webPromedium
Lab 343 — FrameCast — RCE via Ghostscript EPS Processing in Thumbnail Import
hackadvisor
Task: FrameCast video hosting platform with thumbnail import from URL; Pillow delegates EPS processing to Ghostscript 9.23 with -dSAFER. Solution: CVE-2018-16509 bypasses SAFER sandbox via failed restore in PostScript, enabling %pipe% command execution to exfiltrate /root/flag.txt through the web-accessible uploads directory.
$ ls tags/ techniques/
flaskssrfrcepillowimage_processinghoneypot_flaginteraction_serverghostscriptpostscriptepspipe_operatorcve_2018_16509thumbnail_importsafer_bypass
honeypot_flag_detectionghostscript_safer_bypass_via_failed_restorepostscript_pipe_command_executionurl_import_ssrf_to_internal_serviceeps_rendering_to_ocr_exfiltrationinteraction_server_file_hosting
🔒
Permission denied (requires tier.pro)
Sign in to access full writeups
Sign in with GitHub to continue. No email required.
$sign in$ grep --similar
Similar writeups
- [web][Pro]Lab 126 — AssetForge — RCE via Ghostscript Pipe Device Bypass (CVE-2023-36664)— hackadvisor
- [web][Pro]InkDrop— hackadvisor
- [web][Pro]Lab 324 — ImageMagick RCE (PixelForge)— hackadvisor
- [web][Pro]Lab 39 — PixelVault — RCE via ImageMagick Filename Command Injection— hackadvisor
- [web][Pro]Lab 345 — PrintForge — RCE via Ghostscript Command Injection— hackadvisor