Public Vulnerability Reports

Buffer overflow in gv

09.26.02

BACKGROUND

Johannes Plass's gv allows users to view and navigate PostScript and PDF documents on an X display by providing a user interface for the ghostscript interpreter. The product's web page is available at http://wwwthep.physik.uni-mainz.de/~plass/gv/.

DESCRIPTION

The gv program shipped in many Unix systems contains a buffer overflow that can be exploited by an attacker sending a malformed PostScript or PDF file. The attacker would be able to cause arbitrary code to run with the privileges of the victim on his Linux computer. This particular vulnerability occurs in the source code where an unsafe
sscanf() call is used to interpret PostScript and PDF files.

ANALYSIS

In order to perform exploitation, an attacker must trick a user into viewing a malformed PostScript or PDF file from the command line. This may be somewhat easier for Unix-based e-mail applications that associate gv with e-mail attachments. Since gv is not normally installed setuid root, an attacker would only be able to cause arbitrary
code to run with the privileges of that user. Other programs that utilize derivatives of gv, such as ggv or kghostview, may also be vulnerable in similar ways.

A proof of concept exploit packages the overflow and shellcode in the "%%PageOrder:" section of the PDF.

[root@victim]# ls -al /tmp/itworked
/bin/ls: /tmp/itworked: No such file or directory
[root@victim]# gv gv-exploit.pdf
[root@victim]# ls -al /tmp/itworked
- -rw-r--r-- 1 root root 0 Aug 22 16:50 /tmp/itworked
[root@victim]#

DETECTION

gv 3.5.8, which runs on Red Hat Linux 7.3, among other operating systems, is affected.

WORKAROUND

Select alternatives to gv such as Kghostview (included with the KDE desktop environment), for instance. Additionally, the vulnerability does not seem to be exploitable when a file is opened from the gv interface instead of the command line.

VENDOR RESPONSE

The author could not be contacted, and the main home page has not been updated since 1997. Coordinated public disclosure with Unix vendors was scheduled for September 26, 2002.

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2001-0832 for this issue.

DISCLOSURE TIMELINE

08/23/2002 Issue disclosed to iDEFENSE
09/06/2002 Vendor notified by e-mail to plass@thep.physik.uni-mainz.de
09/06/2002 iDEFENSE clients notified
09/12/2002 Unix vendors notified
09/13/2002 Second attempt made to notify Unix vendors
09/26/2002 Issue disclosed to public

CREDIT

zen-parse (zen-parse@gmx.net) is credited with discovering this vulnerability.