Basecamp has recently disclosed a critical vulnerability that could have allowed remote code execution attacks. Fortunately, Basecamp had already deployed a fix, and the bug no longer exists.
Critical Basecamp RCE Vulnerability
A security researcher found a critical vulnerability in the Basecamp platform that allowed remote code execution. According to the details, the bug affected the profile image feature, specifically the image upload function.
A critical flaw in Basecamp's profile image upload function leads to remote command execution. Images are converted on the server side, and not only image files but also PostScript/EPS files are accepted (if renamed to .gif). This is probably due to ImageMagick / GraphicsMagick being used for image conversion, which calls a PostScript interpreter (Ghostscript) if the input file starts with '%!'. The Ghostscript version in use, however, had a security bug.
Thus, an adversary could upload malicious files with fake image file extensions and execute commands on the server.
The bug received a critical severity rating with a score of 9 to 10.
$5000 Bounty Awarded
The researcher discovered and reported this bug roughly 2 years ago via HackerOne. Following his report, Basecamp addressed the bug by disallowing the libgs-based PS and PDF coders in the ImageMagick security policy.
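An added example, not Basecamp's code and not part of the bug report, of the content check the description above implies: trust the leading bytes of an upload rather than its extension, and refuse anything carrying the '%!' PostScript or '%PDF-' signature before it reaches an image converter. Basecamp's actual fix, as stated above, was in the ImageMagick security policy; this check is a complementary layer, and its function names and sample inputs are constructed for the example.

```python
from typing import Optional, Tuple

# Raster signatures we are willing to accept for a profile image.
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

# Leading bytes that make ImageMagick hand the file to a PostScript/PDF
# delegate (Ghostscript) regardless of the file name.
DELEGATE_SIGNATURES = (b"%!", b"%PDF-")


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the raster format named by the magic bytes, or None."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only when the magic bytes name a
    raster format *and* agree with the declared extension."""
    # Be conservative: catch the signature even if whitespace precedes it.
    head = data.lstrip()
    if any(head.startswith(sig) for sig in DELEGATE_SIGNATURES):
        return False, "postscript/pdf content disguised as an image"
    kind = sniff_image_type(data)
    if kind is None:
        return False, "unrecognised image signature"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "jpg":
        ext = "jpeg"
    if ext != kind:
        return False, f"extension .{ext} does not match content ({kind})"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads: a real GIF and an EPS renamed to .gif.
    samples = {
        "avatar.gif": b"GIF89a" + b"\x00" * 16,
        "renamed.gif": b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 1 1\n",
    }
    for name, blob in samples.items():
        print(name, validate_upload(name, blob))
```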
For reporting this flaw, Basecamp awarded the researcher with a $5000 bounty.
The bug report shows that Basecamp had patched the vulnerability much earlier; however, they publicly disclosed the flaw only recently.
Basecamp had been running a private vulnerability disclosure program since 2014, under which they invited select hackers to find bugs. After years of running this program, Basecamp recently expanded it into a public bug bounty program open to all researchers.
Under this program, Basecamp has set rewards of up to $10,000 for the most critical vulnerabilities, while the lowest reward is up to $100 for low-severity bugs.