[Full-disclosure] GNU gv Stack Overflow Vulnerability
2006-11-09T00:00:00
ID SECURITYVULNS:DOC:14987 Type securityvulns Reporter Securityvulns Modified 2006-11-09T00:00:00
Description
GNU gv Stack Overflow Vulnerability
//----- Advisory
Program : GNU gv
Homepage : http://www.gnu.org/software/gv/
Tested version : 3.6.2
Found by : r.lifchitz at sysdream dot com
This advisory : r.lifchitz at sysdream dot com
Discovery date : 2006/11/06
Vendor notified : 2006/11/09
//----- Application description
gv is a comfortable viewer of PostScript and PDF files for the X
Window System. It uses the ghostscript PostScript interpreter
and is based on the classic X front-end for gs, ghostview, which
it has replaced now.
//----- Description of vulnerability
The 'gv' viewer is prone to a remote stack overflow
vulnerability. This issue exists because the application fails
to perform proper boundary checks before copying user-supplied
data into process buffers. A remote attacker may execute arbitrary
code in the context of a user running the application. As a result,
the attacker can gain unauthorized access to the vulnerable computer.
This issue presents itself in the 'ps_gettext()' function residing
in the 'ps.c' file.
Long comments in some specific headers (such as '%%DocumentMedia:')
of PS files are unconditionally copied into 'text', a 257 character
buffer on the stack.
This issue is reported to affect gv 3.6.2, but earlier versions are
likely prone to this vulnerability as well. Applications using embedded
gv code may also be vulnerable.
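Added example (not part of the original advisory and not gv's own code): a bounded token copy of the kind the description says is missing, sized for the 257-byte 'text' buffer. The names dsc_gettext_bounded() and try_len(), the simplified token grammar and the filler input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define TEXT_MAX 257            /* size of 'text' quoted in the advisory */
static char text[TEXT_MAX];

/* Hypothetical helper, not gv's ps_gettext(): copy the first token of a DSC
 * comment value into out[outsz]. A token is a parenthesised string (nesting
 * honoured, escaped characters stored as-is) or a run of non-blank characters.
 * Returns its length, or -1 with out emptied if unterminated or too long. */
static int dsc_gettext_bounded(const char *line, char *out, size_t outsz)
{
    size_t n = 0;
    int depth = 0;
    if (outsz == 0) return -1;
    while (*line == ' ' || *line == '\t') line++;
    if (*line == '(') {
        depth = 1;
        for (line++; *line && *line != '\n' && *line != '\r'; ) {
            char c = *line++;
            if (c == '\\' && *line) c = *line++;
            else if (c == '(') depth++;
            else if (c == ')' && --depth == 0) break;
            if (n + 1 >= outsz) goto fail;   /* the missing boundary check */
            out[n++] = c;
        }
        if (depth != 0) goto fail;
    } else {
        while (*line && !strchr(" \t\r\n", *line)) {
            if (n + 1 >= outsz) goto fail;
            out[n++] = *line++;
        }
    }
    out[n] = '\0';
    return (int)n;
fail:
    out[0] = '\0';
    return -1;
}

/* Constructed input: a header value of len filler bytes plus a newline. */
static int try_len(size_t len)
{
    static char line[1024];
    if (len > sizeof line - 2) return -2;
    memset(line, 'A', len);
    memcpy(line + len, "\n", 2);
    return dsc_gettext_bounded(line, text, sizeof text);
}

int main(void) { printf("%d %d\n", try_len(256), try_len(257)); return 0; }
```

A 256-byte value is the longest that fits with its terminator; anything longer is rejected rather than truncated, so the caller can refuse the file.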
//----- Proof Of Concept
Linux IA32 Reverse TCP Shell on 192.168.110.247:4321 (uuencoded
exploit) :
Use:
$ uudecode < this-advisory.txt
to extract the exploit.
//----- Solution
No known solution. You have to wait for a vendor upgrade and
be careful with unknown PS files.
//----- Impact
Successful exploitation leads to remote code execution.
//----- Credits
Renaud Lifchitz
r.lifchitz at sysdream dot com
http://www.sysdream.com/
//----- Greetings
Thanks to Ali Rahbar
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/