postscript undead
play

PostScript Undead: Pwning the web with a 35 year old language Jens - PowerPoint PPT Presentation

Sep 15, 2023 •478 likes •822 views

PostScript Undead: Pwning the web with a 35 year old language Jens Mller, Vladislav Mladenov, Dennis Felsch, Jrg Schwenk About @jensvoid Passionate bounty hunter Interests: IoT, web security Likes mixing old tech and new tech

  1. PostScript Undead: Pwning the web with a 35 year old language Jens Müller, Vladislav Mladenov, Dennis Felsch, Jörg Schwenk

  2. About @jensvoid • Passionate bounty hunter • Interests: IoT, web security • Likes mixing old tech and new tech – Printer hacking – EFAIL attacks 2

  3. Today: PostScript in the web • Remember ImageTragick? CVE-2016 – 3714 3

  4. Today: PostScript in the web • Similar attack surface • Impact: DoS, LFI, RCE • But much less known Web App (/etc/passwd) (r) file root:x:0:0:root:/root:/bin/sh PS 3

  5. Today: PostScript in the web • Similar attack surface • Impact: DoS, LFI, RCE • But much less known Web App PS 3

  6. Overview 1. Motivation 2. Attacking websites 3. Evaluation 4. Mitigations 4

  7. PostScript • Invented by Adobe (1982 – 1984) • Heavily used on laser printers 5

  8. PostScript • Invented by Adobe (1982 – 1984) • Turing complete language 5

  9. Hello World %!PS /Helvetica 100 selectfont Hello World 50 500 moveto (Hello World) show showpage 6

  10. Hello World %!PS /Helvetica 100 selectfont GPL Ghostscript 50 500 moveto product show showpage 6

  11. Hello World %!PS /Helvetica 100 selectfont hp LaserJet 4250 50 500 moveto product show showpage 6

  12. Denial-of-Service (DoS) {} loop • CPU: • Memory: {65535 array} loop • Storage: null (w) .tempfile {dup 0 write} loop 7

  13. Information disclosure %!PS /Helvetica 100 selectfont 50 500 moveto pop show showpage 8

  14. Information disclosure %!PS /Helvetica 100 selectfont jens 50 500 moveto (USER) getenv pop show showpage 8

  15. File system access • Read, write, delete, list, stat • Depending on Ghostscript version, this is somewhat restricted if -dSAFER is used 09

  16. Shell command execution • RCE by design w/o – dSAFER 10

  17. Shell command execution • RCE by design w/o – dSAFER • Various -dSAFER bypasses 10

  18. Content masking: example.pdf 11

  19. Overview 1. Motivation 2. Attacking websites 3. Evaluation 4. Mitigations 12

  20. Attacking websites with PS/EPS/AI • Who process PostScript on the web? – Conversion websites – Thumbnail preview • PDF is more common these days – Can we embed PostScript in PDF? – Yes we can (four methods) 13

  21. Attacking websites with images • What about `image only’ websites? • Vulnerable if ImageMagick used – Has its own file format detection 14

  22. Chain of escalation $img->resize() 15

  23. Chain of escalation $img->resize() Imagick::resizeImage() 15

  24. Chain of escalation $img->resize() Imagick::resizeImage() convert/libmagick++ 15

  25. Chain of escalation $img->resize() Imagick::resizeImage() convert/libmagick++ system('/usr/bin/gs') 15

  26. Chain of escalation “Hey, I just wanted to resize an image...” 15

  27. Attacking websites • Additional file type checks required • How do web applications do it? – File extension } ≤ 1023 bytes GIF89a… – Content type %PDF-1.2 – Convert file %!PS ? – File header 16

  28. Putting it all together 17

  29. Overview 1. Motivation 2. Attacking websites 3. Evaluation 4. Mitigations 18

  30. Evaluation: Conversion websites 19

  31. Evaluation: High value websites RCE (no -dSAFER ) LFI (+list) RCE ( -dSAFER bypass) Microsoft Telekom Steam GMX Imgur Box.com Shutterstock ZoHo Basecamp 99Designs Evernote + 2 Bitcoin Exchanges 20

  32. Overview 1. Motivation 2. Attacking websites 3. Evaluation 4. Mitigations 21

  33. Countermeasures • If not required, do not execute PostScript – Remove ImageMagick handlers (policy.xml) – PDF: Replace Ghostscript with Poppler • If required, use additional sandboxing – chroot, firejail, seccomp, … 22

  34. Conclusion • PostScript must die! Ghostscript exploitation: http://bit.ly/gs-cheat-sheet Thank you! Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain

A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain

REDRAIN & MIN(SPARK) ZHENG A GHOST FROM POSTSCRIPT for RUXCON 2017 A GHOST FROM POSTSCRIPT WHO ARE WE redrain min(spark) zheng Qihoo 360CERT CUHK PhD Alibaba Security Expert Low-level security researcher Pentester with interest in

818 views • 52 slides
Bullinger, Hort, Riplinger, and the Mystery of Romans 16 Introduction Today we want to

Bullinger, Hort, Riplinger, and the Mystery of Romans 16 Introduction Today we want to

Bullinger, Hort, Riplinger, and the Mystery of Romans 16 Introduction Today we want to consider EWBs Postscript Theory from the following angles: What is the Postscript Theory? How does Bullinger seek to justify the theory?

