The Proof-of-concept (PoC) of an exploit was posted online over the weekend about a Ghostscript vulnerability that compromises all component-based servers.
The PoC was published by Vietnamese security researcher Nguyen The Duc in GitHub and has been confirmed to work by several leading security researchers.
Released in 1988, Ghostscript is a small library that allows applications to edit PDF documents and archives based on PostScript.
Ghostscript is also used by the server, and is usually included in image conversion and file editing tools, such as the popular ImageMagick.
The PoC released by Nguyen allows an attacker to upload one malicious SVG file that is supposed to go to image processing, but runs malicious code on the underlying operating system.
Nguyen may have been the one who publicly released PoC, but he did not discover the vulnerability.
It was discovered by Emil Lerner CTO and founder of Wunderfund, who used the bug last year to win bug bounties from companies such as Airbnb, Dropbox and Yandex.
This is the second time the Ghostscript project has been in the news for security flaws. In August 2018, a Google security researcher made several critical discoveries vulnerable points in the Ghostscript library that Artifex (the company that develops it) failed to patch in time. However, the company released fixes two days after the vulnerabilities were made public.
