Update Ghostscript/ImageMagick modules

rapid7 · Apr 23, 2019 · aa9a111 · aa9a111
1 parent 79cf2e7
commit aa9a111
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 17 deletions.
diff --git a/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb b/modules/exploits/multi/fileformat/ghostscript_failed_restore.rb
@@ -22,12 +22,7 @@ def initialize(info = {})
         arbitrary commands by handling a failed restore (grestore) in
         PostScript to disable LockSafetyParams and avoid invalidaccess.
 
-        This vulnerability is reachable via libraries such as ImageMagick,
-        and this module provides the latest vector for Ghostscript.
-
-        For previous Ghostscript vectors, please see the following modules:
-          exploit/unix/fileformat/ghostscript_type_confusion
-          exploit/unix/fileformat/imagemagick_delegate
+        This vulnerability is reachable via libraries such as ImageMagick.
       },
       'Author'         => [
         'Tavis Ormandy', # Vuln discovery and exploit
@@ -61,7 +56,13 @@ def initialize(info = {})
           'Type'       => :linux_dropper
         ]
       ],
-      'DefaultTarget'  => 0
+      'DefaultTarget'  => 0,
+      'Notes'          => {
+        'RELATED'      => [
+          'exploit/unix/fileformat/ghostscript_type_confusion',
+          'exploit/unix/fileformat/imagemagick_delegate'
+        ]
+      }
     ))
 
     register_options([

diff --git a/modules/exploits/unix/fileformat/ghostscript_type_confusion.rb b/modules/exploits/unix/fileformat/ghostscript_type_confusion.rb
@@ -16,15 +16,12 @@ def initialize(info = {})
         be exploited to obtain arbitrary command execution. This vulnerability affects
         Ghostscript versions 9.21 and earlier and can be exploited through libraries
         such as ImageMagick and Pillow.
-
-        For more recent Ghostscript vectors, please see the following modules:
-          exploit/multi/fileformat/ghostscript_failed_restore
       },
       'Author'         => [
         'Atlassian Security Team', # Vulnerability discovery
         'hdm'                      # Metasploit module
       ],
-      'References'      => [
+      'References'     => [
         %w{CVE 2017-8291},
         %w{URL https://bugs.ghostscript.com/show_bug.cgi?id=697808},
         %w{URL https://seclists.org/oss-sec/2017/q2/148},
@@ -44,7 +41,11 @@ def initialize(info = {})
       ],
       'DefaultTarget'  => 0,
       'Notes'          => {
-        'AKA'          => [ 'ghostbutt' ]
+        'AKA'          => ['ghostbutt'],
+        'RELATED'      => [
+          'exploit/multi/fileformat/ghostscript_failed_restore',
+          'exploit/unix/fileformat/imagemagick_delegate'
+        ]
       }
     ))
 

diff --git a/modules/exploits/unix/fileformat/imagemagick_delegate.rb b/modules/exploits/unix/fileformat/imagemagick_delegate.rb
@@ -25,10 +25,6 @@ def initialize(info = {})
         Ghostscript versions 9.18 and later are affected. This target is
         provided as is and will not be updated to track additional vulns.
 
-        For more recent Ghostscript vectors, please see the following modules:
-          exploit/multi/fileformat/ghostscript_failed_restore
-          exploit/unix/fileformat/ghostscript_type_confusion
-
         If USE_POPEN is set to true, a |-prefixed command will be used for the
         exploit. No delegates are involved in this exploitation.
       },
@@ -63,7 +59,13 @@ def initialize(info = {})
         ['PS file',  template: 'msf.ps']   # PoC from taviso
       ],
       'DefaultTarget'  => 0,
-      'Notes'          => {'AKA' => ['ImageTragick']}
+      'Notes'          => {
+        'AKA'          => ['ImageTragick'],
+        'RELATED'      => [
+          'exploit/unix/fileformat/ghostscript_type_confusion',
+          'exploit/multi/fileformat/ghostscript_failed_restore'
+        ]
+      }
     ))
 
     register_options([