Associated Vulnerability
Title: Artifex Ghostscript security vulnerability (CVE-2017-8291)
Description: Artifex Ghostscript is an open-source PostScript interpreter from the US company Artifex Software (PostScript is a page description and programming language used in the electronics industry and in desktop publishing); it can display PostScript files and print them on non-PostScript printers. Artifex Ghostscript versions up to and including the 2017-04-26 release contain a security vulnerability. A remote attacker can exploit it with a crafted .eps document to execute commands.
Description
CVE-2017-8291 CTF with docker and examples
Readme
# Python PIL Remote Command Execution Vulnerability (GhostButt)
The PIL (Pillow) image-processing module for Python is affected by the GhostButt vulnerability (CVE-2017-8291) because it invokes GhostScript internally, which turns a GhostScript sandbox bypass into a remote command execution vulnerability in any application that loads untrusted images with PIL.
## Vulnerability Summary
PIL determines the image type from the file header (magic bytes), not from the file name. If the content is recognised as an EPS file (header `%!PS`), it is dispatched to `PIL/EpsImagePlugin.py` for processing.
In that module, PIL runs the system `gs` command, i.e. GhostScript, to rasterise the image:
```python
import os
import subprocess

from PIL import Image

# Excerpt of PIL/EpsImagePlugin.py showing the Ghostscript invocation.
# size, res, bbox, infile and outfile are computed by the plugin before this point.
command = [
    "gs",
    "-q",                          # quiet mode
    "-g%dx%d" % size,              # set output geometry (pixels)
    "-r%fx%f" % res,               # set input DPI (dots per inch)
    "-dBATCH",                     # exit after processing
    "-dNOPAUSE",                   # don't pause between pages
    "-dSAFER",                     # safe mode
    "-sDEVICE=ppmraw",             # ppm driver
    "-sOutputFile=%s" % outfile,   # output file
    "-c", "%d %d translate" % (-bbox[0], -bbox[1]),  # adjust for image origin
    "-f", infile,                  # input file
]
# Omitted: the code that checks whether GhostScript is installed
try:
    with open(os.devnull, "w+b") as devnull:
        subprocess.check_call(command, stdin=devnull, stdout=devnull)
    im = Image.open(outfile)
finally:
    # the plugin removes its temporary output file here
    try:
        os.unlink(outfile)
    except OSError:
        pass
```
Although `-dSAFER` (safe mode) is set, a sandbox bypass in GhostScript (GhostButt, CVE-2017-8291) lets a crafted file escape that mode and execute arbitrary commands.
Moreover, at the time of writing the latest official GhostScript release, 9.21, is still affected, so as long as GhostScript is installed on the operating system, PIL effectively has a command execution vulnerability.
## Vulnerability Testing
Start the test environment:
```
docker-compose up -d
```
Once it is up, visit `http://your-ip:8000/` to see an upload page. Its normal function is to accept an uploaded PNG, have the backend load it with PIL, and return the image's width and height. However, an EPS file containing a command can be renamed with a `.png` suffix and uploaded: because the backend determines the image type from the file header, the suffix check is bypassed.
For example, uploading [poc.png](poc.png) executes `touch /tmp/youhavebeenpwned`. Replace the command in the POC with a reverse shell command to obtain a shell:
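The root cause on the application side is that the upload handler trusts the file suffix while PIL dispatches on the header. The following is an added example, not the project's `app.py` nor Pillow code, of a pre-check a backend can run before handing bytes to PIL: it sniffs the header the way PIL's plugins do (the two EPS signatures are the ones that route a file to `EpsImagePlugin` and thus to `gs`) and rejects any upload whose header does not match an allow-listed extension. The sample byte strings are constructed for the example.

```python
import os
import struct

# Header signatures as sniffed by PIL's plugins.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
EPS_TEXT_MAGIC = b"%!PS"
EPS_DOS_BINARY_MAGIC = 0xC6D3D0C5   # little-endian int of bytes C5 D0 D3 C6

# Only raster formats that never reach Ghostscript are allowed.
ALLOWED = {".png": "PNG", ".jpg": "JPEG", ".jpeg": "JPEG"}


def sniff_format(data: bytes) -> str:
    """Classify an upload by its header, ignoring the file name entirely."""
    if data.startswith(PNG_MAGIC):
        return "PNG"
    if data.startswith(JPEG_MAGIC):
        return "JPEG"
    if data.startswith(EPS_TEXT_MAGIC):
        return "EPS"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == EPS_DOS_BINARY_MAGIC:
        return "EPS"   # DOS EPS binary wrapper, also handled by EpsImagePlugin
    return "UNKNOWN"


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Accept only when suffix and header agree."""
    ext = os.path.splitext(filename)[1].lower()
    expected = ALLOWED.get(ext)
    if expected is None:
        return False, "extension not allowed"
    actual = sniff_format(data)
    if actual != expected:
        return False, "header says %s, extension says %s" % (actual, expected)
    return True, actual


# Constructed samples: a genuine PNG header fragment, and a PostScript file
# renamed to .png, which is the shape of the upload this page describes.
GOOD_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
FAKE_PNG = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 1 1\n"

if __name__ == "__main__":
    print(validate_upload("photo.png", GOOD_PNG))   # (True, 'PNG')
    print(validate_upload("poc.png", FAKE_PNG))     # rejected: header/extension mismatch
```

Run this before `Image.open()`; it is a cheap first gate and does not replace upgrading Ghostscript.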
File Snapshot
[4.0K] /data/pocs/c198672d939e284381644db2ef7b580be4b18d37
├── [2.2K] app.py
├── [4.3K] detail_README.md
├── [ 189] docker-compose.yml
├── [ 25] flag.txt
├── [ 18K] LICENSE
├── [1.9K] poc_ctf.png
├── [1.8K] poc.png
├── [2.4K] README.md
└── [7.2K] RUN.md
0 directories, 9 files