361 views • 8 slides
computers to personal computers Xerox does it all 1973: Xerox Alto GUI wysiwyg mouse ethernet

computers to personal computers Xerox does it all 1973: Xerox Alto GUI wysiwyg mouse ethernet

computers to personal computers Xerox does it all 1973: Xerox Alto GUI wysiwyg mouse ethernet laserprinter smalltalk, impress, postscript 1979 : Steve Jobs tours PARC 1981: Xerox Star breaking down the computer HofI PC - 3 through thick

362 views • 24 slides
Poor Mans Panopticon Mass CCTV Surveillance for the masses Andrei Costin @costinandrei

Poor Mans Panopticon Mass CCTV Surveillance for the masses Andrei Costin @costinandrei

Poor Mans Panopticon Mass CCTV Surveillance for the masses Andrei Costin @costinandrei FIRMWARE.RE andrei# whoami SW/HW/Emb security researcher, PhD student Mifare Classic Hacking MFPs + MFCUK PostScript Avionics + ADS-B 1 DISCLAIMER

455 views • 34 slides
Book This Old Renovating Print Assets For Digital Publishing Mike Rankin The Topic

Book This Old Renovating Print Assets For Digital Publishing Mike Rankin The Topic

Slide Title Book This Old Renovating Print Assets For Digital Publishing Mike Rankin The Topic InDesign-centered workfmow to re-purpose legacy print content for digital publishing The Problems Page Layout is rooted in PostScript

855 views • 33 slides
Inside PDF Lecture @21C3 The Portable Document Format A Short Introduction Maik Musall

Inside PDF Lecture @21C3 The Portable Document Format A Short Introduction Maik Musall

Inside PDF Lecture @21C3 The Portable Document Format A Short Introduction Maik Musall <maik@musall.de> CCC Erlangen Overview History of PDF and it's relation to PostScript Licenses and legal issues File format syntax and

584 views • 17 slides
Images CS418 Computer Graphics John C. Hart Vector v. Raster Graphics Vector Graphics Raster

Images CS418 Computer Graphics John C. Hart Vector v. Raster Graphics Vector Graphics Raster

Images CS418 Computer Graphics John C. Hart Vector v. Raster Graphics Vector Graphics Raster Graphics Plotters, laser displays TVs, monitors, phones Clip art, illustrations Photographs PostScript, PDF, SVG

874 views • 8 slides
1 Collaboration method was determined and controlled by each ASHRAE group: committee, council,

1 Collaboration method was determined and controlled by each ASHRAE group: committee, council,

1 Collaboration method was determined and controlled by each ASHRAE group: committee, council, region, chapter, TC. If you belong to more than one group you would need to understand the preferred method for each group. 2 Email become the

680 views • 47 slides
by 28 Octobre 2016 Gif sur Yvette

by 28 Octobre 2016 Gif sur Yvette

by 28 Octobre 2016 Gif sur Yvette Disassemble Analyse Traitement 1 Traitement 2 Disassemble ... Traitement 1: Extraction sections delimited by blocks

519 views • 30 slides
CSE 510 Web Data Engineering XML, XHTML, XSLT and Web Application Programming Evolving as We

CSE 510 Web Data Engineering XML, XHTML, XSLT and Web Application Programming Evolving as We

CSE 510 Web Data Engineering XML, XHTML, XSLT and Web Application Programming Evolving as We Speak UB CSE 510 Web Data Engineering XML-based Model 2 (MVC) Architecture of Today View: XSLT-based presentation XML/XML Schema-defined

436 views • 28 slides
A Layered Naming Architecture Michael Walfish MIT Computer Science and Artificial Intelligence

A Layered Naming Architecture Michael Walfish MIT Computer Science and Artificial Intelligence

A Layered Naming Architecture Michael Walfish MIT Computer Science and Artificial Intelligence Lab Joint work with: H. Balakrishnan, M. Krohn, K. Lakshminarayanan, S. Ratnasamy, S. Shenker, I. Stoica, J. Stribling IRTF HIP RG 6 August 2004

728 views • 10 slides
Computer Vision Introduction Historical context Connections to other disciplines Vision and

Computer Vision Introduction Historical context Connections to other disciplines Vision and

Computer Vision Introduction Historical context Connections to other disciplines Vision and Graphics Dual aspect of vision: analysis and synthesis Applications of computer vision Applications of computer vision Historical context Machine

630 views • 45 slides
UX Design Margus Luik http://www.uxmatters.com/mt/archives/2007/11/images/FiveCompetencies.pdf

