From 692ddc8b8b18d788aada962dbb226823c02c026f Mon Sep 17 00:00:00 2001
From: William Vu
Date: Wed, 5 Sep 2018 16:55:46 -0500
Subject: [PATCH] Eschew updating imagemagick_delegate

The hype is over, and the target was provided as a bonus. Now update the module language to reflect that.
---
 .../multi/fileformat/ghostscript_failed_restore.rb | 7 +++++++
 .../exploits/unix/fileformat/ghostscript_type_confusion.rb | 5 ++++-
 modules/exploits/unix/fileformat/imagemagick_delegate.rb | 7 ++++++-
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb b/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb
index 5e9fb75c51..1a2a12fcd6 100644
--- a/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb
+++ b/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb
@@ -20,6 +20,13 @@ class MetasploitModule < Msf::Exploit
 This module exploits a -dSAFER bypass in Ghostscript to execute arbitrary commands by handling a failed restore (grestore) in PostScript to disable LockSafetyParams and avoid invalidaccess.
+
+ This vulnerability is reachable via libraries such as ImageMagick,
+ and this module provides the latest vector for Ghostscript.
+
+ For previous Ghostscript vectors, please see the following modules:
+ exploit/unix/fileformat/ghostscript_type_confusion
+ exploit/unix/fileformat/imagemagick_delegate
 }, 'Author' => [ 'Tavis Ormandy', # Vuln discovery and exploit
diff --git a/modules/exploits/unix/fileformat/ghostscript_type_confusion.rb b/modules/exploits/unix/fileformat/ghostscript_type_confusion.rb
index 83bdb73b30..73d5e59c02 100644
--- a/modules/exploits/unix/fileformat/ghostscript_type_confusion.rb
+++ b/modules/exploits/unix/fileformat/ghostscript_type_confusion.rb
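Review bot: The added line `and this module provides the latest vector for Ghostscript.` is a claim that expires with the next Ghostscript module, and nothing in the description would prompt anyone to revisit it; this commit itself exists because an earlier module's description fell behind. Anchoring the claim to a date keeps it true indefinitely, e.g. `and this module provides the most recent vector as of September 2018.` (the commit date). The hand-maintained cross-reference list added here, and the matching lists in the other two hunks, have to be edited in every module each time one is added or retired; a comment above the `'Description'` key such as `# Keep the module cross-references below in sync with ghostscript_type_confusion and imagemagick_delegate` would at least make that coupling visible. The description block continues outside the hunk.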
@@ -14,8 +14,11 @@ class MetasploitModule < Msf::Exploit
 'Description' => %q{
 This module exploits a type confusion vulnerability in Ghostscript that can be exploited to obtain arbitrary command execution. This vulnerability affects
- Ghostscript version 9.21 and earlier and can be exploited through libraries
+ Ghostscript versions 9.21 and earlier and can be exploited through libraries
 such as ImageMagick and Pillow.
+
+ For more recent Ghostscript vectors, please see the following modules:
+ exploit/multi/fileformat/ghostscript_failed_restore
 }, 'Author' => [ 'Atlassian Security Team', # Vulnerability discovery
diff --git a/modules/exploits/unix/fileformat/imagemagick_delegate.rb b/modules/exploits/unix/fileformat/imagemagick_delegate.rb
index 7619cbda7c..c875e5a097 100644
--- a/modules/exploits/unix/fileformat/imagemagick_delegate.rb
+++ b/modules/exploits/unix/fileformat/imagemagick_delegate.rb
@@ -22,7 +22,12 @@ class MetasploitModule < Msf::Exploit
 The PostScript (PS) target leverages a Ghostscript -dSAFER bypass (discovered by taviso) to achieve RCE in the Ghostscript delegate.
- Ghostscript versions 9.18 and later are affected.
+ Ghostscript versions 9.18 and later are affected. This target is
+ provided as is and will not be updated to track additional vulns.
+
+ For more recent Ghostscript vectors, please see the following modules:
+ exploit/multi/fileformat/ghostscript_failed_restore
+ exploit/unix/fileformat/ghostscript_type_confusion
 If USE_POPEN is set to true, a |-prefixed command will be used for the exploit. No delegates are involved in this exploitation.
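Review bot: The new line `For more recent Ghostscript vectors, please see the following modules:` introduces a list with exactly one entry, so the plural reads as if an entry was dropped; `For more recent Ghostscript vectors, please see the following module:` matches the list as written. If the plural is deliberate because the list is expected to grow, it will need the same per-module upkeep as the lists added to the other two files in this commit. The description block continues outside the hunk.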
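Review bot: `Ghostscript versions 9.18 and later are affected.` is kept unbounded in the same sentence that now declares the target frozen, so the description promises that every future Ghostscript release is vulnerable to a bypass this module will never be re-verified against. Bounding the range to what the target was actually tested on removes that contradiction, e.g. `Ghostscript versions 9.18 through [LAST VERIFIED VERSION] are affected.` with the placeholder replaced by the real version. The `will not be updated to track additional vulns` statement is also maintainer-facing, so a comment beside the PS target definition (outside this hunk) would reach a contributor editing the targets without them reading the user-facing description. The description block continues outside the hunk.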