
Buffer overflow in gv


I. BACKGROUND

Johannes Plass's gv allows users to view and navigate PostScript and PDF documents on an X display by providing a user interface for the ghostscript interpreter. The product's web page is available at http://wwwthep.physik.uni-mainz.de/~plass/gv/.

II. DESCRIPTION

The gv program shipped in many Unix systems contains a buffer overflow that can be exploited by an attacker sending a malformed PostScript or PDF file. The attacker would be able to cause arbitrary code to run with the privileges of the victim on his Linux computer. This particular vulnerability occurs in the source code where an unsafe sscanf() call is used to interpret PostScript and PDF files.

III. ANALYSIS

In order to perform exploitation, an attacker must trick a user into viewing a malformed PostScript or PDF file from the command line. This may be somewhat easier for Unix-based e-mail applications that associate gv with e-mail attachments. Since gv is not normally installed setuid root, an attacker would only be able to cause arbitrary code to run with the privileges of that user. Other programs that utilize derivatives of gv, such as ggv or kghostview, may also be vulnerable in similar ways.

A proof of concept exploit packages the overflow and shellcode in the "%%PageOrder:" section of the PDF.

[root@victim]# ls -al /tmp/itworked
/bin/ls: /tmp/itworked: No such file or directory
[root@victim]# gv gv-exploit.pdf
[root@victim]# ls -al /tmp/itworked
-rw-r--r-- 1 root root 0 Aug 22 16:50 /tmp/itworked
[root@victim]#
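The description above attributes the overflow to an unsafe sscanf() call, and the proof of concept places its payload in the "%%PageOrder:" DSC comment. The following C example, added here and not taken from gv's source or from the advisory, shows the class of defect and its fix: an unbounded "%s" conversion next to a width-limited one that also rejects over-long values instead of silently truncating them, plus a small checker that walks a constructed document and counts rejected "%%PageOrder:" lines. The format string, the 64-byte buffer and the sample document are assumptions chosen for illustration; they are not claimed to match gv's actual code.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination buffer; the size is an assumption
 * for this example, not gv's. An unbounded "%s" writes past its end when
 * the comment value is longer than VALUE_LEN characters. */
#define VALUE_LEN 63
#define VALUE_MAX (VALUE_LEN + 1)
#define STR2(x) #x
#define STR(x) STR2(x)

/* Unsafe pattern: no width on "%s", so the copy is bounded only by the
 * attacker-controlled input. Shown for comparison; never call it on
 * untrusted data. */
int parse_page_order_unsafe(const char *line, char out[VALUE_MAX])
{
    return sscanf(line, "%%%%PageOrder: %s", out) == 1 ? 0 : -1;
}

/* Hardened pattern: "%63s" bounds the conversion to the buffer, and "%n"
 * records how much input was consumed so an over-long value (anything
 * non-blank left after the token) is treated as malformed rather than
 * silently truncated. Returns 0 on success, -1 otherwise. */
int parse_page_order_safe(const char *line, char out[VALUE_MAX])
{
    int consumed = 0;
    if (sscanf(line, "%%%%PageOrder: %" STR(VALUE_LEN) "s%n",
               out, &consumed) != 1)
        return -1;                       /* not a well-formed PageOrder line */
    for (const char *p = line + consumed; *p; p++)
        if (!strchr(" \t\r\n", *p))
            return -1;                   /* token exceeded VALUE_LEN */
    return 0;
}

/* Walk a document line by line and count "%%PageOrder:" comments that the
 * hardened parser rejects. A non-zero result flags input worth refusing. */
int count_bad_page_order_lines(const char *doc)
{
    int bad = 0;
    const char *p = doc;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        size_t len = full < sizeof line - 1 ? full : sizeof line - 1;
        memcpy(line, p, len);            /* bounded copy of one line */
        line[len] = '\0';
        if (strncmp(line, "%%PageOrder:", 12) == 0) {
            char value[VALUE_MAX];
            if (parse_page_order_safe(line, value) != 0)
                bad++;
        }
        p = nl ? nl + 1 : p + full;
    }
    return bad;
}

/* Constructed sample: one valid PageOrder comment and one whose value is
 * far longer than the buffer. Not a real document. */
#define A16 "AAAAAAAAAAAAAAAA"
static const char SAMPLE_DOC[] =
    "%!PS-Adobe-3.0\n"
    "%%Pages: 2\n"
    "%%PageOrder: Ascend\n"
    "%%PageOrder: " A16 A16 A16 A16 A16 A16 A16 "\n"
    "%%EndComments\n";

int main(void)
{
    char value[VALUE_MAX];
    int rc = parse_page_order_safe("%%PageOrder: Ascend", value);
    printf("valid line -> rc=%d value=%s\n", rc, value);
    printf("rejected PageOrder lines in sample: %d\n",
           count_bad_page_order_lines(SAMPLE_DOC));
    return 0;
}
```

The width specifier alone stops the overrun; the "%n" check is the extra step that turns a silently truncated value into a detectable parse failure, which is the behaviour a viewer should have for a comment it does not understand.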

IV. DETECTION

gv 3.5.8, which runs on Red Hat Linux 7.3, among other operating systems, is affected.

V. WORKAROUND

Use an alternative to gv, such as Kghostview (included with the KDE desktop environment). Additionally, the vulnerability does not seem to be exploitable when a file is opened from the gv interface instead of the command line.

VI. VENDOR FIX/RESPONSE

The author could not be contacted, and the main home page has not been updated since 1997. Coordinated public disclosure with Unix vendors was scheduled for September 26, 2002.

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project assigned the identification number CAN-2001-0832 for this issue.

VIII. DISCLOSURE TIMELINE

8/23/2002 Issue disclosed to iDEFENSE
9/6/2002 Vendor notified by e-mail to plass@thep.physik.uni-mainz.de
9/6/2002 iDEFENSE clients notified
9/12/2002 Unix vendors notified
9/13/2002 Second attempt made to notify Unix vendors
9/26/2002 Issue disclosed to public


IX. CREDIT

zen-parse (zen-parse@gmx.net) is credited with discovering this vulnerability.
