PostScript Undead - OWASP
PostScript Undead: Pwning the web with a 35 year old language
Jens Müller, Vladislav Mladenov, Dennis Felsch, Jörg Schwenk
About @jensvoid
• Passionate bounty hunter
• Interests: IoT, web security
• Likes mixing old tech and new tech
  – Printer hacking
  – EFAIL attacks
Today: PostScript in the web
• Remember ImageTragick? (CVE-2016-3714)
Today: PostScript in the web
[Diagram: Web App → PS interpreter: (/etc/passwd) (r) file; PS interpreter → Web App: root:x:0:0:root:/root:/bin/sh]
• Similar attack surface
• Impact: DoS, LFI, RCE
• But much less known
Overview
1. Motivation
2. Attacking websites
3. Evaluation
4. Mitigations
PostScript
• Invented by Adobe (1982 – 1984)
• Heavily used on laser printers
• Turing complete language
Hello World
%!PS
/Helvetica 100 selectfont
50 500 moveto
(Hello World) show
showpage
Output: Hello World
Hello World
%!PS
/Helvetica 100 selectfont
50 500 moveto
product show
showpage
Output on Ghostscript: GPL Ghostscript
Output on an HP printer: hp LaserJet 4250
Denial-of-Service (DoS)
• CPU: {} loop
• Memory: {65535 array} loop
• Storage: null (w) .tempfile {dup 0 write} loop
Information disclosure
%!PS
/Helvetica 100 selectfont
50 500 moveto
(USER) getenv pop show
showpage
Output: jens
File system access
• Read, write, delete, list, stat
• Depending on Ghostscript version, this is somewhat restricted if -dSAFER is used
Shell command execution
• RCE by design w/o -dSAFER
• Various -dSAFER bypasses
Content masking: example.pdf
Overview: 2. Attacking websites
Attacking websites with PS/EPS/AI
• Who processes PostScript on the web?
  – Conversion websites
  – Thumbnail preview
• PDF is more common these days
  – Can we embed PostScript in PDF?
  – Yes we can (four methods)
Attacking websites with images
• What about 'image only' websites?
• Vulnerable if ImageMagick is used
  – Has its own file format detection
Chain of escalation
$img->resize()
→ Imagick::resizeImage()
→ convert/libmagick++
→ system('/usr/bin/gs')
"Hey, I just wanted to resize an image..."
Attacking websites
• Additional file type checks required
• How do web applications do it?
  – File extension
  – Content type
  – Convert file
  – File header
[Diagram: file header check marked "?"; candidate headers GIF89a…, %PDF-1.2 and %!PS, with the first ≤1023 bytes of the file bracketed]
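As an added example (not from the talk), a Python check that goes further than a leading-bytes header test: it scans the whole upload for a PostScript or PDF signature and reports whether that signature sits inside the 1023-byte window the slide brackets. The allowed image formats, the sample bytes, and the assumption that a marker inside that window is what makes a PostScript-aware converter treat the file as PostScript are mine.

```python
from typing import Optional, Tuple

# The 1023-byte window is the figure from the slide; that a marker inside it
# makes a PostScript-aware converter treat the upload as PostScript is an
# assumption of this example, as are the allowed image formats below.
INTERPRETER_WINDOW = 1023
IMAGE_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
}
# Signatures that route a file to a PostScript/PDF interpreter. A bare "%!"
# is left out on purpose: it turns up by chance inside binary image data.
INTERPRETER_MARKERS = (b"%!PS", b"%PDF-")


def declared_format(data: bytes) -> Optional[str]:
    """The format the leading bytes claim, i.e. what a naive header check sees."""
    for fmt, magics in IMAGE_MAGIC.items():
        if data.startswith(magics):
            return fmt
    return None


def find_interpreter_marker(data: bytes) -> Optional[Tuple[int, bytes]]:
    """Earliest PS/PDF marker anywhere in the file, as (offset, marker)."""
    hits = [(data.find(m), m) for m in INTERPRETER_MARKERS if m in data]
    return min(hits) if hits else None


def classify_upload(data: bytes) -> str:
    """'image': allowed header, no marker.  'polyglot': allowed header but a
    marker inside the window.  'suspicious': marker beyond the window (still
    reject).  'postscript': starts with a marker.  'unknown': reject, don't guess."""
    fmt = declared_format(data)
    hit = find_interpreter_marker(data)
    if hit is not None and hit[0] == 0:
        return "postscript"
    if fmt is not None and hit is not None:
        return "polyglot" if hit[0] <= INTERPRETER_WINDOW else "suspicious"
    if fmt is not None:
        return "image"
    return "unknown"


# Constructed samples, not real uploads: a bare GIF header, and the same
# header followed by a PostScript signature with no program body.
SAMPLE_GIF = b"GIF89a" + b"\x00" * 32
SAMPLE_POLYGLOT = SAMPLE_GIF + b"%!PS\n"
```

Anything other than 'image' should be rejected before the file reaches a converter; the distinction between the outcomes is there for logging, not for deciding what to let through.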
Putting it all together
Overview: 3. Evaluation
Evaluation: Conversion websites
Evaluation: High value websites
RCE (no -dSAFER) / RCE (-dSAFER bypass):
Telekom, GMX, Box.com, ZoHo, 99Designs, Steam, Imgur, Shutterstock, Basecamp, Evernote, + 2 Bitcoin Exchanges
LFI (+list):
Microsoft
Overview: 4. Mitigations
Countermeasures
• If not required, do not execute PostScript
  – Remove ImageMagick handlers (policy.xml)
  – PDF: Replace Ghostscript with Poppler
• If required, use additional sandboxing
  – chroot, firejail, seccomp, …
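An added example, not from the talk, for the first countermeasure: a small Python audit of an ImageMagick policy.xml that reports which Ghostscript-backed coders are still enabled, with a constructed weak policy beside a hardened one. The coder list (PS, PS2, PS3, EPS, PDF, XPS) and the handling of the pattern forms are assumptions of this example; the sample policies are constructed, not copied from any host.

```python
import xml.etree.ElementTree as ET
from typing import Set

# Coders ImageMagick hands to Ghostscript (the "ImageMagick handlers" of the
# slide); this list is an assumption of the example, not taken from the talk.
GS_BACKED_CODERS = {"PS", "PS2", "PS3", "EPS", "PDF", "XPS"}

# Constructed weak policy: a resource limit only, no coder denied.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

# Constructed hardened policy: the same file with every Ghostscript-backed
# coder denied, using the brace-group pattern form policy.xml accepts.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}"/>
</policymap>"""


def _expand_pattern(pattern: str) -> Set[str]:
    """Expand the pattern forms seen in policy.xml: NAME, {A,B,C} or *."""
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        return {p.strip().upper() for p in pattern[1:-1].split(",")}
    if pattern == "*":
        return set(GS_BACKED_CODERS)  # a blanket deny covers all of them
    return {pattern.upper()}


def denied_coders(policy_xml: str) -> Set[str]:
    """Coder names a policy denies outright (domain="coder", rights="none")."""
    denied: Set[str] = set()
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("domain") != "coder":
            continue
        if policy.get("rights", "").strip().lower() == "none":
            denied |= _expand_pattern(policy.get("pattern", ""))
    return denied


def still_executes_postscript(policy_xml: str) -> Set[str]:
    """Ghostscript-backed coders the policy leaves usable; empty is the goal."""
    return GS_BACKED_CODERS - denied_coders(policy_xml)
```

This is a static read of the file; on a live host, `convert -list policy` prints the policy ImageMagick actually loaded, which is the authoritative check.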
Conclusion
• PostScript must die!
Thank you! Questions?
Ghostscript exploitation: http://bit.ly/gs-cheat-sheet