UX Design Margus Luik http://www.uxmatters.com/mt/archives/2007/11/images/FiveCompetencies.pdf

UX Design Margus Luik http://www.uxmatters.com/mt/archives/2007/11/images/FiveCompetencies.pdf Information Architecture Business level analyzes UI structure analyzes http://www.uxmatters.com/mt/archives/2007/11/images/infoArch.gif

691 views • 33 slides
Set 7: Events and Animation Animation and Events Animation attention, explanation

Set 7: Events and Animation Animation and Events Animation attention, explanation

IT452 Advanced Web and Internet Systems Set 7: Events and Animation Animation and Events Animation attention, explanation Capturing user events Education and games We will use jQuery to make coding easier 1 Preliminaries

451 views • 10 slides
CSSE 220 Sorting Algorithms Algorithm Analysis and Big-O Searching Checkout SortingAndSearching

CSSE 220 Sorting Algorithms Algorithm Analysis and Big-O Searching Checkout SortingAndSearching

CSSE 220 Sorting Algorithms Algorithm Analysis and Big-O Searching Checkout SortingAndSearching project from SVN Project Reminders Graders should be first contact, not me Tomorrow will include time to work on project Final

455 views • 19 slides
beautiful textures: patterns, tiles & formats creating seamless patterns on the example of a

beautiful textures: patterns, tiles & formats creating seamless patterns on the example of a

beautiful textures: patterns, tiles & formats creating seamless patterns on the example of a custom 404 page, with a look at suitable file formats for online use Prisca Schmarsow :: eyelearn.org Steps covered 1. file organisation 2.

722 views • 25 slides
Image Classification for Mobile Web Browsing Takuya Maekawa*, Takahiro Hara**, Shojiro Nishio**

Image Classification for Mobile Web Browsing Takuya Maekawa*, Takahiro Hara**, Shojiro Nishio**

Image Classification for Mobile Web Browsing Takuya Maekawa*, Takahiro Hara**, Shojiro Nishio** NTT* Osaka Univ.** International World Wide Web Conference 2006 1 Background Many commercial products and research studies focus on how to

1.04k views • 38 slides
Output models Drawing

Output models Drawing

Output models Drawing Rasterization Color models Fall 2004 6.831 UI Design and Implementation 1 Fall 2004 6.831

312 views • 5 slides
Pulsating Stars & Spectrocopy Denis GILLET Directeur de recherche au CNRS Observatoire de

Pulsating Stars & Spectrocopy Denis GILLET Directeur de recherche au CNRS Observatoire de

Pulsating Stars & Spectrocopy Denis GILLET Directeur de recherche au CNRS Observatoire de Haute Provence denis.gillet@oamp.fr An outstanding laboratory Our Galaxy: 100 billion stars about a star The Sun on 100,000 is pulsating

911 views • 67 slides
Data Visualization Principles: Other Perceptual Channels CSC544 Acknowledgments for todays

Data Visualization Principles: Other Perceptual Channels CSC544 Acknowledgments for todays

Data Visualization Principles: Other Perceptual Channels CSC544 Acknowledgments for todays lecture: Tamara Munzner, Miriah Meyer, Colin Ware, Christopher Healey There exist stimuli other than colors So what is data visualization? The art

732 views • 52 slides
In-class Presentations Another skill to learn Like designing game, coding, art A

In-class Presentations Another skill to learn Like designing game, coding, art A

3/24/2017 Why Give a Presentation? People fear public speaking IMGD 2905 But you will speak For class, job interviews, work, In-class Presentations Another skill to learn Like designing game, coding, art A critical

255 views • 3 slides
Java Swing GUI Programming 4 Learning Objectives New UI components File chooser, Text

Java Swing GUI Programming 4 Learning Objectives New UI components File chooser, Text

Java Swing GUI Programming 4 Learning Objectives New UI components File chooser, Text area, Color chooser, Slider, Combo box (menu) Tooltips and short-cuts Mouse events Dynamic drawing Key events Timer events and

824 views • 34 slides
everything you ever wanted to know about missjessicatate jessicatate What is a jpg? Joint

everything you ever wanted to know about missjessicatate jessicatate What is a jpg? Joint

everything you ever wanted to know about missjessicatate jessicatate What is a jpg? Joint Photographic Experts Group When do you use a jpg? Lossy Compression. What is a png? Portable Network Graphics Two common types of pngs PNG-8

582 views • 34 slides
ECE 6504: Deep Learning for Perception Topics: (Finish) Backprop Convolutional Neural

ECE 6504: Deep Learning for Perception Topics: (Finish) Backprop Convolutional Neural

ECE 6504: Deep Learning for Perception Topics: (Finish) Backprop Convolutional Neural Nets Dhruv Batra Virginia Tech Administrativia Presentation Assignments https://docs.google.com/spreadsheets/d/

924 views • 67 slides

More recommend