Critical Vulnerability In Basecamp Could Allow Remote Code Execution Attacks

Basecamp has recently disclosed a critical vulnerability that could have allowed remote code execution attacks. Fortunately, Basecamp has already deployed a fix, so the bug no longer exists.

Critical Basecamp RCE Vulnerability

A security researcher found a critical vulnerability in the Basecamp platform allowing remote code execution. According to the details, the bug affected the profile image feature, specifically its image upload function.

A critical flaw in Basecamp’s profile image upload function leads to remote command execution. Images are converted on the server side, but not only image files but also PostScript/EPS files are accepted (if renamed to .gif). This is probably due to ImageMagick / GraphicsMagick being used for image conversion, which calls a PostScript interpreter (Ghostscript) if the input file starts with ‘%!’. The Ghostscript version used, however, has a security bug.

Thus, it became possible for an adversary to upload malicious files with spoofed image file extensions and execute commands on the server.

The bug received a critical severity rating with a score of 9 to 10.

$5000 Bounty Awarded

The researcher discovered and reported this bug roughly 2 years ago via HackerOne. Following his report, Basecamp addressed the bug by disallowing the libgs-based PS and PDF coders in the ImageMagick security policy, so that uploaded files are no longer handed to Ghostscript.
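The two defensive measures implied by the report are checking what an upload actually contains rather than trusting its extension, and verifying that the ImageMagick policy really denies every Ghostscript-backed coder. The following is an added example, not Basecamp's code or the researcher's; the file signatures, the coder list, the sample uploads and the two sample policy.xml documents are constructed here for illustration.

```python
"""Defender-side checks for the ImageMagick/Ghostscript upload issue described above.

Added example, not Basecamp's code. Two independent checks:
  1. accept_profile_image(): classify an upload by its leading bytes, so a
     PostScript/EPS or PDF file renamed to .gif is rejected before it ever
     reaches the image converter.
  2. denied_coders(): parse an ImageMagick policy.xml and report which of the
     Ghostscript-backed coders it denies, so the mitigation can be verified.
All sample inputs below are constructed for this example.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# ImageMagick hands files starting with "%!" (PostScript) or "%PDF" (PDF) to a
# Ghostscript-based delegate; a real GIF must start with GIF87a or GIF89a.
SIGNATURES = {
    b"%!": "postscript",
    b"%PDF": "pdf",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

ALLOWED_IMAGE_TYPES = {"gif", "png", "jpeg"}

# Coders that ImageMagick routes through Ghostscript (libgs). Denying all of
# them is the fix the report describes ("disallowing libgs-based PS and PDF coders").
GS_CODERS = {"PS", "PS2", "PS3", "EPS", "PDF", "XPS"}


def sniff_upload(data: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    # Longest signature first so a more specific match wins over a shorter one.
    for magic, fmt in sorted(SIGNATURES.items(), key=lambda kv: -len(kv[0])):
        if data.startswith(magic):
            return fmt
    return "unknown"


def accept_profile_image(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide by content, never by extension. Returns (accepted, reason)."""
    fmt = sniff_upload(data)
    if fmt not in ALLOWED_IMAGE_TYPES:
        return False, f"{filename}: content is {fmt}, not an allowed raster image"
    return True, f"{filename}: {fmt}"


def denied_coders(policy_xml: str) -> set[str]:
    """Return the Ghostscript-backed coders that a policy.xml denies outright."""
    root = ET.fromstring(policy_xml)
    denied: set[str] = set()
    for pol in root.iter("policy"):
        if pol.get("domain") != "coder" or pol.get("rights") != "none":
            continue
        pattern = pol.get("pattern", "")
        # ImageMagick's glob syntax allows a brace list such as "{PS,PS2,EPS,PDF}".
        names = pattern.strip("{}").split(",") if pattern.startswith("{") else [pattern]
        denied.update(n.strip().upper() for n in names)
    return denied & GS_CODERS


def policy_blocks_ghostscript(policy_xml: str) -> bool:
    """True only if every libgs-based coder is denied."""
    return denied_coders(policy_xml) == GS_CODERS


# Constructed sample policies: one with no coder restrictions, one hardened.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>"""


if __name__ == "__main__":
    # Constructed uploads: a real GIF header, an EPS header and a PDF header,
    # all submitted under a .gif filename.
    samples = {
        "avatar.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
        "avatar2.gif": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
        "avatar3.gif": b"%PDF-1.4\n",
    }
    for name, blob in samples.items():
        print(accept_profile_image(name, blob))
    print("weak policy blocks Ghostscript:", policy_blocks_ghostscript(WEAK_POLICY))
    print("hardened policy blocks Ghostscript:", policy_blocks_ghostscript(HARDENED_POLICY))
```

The content check is deliberately applied before any conversion step: the converter's own format detection is exactly what the renamed file abuses, so the decision to reject has to be made by code that never consults the extension. The policy check is a configuration audit rather than a runtime control; a policy that denies only PS and PDF but leaves EPS, PS2, PS3 or XPS allowed is reported as not blocking Ghostscript.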

For reporting this flaw, Basecamp awarded the researcher with a $5000 bounty.

The bug report shows that Basecamp had already patched the vulnerability at the time of the report; however, they publicly disclosed the flaw only recently.

Basecamp had been running a private vulnerability disclosure program since 2014, under which they invited select hackers to find bugs. After years of running this program, Basecamp recently expanded it to a public bug bounty program open to all researchers.

Under this program, Basecamp has set rewards of up to $10,000 for the most critical vulnerabilities, while the lowest reward is $100 for low-severity bugs.
