CVSSv2: 9.3

CVE-2018-16509

Published: 05/09/2018 Updated: 07/11/2023
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 937
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

An issue exists in Artifex Ghostscript prior to 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction.

Vulnerable Products

Debian Linux 8.0
Debian Linux 9.0
Artifex Ghostscript
Canonical Ubuntu Linux 16.04
Canonical Ubuntu Linux 14.04
Canonical Ubuntu Linux 18.04
Red Hat Enterprise Linux Desktop 7.0
Red Hat Enterprise Linux Workstation 7.0
Red Hat Enterprise Linux Server 7.0
Red Hat Enterprise Linux Desktop 6.0
Red Hat Enterprise Linux Server 6.0
Red Hat Enterprise Linux Workstation 6.0
Red Hat Enterprise Linux Server EUS 7.5
Artifex GPL Ghostscript

Vendor Advisories

Several security issues were fixed in Ghostscript ...
Synopsis: Important: ghostscript security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update for ghostscript is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Syste ...
Synopsis: Important: ghostscript security update. Type/Severity: Security Advisory: Important. Topic: An update for ghostscript is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) bas ...
Synopsis: Important: ghostscript security update. Type/Severity: Security Advisory: Important. Topic: An update for ghostscript is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) bas ...
Debian Bug report logs - #908304 ghostscript: CVE-2018-16510. Package: src:ghostscript; Maintainer for src:ghostscript is Debian Printing Team <debian-printing@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 8 Sep 2018 08:57:09 UTC; Severity: grave; Tags: patch, security, upstream F ...
Debian Bug report logs - #908305 ghostscript: CVE-2018-16585. Package: src:ghostscript; Maintainer for src:ghostscript is Debian Printing Team <debian-printing@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 8 Sep 2018 09:06:02 UTC; Severity: grave; Tags: patch, security, upstream F ...
Debian Bug report logs - #908303 ghostscript: CVE-2018-16543. Package: src:ghostscript; Maintainer for src:ghostscript is Debian Printing Team <debian-printing@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 8 Sep 2018 08:57:05 UTC; Severity: grave; Tags: patch, security, upstream F ...
It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document (CVE-2018-16509) ...
It was discovered that the ghostscript shfill operator did not properly validate certain types. An attacker could possibly exploit this to bypass the -dSAFER protection and crash ghostscript or, possibly, execute arbitrary code in the ghostscript context via a specially crafted PostScript document (CVE-2018-15909). An issue was discovered in Artife ...
It was discovered that the ghostscript /invalidaccess checks fail under certain conditions. An attacker could possibly exploit this to bypass the -dSAFER protection and, for example, execute arbitrary shell commands via a specially crafted PostScript document ...

Exploits

##
# This module requires Metasploit: metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit
  Rank = ExcellentRanking

  PLACEHOLDER_STRING = 'metasploit'
  PLACEHOLDER_COMMAND = 'echo vulnerable > /dev/tty'

  include Msf::Exploit::FILEFORMAT
  include Msf ...

Github Repositories

Python bind shell single line code for both Unix and Windows, used to find and exploit RCE (ImageMagick, Ghostscript, ...)

Python one-liner bind shell. The host command (to create a bind shell), Unix: python -c "(lambda __g, __y, __contextlib: [[[[(s.bind(('0.0.0.0', 4242)), (s.listen(5), [(lambda __after: [[[(lambda __after: [__after() for __g['u'] in [('system32')]][0] if ctypes.windll.shell32.IsUserAnAdmin() else __after())(lambda: [(c.send('%s(c) Microsoft

exploit..

CVE_2018_16509 exploit. Usage: change the path to your cmd (the exfile file on the server demo). Credits/info: github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509, github.com/ysrc/PIL-RCE-By-GhostButt

PoC + Docker Environment for Python PIL/Pillow Remote Shell Command Execution via Ghostscript CVE-2018-16509

Python PIL/Pillow Remote Shell Command Execution via Ghostscript CVE-2018-16509. Inspired by github.com/ysrc/PIL-RCE-By-GhostButt (PIL/Pillow RCE via CVE-2017-8291). This Docker environment version uses the newer version of Ghostscript (v9.23) and the newer exploit (CVE-2018-16509). Ghostscript is a suite of software based on an interpreter for Adobe Systems PostScript a

CVE-2018-16509 Docker Playground - Ghostscript command execution

CVE-2018-16509 Docker Playground. "An issue was discovered in Artifex Ghostscript before 9.24. Incorrect "restoration of privilege" checking during handling of /invalidaccess exceptions could be used by attackers able to supply crafted PostScript to execute code using the "pipe" instruction" nvd.nist.gov/vuln/detail/CVE-2018-16509 a

WEB: Templeted (Flask/Jinja2 Template Injection). Flask/Jinja2 Template Injection payload: <ip_address>/{{request.application.__globals__.__builtins__.__import__('os').popen('cat flag.txt').read()}}. Phonebook: LDAP Injection, bypass login using *:* credentials, get reese's password -> flag:

CVE-2018-16509 (Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities)

CVE-2018-16509: Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities. Run: $ docker run -d --name cve-2018-16509 -p 9000:9000 cve-2018-16509

cve-2018-16509

CVE-2018-16509. This is part of Cved, a tool to manage vulnerable Docker containers. Cved: github.com/git-rep-src/cved. Image source: github.com/cved-sources/cve-2018-16509. Image author: github.com/knqyf263/CVE-2018-16509