2018 | OriginalPaper | Chapter

PostScript Undead: Pwning the Web with a 35 Years Old Language

Authors: Jens Müller, Vladislav Mladenov, Dennis Felsch, Jörg Schwenk

Published in: Research in Attacks, Intrusions, and Defenses

Publisher: Springer International Publishing


Abstract

PostScript is a Turing complete page description language dating back to 1982. It is supported by most laser printers and for a long time it had been the preferred file format for documents like academic papers. In this work, we show that popular services such as Wikipedia, Microsoft OneDrive, and Google Mail can be attacked using malicious PostScript code. Besides abusing legitimate features of the PostScript language, we systematically analyzed the security of the most popular PostScript interpreter – Ghostscript. Our attacks include information disclosure, file inclusion, and remote command execution. Furthermore, we present methods to obfuscate PostScript code and embed it within legitimate PDF files to bypass security filters. This allows us to create a hybrid exploit that can be used to attack web applications, client systems, print servers, or printers. Our large-scale evaluation reveals that 56% of the analyzed web applications are vulnerable to at least one attack. In addition, three of the top 15 Alexa websites were found vulnerable. We provide different countermeasures and discuss their advantages and disadvantages. Finally, we extend the scope of our research considering further targets and more advanced obfuscation techniques.
Footnotes

1. ImageMagick Studio LLC, ImageMagick, http://imagemagick.org, Mar. 2017.
2. Artifex Software, Ghostscript, https://ghostscript.com/, Mar. 2017.
3. Apple Inc., Common UNIX Printing System, https://www.cups.org/, Mar. 2017.
4. The Apache Software Foundation, PDFBox, https://pdfbox.apache.org/, Mar. 2017.
5. Note that the proof-of-concept file is hosted on Dropbox. After uploading, we realized that Dropbox itself processes PostScript documents. The shown preview image therefore is the rendered result of the attack catalog executed on the Dropbox server.
6. Wikimedia Foundation, MediaWiki, https://www.mediawiki.org/, Mar. 2017.
7. GNU Project, GNU less, https://www.gnu.org/software/less/, Mar. 2017.
8. Christos Zoulas, The file(1) Command, https://github.com/file/file, Mar. 2017.

Metadata
Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-030-00470-5_28
