A recently discovered vulnerability in the OX App Suite's Document Converter (CVE-2022-29851) allows attackers to achieve remote OS command injection. This vulnerability exclusively affects OX App Suite installations that have been configured for Ghostscript support but serves as a crucial reminder for all administrators to ensure that their systems have the necessary protection in place.

Details

The vulnerability lies within the Document Converter component of the OX App Suite (through 7.10.6), specifically in non-default configurations that have Ghostscript support enabled. As a result, attackers can leverage Encapsulated PostScript (EPS) documents disguised as Portable Document Format (PDF) files to inject arbitrary system commands.

There has been an increasing trend of attackers exploiting document formats to embed malicious payloads. The CVE-2022-29851 vulnerability is particularly dangerous because it allows them to execute Operating System (OS) commands directly on the affected system. This can result in unauthorized access, data exfiltration, and potential system compromise.

1. Here's an example of an EPS file containing a potentially dangerous payload:

%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
%%EndProlog
/systemdict /product where{pop product (Ghostscript)search {pop pop pop(.)print}if}if
%payload
system("touch /tmp/cve-2022-29851_exploit")
%%EOF

Note that the system("touch /tmp/cve-2022-29851_exploit") line represents the injected OS command.

2. Disguise the EPS file as a PDF. To do this, change the file extension from .eps to .pdf (e.g., malicious_payload.pdf).

3. Upload this disguised file to the server or exchange system via an email attachment, a document collaboration platform, or any other method accepted by the OX App Suite.

4. When a user with an affected OX App Suite installation tries to process the document, the converter will allow the embedded OS command to execute.

Mitigation and Patch Details

OX Software has released a patch addressing this vulnerability. Administrators running OX App Suite should update to the latest available version (7.10.6 or later) and disable Ghostscript support if it's not required.

For information on updating your OX App Suite installation and disabling Ghostscript support, refer to the OX App Suite Installation and Setup Guide.
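
As a defence-in-depth check alongside the patch, the following added example (not OX Software's fix and not code from the original post) flags uploads whose name claims PDF but whose leading bytes are PostScript/EPS, which is the disguise described above. The function names, the allow_postscript switch and the sample bytes are assumptions constructed for illustration.

```python
from __future__ import annotations
from pathlib import PurePath

PDF_MAGIC = b"%PDF-"
PS_MAGIC = b"%!"                     # text PostScript/EPS, e.g. "%!PS-Adobe-3.0 EPSF-3.0"
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"  # binary EPS wrapper that carries a preview image


def sniff_type(head: bytes) -> str:
    """Classify a file by its leading bytes: 'pdf', 'postscript' or 'unknown'."""
    if head.startswith(DOS_EPS_MAGIC):
        return "postscript"
    # Drop any leading UTF-8 BOM bytes and whitespace before looking for the marker.
    body = head.lstrip(b"\xef\xbb\xbf \t\r\n")
    if body.startswith(PS_MAGIC):
        return "postscript"
    if body.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def check_upload(filename: str, head: bytes,
                 allow_postscript: bool = False) -> tuple[bool, str]:
    """Return (allow, reason) for a file about to be handed to a document converter."""
    claimed = PurePath(filename).suffix.lower().lstrip(".")
    actual = sniff_type(head)
    if actual == "postscript":
        if not allow_postscript:
            return False, "PostScript/EPS content rejected (conversion not required)"
        if claimed not in ("ps", "eps"):
            return False, f"content is PostScript/EPS but name claims .{claimed}"
    if claimed == "pdf" and actual != "pdf":
        return False, "name claims .pdf but content has no %PDF- header"
    return True, f"claimed={claimed or 'none'} actual={actual}"


# Constructed sample inputs: file name -> first bytes of the upload.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "invoice.pdf": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n",
    "scan.PDF": b"\xc5\xd0\xd3\xc6\x1e\x00\x00\x00",
    "figure.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, check_upload(name, head))
```

The check inspects content rather than the extension, so it belongs in front of the converter; it complements, and does not replace, updating and disabling Ghostscript support.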

Conclusion

System administrators must be vigilant in protecting their installations by keeping systems up to date and applications adequately configured. This long-read post has discussed the details of a vulnerability, CVE-2022-29851, affecting the OX App Suite's Document Converter component, allowing attackers to achieve OS Command Injection through maliciously crafted documents. Regularly updating and maintaining the systems can significantly reduce the attack surface and safeguard users from such vulnerabilities.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 02:11:00 UTC