← Signals
- imagemagick
- ghostscript
- windows
- exploitarium
news
ImageMagick Ghostscript Delegate Path Hijack
Bare `gswin64c.exe` delegate on Windows resolves from CWD — planted binary executes when processing PDF/PS in attacker-writable directory.
Summary
Bare gswin64c.exe delegate on Windows resolves from CWD — planted binary executes when processing PDF/PS in attacker-writable directory. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | ImageMagick 7.1.2-25 + Ghostscript 10.07.1 (Windows) |
| Primitive | Unqualified executable name in Ghostscript delegate command |
| Impact | Arbitrary code execution as user running convert/magick from hijackable working directory. |
Attack Chain
Drop fake gswin64c.exe in CWD → process PDF → helper launches instead of real GS
Mitigation
Use full Ghostscript paths; run conversions from non-writable directories; MAGICK_GHOSTSCRIPT_PATH hardening.