A proof-of-concept (PoC) exploit was posted online over the weekend for a Ghostscript vulnerability that endangers all servers relying on the component.
The PoC was published on GitHub by Vietnamese security researcher Nguyen The Duc and has been confirmed to work by several leading security researchers.
Ghostscript was released in 1988 and is a small library that allows applications to process PDF documents and PostScript-based files.
Ghostscript is also used on the server side, and is usually included in image conversion and file editing tools such as the popular ImageMagick.
The PoC released by Nguyen allows an attacker to upload a malicious SVG file that is supposed to be handled as an image for processing, but instead runs malicious code on the underlying operating system.
Nguyen may have been the one who publicly released the PoC, but he did not discover the vulnerability.
It was discovered by Emil Lerner, CTO and founder of Wunderfund, who used the bug last year to earn bug bounties from companies such as Airbnb, Dropbox and Yandex.
This is the second time the Ghostscript project has been in the news for security flaws. In August 2018, a Google security researcher discovered several critical vulnerabilities in the Ghostscript library, which Artifex (the company that develops it) failed to fix in time. However, the company released fixes two days after the security vulnerabilities were made public.