OFFSITE.DARK
← Signals

Jun 29, 2026

1 min

Sploitus / Exploitarium

  • imagemagick
  • ghostscript
  • windows
  • exploitarium

news

ImageMagick Ghostscript Delegate Path Hijack

Bare `gswin64c.exe` delegate on Windows resolves from CWD — planted binary executes when processing PDF/PS in attacker-writable directory.

Summary

Bare gswin64c.exe delegate on Windows resolves from CWD — planted binary executes when processing PDF/PS in attacker-writable directory. This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.

Key Findings

FindingDetail
Product / targetImageMagick 7.1.2-25 + Ghostscript 10.07.1 (Windows)
PrimitiveUnqualified executable name in Ghostscript delegate command
ImpactArbitrary code execution as user running convert/magick from hijackable working directory.

Attack Chain

Drop fake gswin64c.exe in CWD → process PDF → helper launches instead of real GS

Mitigation

Use full Ghostscript paths; run conversions from non-writable directories; MAGICK_GHOSTSCRIPT_PATH hardening.

Related Signals

Sources

→ Source