07.29.2010 | STERLING, VA
PUBLIC ADVISORY: 09.26.02
PUBLIC ADVISORY: 09.26.02
PUBLIC ADVISORY: 09.26.02
Buffer overflow in gv
I. BACKGROUND
Johannes Plass's gv allows users to view and navigate PostScript and PDF documents on an X display by providing a user interface for the ghostscript interpreter. The product's web page is available at http://wwwthep.physik.uni-mainz.de/~plass/gv/.
II. DESCRIPTION
The gv program shipped in many Unix systems contains a buffer overflow that can be exploited by an attacker sending a malformed PostScript or PDF file. The attacker would be able to cause arbitrary code to run with the privileges of the victim on his Linux computer. This particular vulnerability occurs in the source code where an unsafe
sscanf() call is used to interpret PostScript and PDF files.
III. ANALYSIS
In order to perform exploitation, an attacker must trick a user into viewing a malformed PostScript or PDF file from the command line. This may be somewhat easier for Unix-based e-mail applications that associate gv with e-mail attachments. Since gv is not normally installed setuid root, an attacker would only be able to cause arbitrary
code to run with the privileges of that user. Other programs that utilize derivatives of gv, such as ggv or kghostview, may also be vulnerable in similar ways.
A proof of concept exploit packages the overflow and shellcode in the "%%PageOrder:" section of the PDF.
[root@victim]# ls -al /tmp/itworked
/bin/ls: /tmp/itworked: No such file or directory
[root@victim]# gv gv-exploit.pdf
[root@victim]# ls -al /tmp/itworked
- -rw-r--r-- 1 root root 0 Aug 22 16:50 /tmp/itworked
[root@victim]#
IV. DETECTION
gv 3.5.8, which runs on Red Hat Linux 7.3, among other operating systems, is affected.
V. WORKAROUND
Select alternatives to gv such as Kghostview (included with the KDE desktop environment), for instance. Additionally, the vulnerability does not seem to be exploitable when a file is opened from the gv interface instead of the command line.
VI. VENDOR FIX/RESPONSE
The author could not be contacted, and the main home page has not been updated since 1997. Coordinated public disclosure with Unix vendors was scheduled for September 26, 2002.
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2001-0832 for this issue.
VIII. DISCLOSURE TIMELINE
IX. CREDIT
zen-parse (zen-parse@gmx.net) is credited with discovering this vulnerability.
Johannes Plass's gv allows users to view and navigate PostScript and PDF documents on an X display by providing a user interface for the ghostscript interpreter. The product's web page is available at http://wwwthep.physik.uni-mainz.de/~plass/gv/.
II. DESCRIPTION
The gv program shipped in many Unix systems contains a buffer overflow that can be exploited by an attacker sending a malformed PostScript or PDF file. The attacker would be able to cause arbitrary code to run with the privileges of the victim on his Linux computer. This particular vulnerability occurs in the source code where an unsafe
sscanf() call is used to interpret PostScript and PDF files.
III. ANALYSIS
In order to perform exploitation, an attacker must trick a user into viewing a malformed PostScript or PDF file from the command line. This may be somewhat easier for Unix-based e-mail applications that associate gv with e-mail attachments. Since gv is not normally installed setuid root, an attacker would only be able to cause arbitrary
code to run with the privileges of that user. Other programs that utilize derivatives of gv, such as ggv or kghostview, may also be vulnerable in similar ways.
A proof of concept exploit packages the overflow and shellcode in the "%%PageOrder:" section of the PDF.
[root@victim]# ls -al /tmp/itworked
/bin/ls: /tmp/itworked: No such file or directory
[root@victim]# gv gv-exploit.pdf
[root@victim]# ls -al /tmp/itworked
- -rw-r--r-- 1 root root 0 Aug 22 16:50 /tmp/itworked
[root@victim]#
IV. DETECTION
gv 3.5.8, which runs on Red Hat Linux 7.3, among other operating systems, is affected.
V. WORKAROUND
Select alternatives to gv such as Kghostview (included with the KDE desktop environment), for instance. Additionally, the vulnerability does not seem to be exploitable when a file is opened from the gv interface instead of the command line.
VI. VENDOR FIX/RESPONSE
The author could not be contacted, and the main home page has not been updated since 1997. Coordinated public disclosure with Unix vendors was scheduled for September 26, 2002.
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2001-0832 for this issue.
VIII. DISCLOSURE TIMELINE
| 8/23/2002 | Issue disclosed to iDEFENSE |
| 9/6/2002 | Vendor notified by e-mail to plass@thep.physik.uni-mainz.de |
| 9/6/02 | iDEFENSE clients notified |
| 9/12/2002 | Unix vendors notified |
| 9/13/02 | Second attempt made to notify Unix vendors |
| 9/26/02 | Issue disclosed to public |
IX. CREDIT
zen-parse (zen-parse@gmx.net) is credited with discovering this vulnerability.
Vulnerability Advisories: 