[Evolution] [Fwd: iDEFENSE Security Advisory 09.26.2002: Exploitable Buffer Overflow in gv]

[Kenneth Porter <shiva sewingwitch com>]

Forwarded from the DShield list. Relevant if you have gv configured as
your PDF viewer:

-----Forwarded Message-----

From: Samantha Fetter <sama snowplow org>
To: list dshield org
Subject: [Dshield] Fw: iDEFENSE Security Advisory 09.26.2002: Exploitable Buffer Overflow in gv
Date: 26 Sep 2002 14:00:55 -0500

Passing this on...........

iDEFENSE Security Advisory 09.26.2002
Exploitable Buffer Overflow in gv

DESCRIPTION

The gv program that is shipped on many Unix systems contains a buffer
overflow which can be exploited by an attacker sending a malformed
postscript or Adobe pdf file. The attacker would be able to cause
arbitrary code to run with the privileges of the victim on his Linux
computer. The gv program is a PDF and postscript viewing program for
Unix which interfaces with the ghostscript interpreter. It is
maintained at http://wwwthep.physik.uni-mainz.de/~plass/gv/ by
Johannes Plass.  This particular security vulnerability occurs in the
source code where an unsafe sscanf() call is used to interpret
PostScript and PDF files.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2001-0832 to this issue.


ANALYSIS

In order to perform exploitation, an attacker would have to trick a
user into viewing a malformed PDF or PostScript file from the command
line. This may be somewhat easier for Unix based email programs that
associate gv with email attachments. Since gv is not normally
installed setuid root, an attacker would only be able to cause
arbitrary code to run with the privileges of that user.  Other
programs that utilize derivatives of gv, such as ggv or kghostview,
may also be vulnerable in similiar ways.

A proof of concept exploit for Red Hat Linux designed by zen-parse is
attached to this message.  It packages the overflow and shellcode in
the "%%PageOrder:" section of the PDF.

[root victim]# ls -al /tmp/itworked
/bin/ls: /tmp/itworked: No such file or directory
[root victim]# gv gv-exploit.pdf
[root victim]# ls -al /tmp/itworked
- -rw-r--r-- 1 root root 0 Aug 22 16:50 /tmp/itworked
[root victim]#


DETECTION

This vulnerability affects the latest version of gv, 3.5.8. An
exploit has been tested on Red Hat Linux 7.3.


WORKAROUND

To avoid potential exploitation, users can select alternatives to gv
such as Kghostview (included with the KDE desktop environment) for
instance. Additionally, the vulnerability does not seem to be
exploitable when a file is opened from the gv interface instead of
the command line.


VENDOR RESPONSE

The author could not be contacted, and the main home page has not
been updated since 1997.  Coordinated public disclosure was scheduled
for September 26, 2002 with Unix vendors.


DISCLOSURE TIMELINE

8/23/2002 Disclosed to iDEFENSE
9/6/2002  Disclosed to vendor (plass thep physik uni-mainz de) by
iDEFENSE
9/6/2002  Disclosed to iDEFENSE clients
9/12/2002 Disclosed to Unix vendors
9/13/2002 Second vendor disclosure attempt
9/26/2002 Public Disclosure


CREDIT

This issue was exclusively disclosed to iDEFENSE by zen-parse
(zen-parse gmx net).