[UNIX] Vulnerability in GNOME's Eye of Gnome
From: support@securiteam.com
Date: 03/29/03
From: support@securiteam.com
To: list@securiteam.com
Date: 29 Mar 2003 20:11:22 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Vulnerability in GNOME's Eye of Gnome
------------------------------------------------------------------------
SUMMARY
The Eye of Gnome (EOG for short) is an image viewer, as well as an
image-cataloging program. EOG is part of the GNOME desktop and is bundled
with all major Linux distributions.
A vulnerability was found in the application that could lead to the
execution of arbitrary code with the privileges of the user running EOG.
This vulnerability can be exploited from within email clients (MUAs) that
use EOG as default for image viewing.
DETAILS
Vulnerable systems:
Version 2.2.0 and previous versions are vulnerable.
Technical Description - Exploit/Concept Code:
EOG receives the filename of the image to display as a command line
argument. The program fails to validate this argument and uses it where a
format string is expected, so format specifiers embedded in the filename
are interpreted. By providing a specially crafted filename, an attacker
could force EOG to execute arbitrary commands with the privileges of the
user running it.
The following line demonstrates the problem:
$ /usr/bin/eog this_is_an_invalid_file_%n%n
After which EOG will crash with the following message:
"Application "eog" (process 4420) has crashed due to a fatal error
(Segmentation Fault)"
Please visit the GNOME Application Crash page for more information
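The crash above is the signature of a format string bug: a string the user controls is handed to a printf-style formatter as the format rather than as a "%s" argument, and "%n" then makes the formatter write to memory. The following C program is an added illustration of that bug class and its fix; it is not Eye of Gnome's source, and the helper show_message(), the functions report_unsafe(), report_safe() and looks_like_format_string(), and the sample names are all constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Eye of Gnome's code. It models the bug class in the
 * advisory: a filename from argv reaches a printf-style formatter as the
 * FORMAT argument instead of as a "%s" parameter. */

static char last_message[256];   /* stand-in for a GUI error dialog */

/* A g_warning-like helper (hypothetical): formats into last_message.
 * Because it carries no format attribute, the compiler cannot tell when a
 * caller passes untrusted text as the format. */
static void show_message(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_message, sizeof last_message, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the untrusted name IS the format string.
 * Harmless for ordinary names, which is why the bug survives testing;
 * a name containing %n would make vsnprintf write through a bogus pointer
 * and crash exactly as EOG does. Shown for contrast only. */
const char *report_unsafe(const char *filename)
{
    show_message(filename);
    return last_message;
}

/* Hardened pattern: a literal format, the name passed as data.
 * Any '%' in the name is now copied through unchanged. */
const char *report_safe(const char *filename)
{
    show_message("Could not open '%s'", filename);
    return last_message;
}

/* Defensive check for code review or input logging: does a string contain a
 * printf conversion ("%n", "%x", "%-10s", ...)? "%%" is a literal percent
 * and does not count. This complements report_safe(); it does not replace it. */
int looks_like_format_string(const char *s)
{
    const char *p = s;
    while ((p = strchr(p, '%')) != NULL) {
        p++;                                    /* step over the '%' */
        if (*p == '%') { p++; continue; }       /* "%%" is a literal percent */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;                                /* flags, width, precision, length */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p))
            return 1;                           /* a real conversion follows */
        /* stray '%' with no conversion: keep scanning */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample names; the first is the one from the advisory. */
    const char *names[] = { "this_is_an_invalid_file_%n%n", "photo.gif", "100%%done.gif" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-32s format-like=%d  safe message: %s\n",
               names[i], looks_like_format_string(names[i]), report_safe(names[i]));
    /* The unsafe variant is only ever called with a benign name here. */
    printf("unsafe with benign input: %s\n", report_unsafe("photo.gif"));
    return 0;
}
```

Both report functions behave identically on "photo.gif", which is why a format string bug is invisible in everyday use. Declaring show_message() with GCC's format attribute would make the compiler flag the report_unsafe() call under -Wformat-security; the fix itself is always the literal-format form used in report_safe().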
Although this vulnerability does not seem relevant by itself, as we will
show below, it could be exploited by attackers that can force other users
to run eog on their behalf, either locally or remotely.
This vulnerability can be exploited, for example, by abusing Mail User
Agents that use /etc/mailcap entries to determine how to display images.
Some vendors are known to ship their /etc/mailcap with EOG as the default
image viewer.
The mailcap format is formally defined by RFC 1524. A mailcap file is a
configuration file that maps MIME types to external viewers (MIME is
defined by RFC 1521). It was originally aimed at mail user agents but was
later adopted by several other applications.
Under Red Hat 8.0, EOG is the default viewer when applications cannot
handle certain image formats:
-------- begin /etc/mailcap entry
###
### Begin Red Hat Mailcap
###
audio/mod; /usr/bin/mikmod %s
# play is apparently a security hole
#audio/*; /usr/bin/play %s
image/*; eog %s
------------ end /etc/mailcap entry
As shown above, EOG is used for all image MIME types; "image/gif" and
"image/tiff" are examples of valid MIME types that will be displayed using
EOG.
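The lookup that turns the entry above into an eog command line is simple enough to show in full. The following C program is an added example, not code from Mutt, Mozilla or any other MUA: it implements the parts of RFC 1524 that matter here (comment lines, first-match semantics, the "type/*" wildcard, and "%s" substitution) and runs them over a mailcap text constructed after the Red Hat entry quoted in the advisory. The function names mailcap_type_matches(), mailcap_lookup() and mailcap_expand() are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp, strncasecmp (POSIX) */

/* Added example, not any MUA's code: a minimal RFC 1524 mailcap lookup.
 * First matching entry wins, "type/*" matches every subtype, lines starting
 * with '#' are comments, and "%s" in the command receives the file name. */

/* Constructed after the /etc/mailcap excerpt quoted in the advisory. */
static const char *SAMPLE_MAILCAP =
    "###\n"
    "### Begin Red Hat Mailcap\n"
    "###\n"
    "audio/mod; /usr/bin/mikmod %s\n"
    "# play is apparently a security hole\n"
    "#audio/*; /usr/bin/play %s\n"
    "image/*; eog %s\n";

static void trim(char *s)
{
    char *start = s;
    while (isspace((unsigned char)*start)) start++;
    size_t len = strlen(start);
    while (len && isspace((unsigned char)start[len - 1])) len--;
    memmove(s, start, len);
    s[len] = '\0';
}

/* Does a mailcap type field ("image/*" or "image/gif") match a MIME type? */
int mailcap_type_matches(const char *pattern, const char *mime)
{
    size_t plen = strlen(pattern);
    if (plen >= 2 && strcmp(pattern + plen - 2, "/*") == 0)
        return strncasecmp(pattern, mime, plen - 1) == 0;   /* compare "type/" prefix */
    return strcasecmp(pattern, mime) == 0;
}

/* Find the command template for a MIME type. Returns 1 and copies the
 * template into cmd on success, 0 when no entry matches. */
int mailcap_lookup(const char *mailcap, const char *mime, char *cmd, size_t n)
{
    const char *line = mailcap;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = eol ? eol + 1 : line + len;

        trim(buf);
        if (buf[0] == '\0' || buf[0] == '#') continue;   /* blank line or comment */
        char *semi = strchr(buf, ';');
        if (!semi) continue;                              /* malformed: no command field */
        *semi = '\0';
        char *type = buf, *command = semi + 1;
        char *next = strchr(command, ';');                /* drop optional fields (test=, ...) */
        if (next) *next = '\0';
        trim(type);
        trim(command);
        if (mailcap_type_matches(type, mime)) {
            snprintf(cmd, n, "%s", command);
            return 1;
        }
    }
    return 0;
}

static void append(char *out, size_t n, size_t *used, const char *s, size_t len)
{
    while (len-- && *used + 1 < n) out[(*used)++] = *s++;
    out[*used] = '\0';
}

/* Substitute the file name for every "%s" in the template, as a MUA does.
 * The name goes in verbatim: eog receives exactly the name the sender chose,
 * which is how a filename reaches the vulnerable argument. Returns the length. */
int mailcap_expand(const char *tmpl, const char *filename, char *out, size_t n)
{
    size_t used = 0;
    out[0] = '\0';
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == 's') { append(out, n, &used, filename, strlen(filename)); p++; }
        else append(out, n, &used, p, 1);
    }
    return (int)used;
}

int main(void)
{
    const char *types[] = { "image/tiff", "image/gif", "audio/mod", "audio/wav" };
    char cmd[128], argv_line[256];
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        if (mailcap_lookup(SAMPLE_MAILCAP, types[i], cmd, sizeof cmd)) {
            mailcap_expand(cmd, "/tmp/%nbye.tif", argv_line, sizeof argv_line);   /* name from the advisory */
            printf("%-10s -> %-22s -> %s\n", types[i], cmd, argv_line);
        } else {
            printf("%-10s -> no mailcap entry\n", types[i]);
        }
    }
    return 0;
}
```

Running it shows why the entry is broad: image/tiff and image/gif both resolve to "eog %s" through the wildcard, audio/wav resolves to nothing because the only audio/* line is commented out, and the expanded command line carries the sender-chosen name unchanged. An administrator auditing a system can run the same lookup against the real /etc/mailcap to see which types still route to an unpatched viewer.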
Mutt and Mozilla are some of the applications that will use the
/etc/mailcap file, depending on the MIME type sent by the attacker.
Mozilla, for example, does not display TIFF images inside web pages. In
order to view them, the user must right-click the image, and the browser
will pop up a dialog box asking whether the user wants to save or view the
image. It is worth noting that the target filename is not shown in this
dialog. The following example shows a web page that will hang EOG when
invoked from within Mozilla:
------------------------------------
<html>
<head>
<title> TEST </title>
</head>
<body>
<img width=400 height=50 src="/tmp/%nbye.tif" type="image/tiff">
</body>
</html>
------------------------------------
Successful exploitation in the case above requires that the attacker be
able to construct a filename with properly encoded shellcode and place it
either in the local file system or on a server under the attacker's
control.
Solution/Vendor Information/Workaround:
Updated versions will be at:
ftp://ftp.gnome.org/pub/GNOME/sources/eog/2.2
Vendors contacted:
CORE Notification: 2003-03-14
Notification acknowledged by EOG maintainer: 2003-03-14
Fixes provided by EOG maintainer: 2003-03-19
Fixed version of EOG released: 2003-03-27
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
http://www.coresecurity.com/common/showdoc.php?idx=312&idxseccion=10
The information has been provided by CORE Security Technologies Advisories
(advisories@coresecurity.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.