Top

Published in:

2018 | OriginalPaper | Chapter

PostScript Undead: Pwning the Web with a 35 Years Old Language

Authors : Jens Müller, Vladislav Mladenov, Dennis Felsch, Jörg Schwenk

Published in: Research in Attacks, Intrusions, and Defenses

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

PostScript is a Turing complete page description language dating back to 1982. It is supported by most laser printers and for a long time it had been the preferred file format for documents like academic papers. In this work, we show that popular services such as Wikipedia, Microsoft OneDrive, and Google Mail can be attacked using malicious PostScript code. Besides abusing legitimate features of the PostScript language, we systematically analyzed the security of the most popular PostScript interpreter – Ghostscript. Our attacks include information disclosure, file inclusion, and remote command execution. Furthermore, we present methods to obfuscate PostScript code and embed it within legitimate PDF files to bypass security filters. This allows us to create a hybrid exploit that can be used to attack web applications, clients systems, print servers, or printers. Our large-scale evaluation reveals that 56% of the analyzed web applications are vulnerable to at least one attack. In addition, three of the top 15 Alexa websites were found vulnerable. We provide different countermeasures and discuss their advantages and disadvantages. Finally, we extend the scope of our research considering further targets and more advanced obfuscation techniques.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Statistical Similarity of Critical Infrastructure Network Traffic Based on Nearest Neighbor Distances

next chapter Identifying Key Leakage of Bitcoin Users

Available only for authorised users

ImageMagick Studio LLC, ImageMagick, http://imagemagick.org, Mar. 2017.

Artifex Software, Ghostscript, https://ghostscript.com/, Mar. 2017.

Apple Inc., Common UNIX Printing System, https://www.cups.org/, Mar. 2017.

The Apache Software Foundation, PDFBox, https://pdfbox.apache.org/, Mar. 2017.

Note that the proof-of-concept file is hosted on Dropbox. After uploading, we realized that Dropbox itself processes PostScript documents. The shown preview image therefore is the rendered result of the attack catalog executed on the Dropbox server.

Wikimedia Foundation, MediaWiki, https://www.mediawiki.org/, Mar. 2017.

GNU Project, GNU less, https://www.gnu.org/software/less/, Mar. 2017.

Christos Zoulas, The file(1) Command, https://github.com/file/file, Mar. 2017.

Adobe Systems: Adobe Type 1 Font Format (1990)

Adobe Systems: PostScript Language Reference Manual (1999)

Adobe Systems: Pdfmark Reference Manual (2005)

Albertini, A.: This PDF is a JPEG; or, this Proof of Concept is a Picture of Cats. PoC 11 GTFO 0x03 (2014)

Baccas, P.: Finding rules for heuristic detection of malicious PDFs: with analysis of embedded exploit code. In: Virus Bulletin Conference (2010)

Backes, M., Dürmuth, M., Unruh, D.: Vorgetäuscht/Böse Textdokumente - Postscript Gone Wild (2007). (in German)

Baines, J.: Rooting a Printer: From Security Bulletin to Remote Code Execution (2017). https://www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution

Blonce, A., Filiol, E., Frayssignes, L.: Portable Document Format (PDF) Security Analysis and Malware Threats. BlackHat Europe (2008)

Costin, A.: Hacking printers for fun and profit. Hack.lu (2010)

10.

Costin, A.: Hacking printers - 10 years down the road. Hash Days (2011)

11.

Costin, A.: Postscript(um): You’ve Been Hacked. 28C3 (2011)

12.

Costin, A.: Postscript: Danger ahead?! Hack in Paris (2012)

13.

Dominique, R.: Protect File Upload Against Malicious File (2017). https://www.owasp.org/index.php/Protect_FileUpload_Against_Malicious_File

14.

Goldberg, I., Wagner, D., Thomas, R., Brewer, E., et al.: A Secure Environment for untrusted helper applications: confining the wily hacker. In: Proceedings of the 6th Conference on USENIX Security Symposium, Focusing on Applications of Cryptography, vol. 6, p. 1 (1996)

15.

Hong, Y., Zheng, M.: A Ghost from Postscript. Ruxcon (2017)

16.

Magazinius, J., Rios, B.K., Sabelfeld, A.: Polyglots: crossing origins by crossing formats. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 753–764. ACM (2013)

17.

Markwood, I., Shen, D., Liu, Y., Lu, Z.: PDF mirage: content masking attack against information-based online services. In: 26th USENIX Security Symposium (USENIX Security 17), (Vancouver, BC), pp. 833–847 (2017)

18.

Müller, J., Mladenov, V., Somorovsky, J., Schwenk, J.: SoK: exploiting network printers. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 213–230. IEEE (2017)

19.

Popescu, D.S.: Hiding malicious content in PDF documents. arXiv preprint arXiv:1201.0397 (2012)

20.

Raynal, F., Delugré, G., Aumaitre, D.: Malicious origami in PDF. J. Comput. Virol. 6(4), 289–315 (2010)CrossRef

21.

Selvaraj, K., Gutierrez, N.: The rise of PDF malware. Symantec Security Response (2010)

22.

Sibert, W.: Malicious data and computer security. In: Proceedings of the 19th National Information Systems Security Conference (1996)

23.

Späth, C., Mainka, C., Mladenov, V., Schwenk, J.: Sok: xml parser vulnerabilities. In: 10th USENIX Workshop on Offensive Technologies (WOOT 2016), Austin, TX (2016)

Title: PostScript Undead: Pwning the Web with a 35 Years Old Language
Authors: Jens Müller
Vladislav Mladenov
Dennis Felsch
Jörg Schwenk
Publisher: Springer International Publishing
Book: Research in Attacks, Intrusions, and Defenses
Print ISBN: 978-3-030-00469-9

Electronic ISBN: 978-3-030-00470-5

Copyright Year: 2018
DOI: https://doi.org/10.1007/978-3-030-00470-5_28

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner