Critical Vulnerability In Basecamp Could Allow Remote Code Execution Attacks

Basecamp has recently disclosed a critical vulnerability that could have allowed remote code execution attacks. Basecamp deployed a fix long before the disclosure, so the bug no longer exists in the live platform.

Critical Basecamp RCE Vulnerability

A security researcher found a critical vulnerability in the Basecamp platform that allowed remote code execution. According to the report, the bug lay in the profile image feature, specifically in the image upload function.

A critical flaw in Basecamp’s profile image upload function leads to remote command execution. Images are converted on the server side, and not only image files but also PostScript/EPS files are accepted (if renamed to .gif). This is probably due to ImageMagick / GraphicsMagick being used for image conversion, which calls a PostScript interpreter (Ghostscript) if the input file starts with ‘%!’. The Ghostscript version in use, however, has a security bug.

Thus, an adversary could upload a malicious PostScript file under a spoofed image extension and have the server execute commands when it tried to convert the supposed image.
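The core of the bug is that the file extension said "GIF" while the leading bytes said "PostScript", and the converter trusts the bytes. The following upload check, an added example written for this article and not code from the Basecamp report or from ImageMagick, makes the same decision from the magic bytes before anything reaches the converter. The extension allow-list and the signature tables are assumptions taken from the public file-format specifications.

```python
"""Reject uploads whose bytes say PostScript/PDF even when the name says image.

Added example for this article; not code from the Basecamp report or from
ImageMagick. The allow-list and magic-byte tables below are assumptions
taken from the public file-format specifications.
"""
import os
from typing import Tuple

# Headers that make ImageMagick hand a file to its Ghostscript delegate:
# plain PostScript/EPS, the DOS EPS binary wrapper, and PDF.
POSTSCRIPT_LIKE_MAGIC = (
    b"%!",                # PostScript / EPS text header
    b"\x04%!",            # the same, preceded by a Ctrl-D some print drivers emit
    b"\xc5\xd0\xd3\xc6",  # DOS EPS binary header
    b"%PDF-",             # PDF
)

# Allowed extensions and the signature each one's content must start with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate profile image upload.

    The extension is only checked against an allow-list; the decision about
    what the file *is* comes from its leading bytes, which is also what
    ImageMagick looks at when it picks a coder.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_MAGIC:
        return False, f"extension {ext!r} is not an allowed image type"
    # Dangerous signatures first: this is the "EPS renamed to .gif" case.
    if any(data.startswith(magic) for magic in POSTSCRIPT_LIKE_MAGIC):
        return False, "PostScript/PDF header found behind an image extension"
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return False, f"content does not carry a {ext} signature"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: a harmless GIF header, an EPS payload renamed to
    # .gif, a GIF mislabelled as PNG, and a PostScript file with an honest name.
    samples = {
        "avatar.gif": b"GIF89a" + b"\x00" * 16,
        "avatar2.gif": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n",
        "avatar.png": b"GIF89a" + b"\x00" * 16,
        "report.ps": b"%!PS-Adobe-3.0\n",
    }
    for name, content in samples.items():
        print(name, check_upload(name, content))
```

This check is defence in depth, not the fix: ImageMagick ignores the extension and sniffs the bytes itself, so a renamed EPS still reaches Ghostscript unless the converter's policy forbids it. Keep the allow-list short, and never pass the user-supplied name to the converter in a way that forces a format (ImageMagick's `gif:` style prefix) without having validated the content first.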

The bug received a critical severity rating, corresponding to a score in the 9.0 to 10.0 range.

$5000 Bounty Awarded

The researcher discovered and reported this bug roughly two years ago via HackerOne. Following the report, Basecamp addressed the bug by disallowing the libgs-based PS and PDF coders in the ImageMagick security policy, so that ImageMagick refuses such input instead of handing it to Ghostscript.
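The fix lives in ImageMagick's policy.xml rather than in application code: a coder entry with rights="none" makes ImageMagick refuse the file before any delegate runs. The checker below is an added example written for this article; it is not Basecamp's own policy file (the report does not publish it) and not ImageMagick code. The two sample policies are constructed, and the coder list assumes the standard set of libgs-backed coders (PS, PS2, PS3, EPS, PDF, XPS).

```python
"""Check an ImageMagick policy.xml for the Ghostscript-backed coders.

Added example for this article; not Basecamp's actual policy file and not
ImageMagick code. The sample policies are constructed; the coder names are
the ones ImageMagick renders through libgs.
"""
import fnmatch
import xml.etree.ElementTree as ET
from typing import List, Union

# Coders ImageMagick hands to Ghostscript. The report names PS and PDF; the
# rest are the other libgs-backed coders and should be disabled alongside them.
GHOSTSCRIPT_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS")

# Constructed sample: resource limits only, every coder still allowed.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

# Constructed sample of the fix the report describes: each libgs coder gets
# rights="none", so ImageMagick refuses the file before Ghostscript is invoked.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PS"/>
  <policy domain="coder" rights="none" pattern="PS2"/>
  <policy domain="coder" rights="none" pattern="PS3"/>
  <policy domain="coder" rights="none" pattern="EPS"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="coder" rights="none" pattern="XPS"/>
</policymap>"""


def _expand_pattern(pattern: str) -> List[str]:
    """Split an ImageMagick brace group such as {PS,EPS,PDF} into its members."""
    pattern = pattern.strip()
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip() for p in pattern[1:-1].split(",")]
    return [pattern]


def ghostscript_coders_still_enabled(policy_xml: Union[str, bytes]) -> List[str]:
    """Return the libgs-backed coders that no rights="none" entry disables.

    Conservative reading of the policy: only domain="coder" entries with
    rights="none" count as disabling, and glob patterns ("*", "PS*") are
    honoured. Entries that re-grant rights later are not modelled.
    """
    if isinstance(policy_xml, str):
        # Bytes keep ElementTree happy when the file carries an encoding declaration.
        policy_xml = policy_xml.encode("utf-8")
    root = ET.fromstring(policy_xml)
    enabled = list(GHOSTSCRIPT_CODERS)
    for entry in root.iter("policy"):
        if entry.get("domain") != "coder" or entry.get("rights") != "none":
            continue
        for pat in _expand_pattern(entry.get("pattern", "")):
            pat = pat.upper()
            enabled = [c for c in enabled if not fnmatch.fnmatchcase(c, pat)]
    return enabled


def ghostscript_coders_still_enabled_in_file(path: str) -> List[str]:
    """Same check against an on-disk policy.xml."""
    with open(path, "rb") as fh:
        return ghostscript_coders_still_enabled(fh.read())


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, "still enabled:", ghostscript_coders_still_enabled(policy))
```

On a Debian-style install the file is commonly /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml; `identify -list policy` prints the policy ImageMagick actually loaded, which is the value worth checking after a deploy. Disabling the coders is independent of, and should be done in addition to, patching Ghostscript itself.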

For reporting this flaw, Basecamp awarded the researcher a $5,000 bounty.

Although the bug report shows that Basecamp patched the vulnerability soon after it was reported, the flaw was only publicly disclosed recently.

Basecamp had been running a private vulnerability disclosure program since 2014, under which it invited select hackers to find bugs. After years of running that program, Basecamp recently expanded it into a public bug bounty program open to all researchers.

Under this program, Basecamp offers rewards of up to $10,000 for the most critical vulnerabilities, while the lowest reward is $100 for low-severity bugs.
