Core Security Technologies Advisory http://www.coresecurity.com Vulnerability in GNOME's Eye of Gnome Date Published: 2003-03-28 Last Update: 2003-03-27 Advisory ID: CORE-2003-0304-03 Bugtraq ID: 7121 CVE Name: CAN-2003-0165 Title: GNOME's Eye Of Gnome incorrect file name handling Class: Input validation error Remotely Exploitable: No Locally Exploitable: Yes Advisory URL: http://www.coresecurity.com/common/showdoc.php?idx=312&idxseccion=10 Vendors contacted: - Eye Of Gnome . CORE Notification: 2003-03-14 . Notification aknowledged by EOG maintainer: 2003-03-14 . Fixes provided by EOG maintainer: 2003-03-19 . Fixed version of EOG released: 2003-03-27 Release Mode: COORDINATED RELEASE *Vulnerability Description:* The Eye Of Gnome (EOG for short) is an image viewer, as well as an image cataloging program. EOG is part of the GNOME desktop and is bundled with all major Linux distributions. A vulnerability was found in this application that could lead to the execution of arbitrary code with the privileges of the user running EOG. This vulnerability can be exploited from within email clients (MUAs) that use EOG as default for image viewing. *Vulnerable Packages:* Version 2.2.0 and previous versions are vulnerable. *Solution/Vendor Information/Workaround:* Updated versions will be at ftp.gnome.org/pub/GNOME/sources/eog/2.2 *Credits:* This vulnerability was found by Diego Kelyacoubian, Javier Kohen, Alberto Solino and Juan Vera from Core Security Technologies during Bugweek 2003 (March 3-7, 2003). We wish to thank Federico Mena Quintero, GNOME eog developer, for his quick response to this issue. *Technical Description - Exploit/Concept Code:* EOG receives the filename of the image to display as a command line argument. The program fails to validate it argument and and handle format string specifiers. By providing a specially crafted filename an attacker could force eog to execute arbitary commands with the privileges of the user running it. The following line demostrates the problem: $ /usr/bin/eog this_is_an_invalid_file_%n%n After which eog will crash with the following message: "Application "eog" (process 4420) has crashed due to a fatal error (Segmentation Fault)" Please visit the GNOME Application Crash page for more information Although this vulnerability does not seem relevant by itself, as we will show below, it could be exploited by attackers that can force other users to run eog on their behalf, either locally or remotely. This vulnerability can be exploited, for example, by abusing Mail User Agents that use /etc/mailcap entries to determine how to display images. Some vendors are known to ship their /etc/mailcap with EOG as the default image viewer. The mailcap format is formally defined by RFC 1524. A mailcap file is a configuration file that maps MIME types to external viewers (MIME is defined by RFC 1521). It was originaly aimed to mail reader user agents but it was later adopted by several other applications. Under RedHat 8.0 distributions EOG is the default viewer when applications cannot handle certain images format: -------- begin /etc/mailcap entry ### ### Begin Red Hat Mailcap ### audio/mod; /usr/bin/mikmod %s # play is apparently a security hole #audio/*; /usr/bin/play %s image/*; eog %s ------------ end /etc/mailcap entry As shown below, EOG is used for all the image MIME types. "image/gif" and "image/tiff" are some of the examples of valid MIME types that will be displayed using EOG. Mutt and Mozilla are some applications that will use the /etc/mailcap file depending on the MIME type sent by the attacker. Mozilla, for example, doesn't display tiff images inside web pages. In order to view them, the user must right click the image and the browser will pop up a dialog box asking whether the user wants to save or view such image. It is worth to notice that the target filename is not shown in this dialog. The following example shows a web page that will hang EOG when invoqued from within Mozilla: ------------------------------------ TEST ------------------------------------ Sucessfull exploitation in the case above requires from the attacker the ability to craft a filename with proprly encoded shellcode and place it either in the local file system or on a server under the attacker's control. *About Core Security Technologies* Core Security Technologies develops strategic security solutions for Fortune 1000 corporations, government agencies and military organizations. The company offers information security software and services designed to assess risk and protect and manage information assets. Headquartered in Boston, MA, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com. To learn more about CORE IMPACT, the first comprehensive penetration testing framework, visit http://www.coresecurity.com/products/coreimpact *DISCLAIMER:* The contents of this advisory are copyright (c) 2003 CORE Security Technologies and may be distributed freely provided that no fee is charged for this distribution and proper credit is given. $Id: eog-advisory.txt,v 1.12 2003/03/27 22:07:35 carlos Exp $