binary Defense's offering, are a necessary component of a modern defense-in-depth strategy adapted to today's threat environment.
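As an added illustration of the detection angle above (this is example code written for this note, not the published PoC and not part of Binary Defense's or ImageMagick's tooling), the triage helper below inspects an uploaded SVG before any renderer touches it and flags the one property the exploit chain depends on: content that ImageMagick would hand to its Ghostscript delegate. It looks for `<image>` elements whose `href` points at PostScript or PDF material, whether as a file reference, an explicit ImageMagick coder prefix, or an inline `data:` URI, and for raw PostScript text in the body. The extension list, coder prefixes and sample SVG uploads are assumptions chosen for the example; the samples are constructed and are not drawn from any real attack.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sample uploads (not taken from the PoC): a benign SVG with an
# inline PNG, an SVG whose <image> points at an EPS file, and an SVG that
# carries a PostScript document inline as a base64 data: URI.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <rect width="10" height="10" fill="#abc"/>
  <image width="4" height="4" xlink:href="data:image/png;base64,iVBORw0KGgo="/>
</svg>"""

EXTERNAL_PS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image width="100" height="100" xlink:href="logo.eps"/>
</svg>"""

# The data: payload decodes to the text "%!PS-Adobe-3.0\n" (a bare PostScript header, nothing more).
INLINE_PS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <image width="100" height="100" href="data:application/postscript;base64,JSFQUy1BZG9iZS0zLjAK"/>
</svg>"""

SVG_IMAGE_TAG = "image"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Assumed list of file extensions and MIME types that ImageMagick routes to
# its Ghostscript delegate; extend it to match the coders enabled on your build.
GS_EXTENSIONS = (".ps", ".eps", ".epi", ".epsf", ".ept", ".pdf")
GS_MIME_TYPES = ("application/postscript", "application/pdf")
# Explicit ImageMagick "format:filename" prefixes that select those coders.
GS_CODER_PREFIXES = ("ps:", "eps:", "pdf:")
PS_OR_PDF_HEADER = re.compile(rb"^(%!PS|%PDF)")


def _decode_data_uri(href: str):
    """Return (mime, payload_bytes) for a data: URI; payload is None if it cannot be decoded."""
    header, _, payload = href[5:].partition(",")
    mime = header.split(";")[0].strip().lower()
    if ";base64" in header.lower():
        try:
            return mime, base64.b64decode(payload, validate=False)
        except (binascii.Error, ValueError):
            return mime, None
    return mime, payload.encode("utf-8", "replace")


def triage_svg(data: bytes) -> list[str]:
    """Return findings for one uploaded SVG; an empty list means nothing Ghostscript-bound was seen."""
    findings = []
    # Raw PostScript text anywhere in the upload is worth a look on its own.
    if re.search(rb"%!PS", data):
        findings.append("postscript-text-in-body")
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # Not well-formed XML: hold it for review rather than letting a lenient renderer guess.
        return findings + ["unparseable-svg"]
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1].lower() != SVG_IMAGE_TAG:
            continue
        href = (el.get(XLINK_HREF) or el.get("href") or "").strip()
        low = href.lower()
        if low.startswith("data:"):
            mime, payload = _decode_data_uri(href)
            if mime in GS_MIME_TYPES:
                findings.append(f"data-uri-mime:{mime}")
            if payload is not None and PS_OR_PDF_HEADER.match(payload):
                findings.append("data-uri-postscript-header")
        elif low.startswith(GS_CODER_PREFIXES) or low.split("?", 1)[0].endswith(GS_EXTENSIONS):
            findings.append(f"delegate-reference:{href}")
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SVG), ("external-ps", EXTERNAL_PS_SVG), ("inline-ps", INLINE_PS_SVG)):
        print(f"{name}: {triage_svg(sample) or 'clean'}")
```

The helper is a gate, not a signature for the PoC itself: anything it flags should be quarantined for manual review rather than passed to ImageMagick, and the Ghostscript-bound formats it checks for are the same coders that the ImageMagick `policy.xml` coder policy can disable outright on hosts that never need to rasterise PostScript or PDF from untrusted uploads.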
https://therecord.media/ghostscript-zero-day-allows-full-server-compromises/
https://twitter.com/wdormann/status/1434567659476197382/photo/1
Here're slides from my talk at ZeroNights X! A 0-day for GhostScript 9.50, RCE exploit chain for ImageMagick with the default settings from Ubuntu repos and several bug bounty stories inside https://t.co/7JHotVa5DQ
— Emil Lerner (@emil_lerner) August 25, 2021