CVE-2016-7976

Published: 07/08/2017 Updated: 04/11/2017
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 721
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote malicious users to execute arbitrary code via crafted userparams.

Vendor Advisories

The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attackers to execute arbitrary code via crafted userparams ...
Ghostscript could be made to crash, run programs, or disclose sensitive information if it processed a specially crafted file ...
Debian Bug report logs - #839260 ghostscript: CVE-2016-7976: various userparams allow %pipe% in paths, allowing remote shell command execution. Package: ghostscript; Maintainer for ghostscript is Debian Printing Team <debian-printing@lists.debian.org>; Source for ghostscript is src:ghostscript (PTS, buildd, popcon). Reported b ...
Debian Bug report logs - #839841 ghostscript: CVE-2016-7977: libfile doesn't check PermitFileReading array, allowing remote file disclosure. Package: ghostscript; Maintainer for ghostscript is Debian Printing Team <debian-printing@lists.debian.org>; Source for ghostscript is src:ghostscript (PTS, buildd, popcon). Reported by: ...
Debian Bug report logs - #840451 ghostscript: CVE-2016-8602. Package: src:ghostscript; Maintainer for src:ghostscript is Debian Printing Team <debian-printing@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 11 Oct 2016 17:21:02 UTC; Severity: grave; Tags: patch, security, upstream. Fo ...
Several vulnerabilities were discovered in Ghostscript, the GPL PostScript/PDF interpreter, which may lead to the execution of arbitrary code or information disclosure if a specially crafted PostScript file is processed. For the stable distribution (jessie), these problems have been fixed in version 9.06~dfsg-2+deb8u3. We recommend that you upgrade ...
Debian Bug report logs - #839846 ghostscript: CVE-2016-7979: type confusion in initialize_dsc_parser allows remote code execution. Package: src:ghostscript; Maintainer for src:ghostscript is Debian Printing Team <debian-printing@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 5 Oct ...
Debian Bug report logs - #839845 ghostscript: CVE-2016-7978: reference leak in setdevice allows use-after-free and remote code execution. Package: src:ghostscript; Maintainer for src:ghostscript is Debian Printing Team <debian-printing@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, ...
Debian Bug report logs - #839118 ghostscript: CVE-2013-5653: getenv and filenameforall ignore -dSAFER. Package: ghostscript; Maintainer for ghostscript is Debian Printing Team <debian-printing@lists.debian.org>; Source for ghostscript is src:ghostscript (PTS, buildd, popcon). Reported by: Florian Weimer <fw@deneb.enyo.de> ...
Oracle Solaris Third Party Bulletin - July 2018. Description: The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical P ...

Metasploit Modules

ImageMagick Delegate Arbitrary Command Execution

This module exploits a shell command injection in the way "delegates" (commands for converting files) are processed in ImageMagick versions <= 7.0.1-0 and <= 6.9.3-9 (legacy). Since ImageMagick uses file magic to detect file format, you can create a .png (for example) which is actually a crafted SVG (for example) that triggers the command injection. The PostScript (PS) target leverages a Ghostscript -dSAFER bypass (discovered by taviso) to achieve RCE in the Ghostscript delegate. Ghostscript versions 9.18 and later are affected. This target is provided as is and will not be updated to track additional vulns. For more recent Ghostscript vectors, please see the following modules:

exploit/multi/fileformat/ghostscript_failed_restore
exploit/unix/fileformat/ghostscript_type_confusion

If USE_POPEN is set to true, a |-prefixed command will be used for the exploit. No delegates are involved in this exploitation.

msf > use exploit/unix/fileformat/imagemagick_delegate
msf exploit(imagemagick_delegate) > show targets
      ...targets...
msf exploit(imagemagick_delegate) > set TARGET <target-id>
msf exploit(imagemagick_delegate) > show options
      ...show and set options...
msf exploit(imagemagick_delegate) > exploit

Github Repositories

HTTP file upload scanner for Burp Proxy

UploadScanner Burp extension: A Burp Suite Pro extension to do security tests for HTTP file uploads. Table of Contents: Abstract; Main feature; Installation; Tutorials; About; Background information and FAQ; TL;DR and important infos; Basics; Checklist; I broke the website, omg, what did I do?; Limitations; Detecting issues; Detecting successful uploads; FlexiInjector - Detecting requests