

Posted Mar 29, 2003
Site coresecurity.com

CORE Security Technologies Advisory - Eye of Gnome (EOG) versions 2.2.0 and below contain a format string vulnerability in the handling of the image filename passed on the command line. When EOG is the default image viewer (for example through an /etc/mailcap entry used by a mail client or browser), a specially crafted filename can make it execute arbitrary commands with the privileges of the user viewing the image. The flaw is locally exploitable, but the filename can be supplied by a remote party.

tags | exploit, arbitrary
SHA-256 | 1950228f33b065eb6ab55bc204fca15b96faec949e0b20489cd4de91304831bb


                       Core Security Technologies Advisory

Vulnerability in GNOME's Eye of Gnome

Date Published: 2003-03-28

Last Update: 2003-03-27

Advisory ID: CORE-2003-0304-03

Bugtraq ID: 7121

CVE Name: CAN-2003-0165

Title: GNOME's Eye Of Gnome incorrect file name handling

Class: Input validation error

Remotely Exploitable: No

Locally Exploitable: Yes

Advisory URL:

Vendors contacted:
- Eye Of Gnome
. CORE Notification: 2003-03-14
. Notification acknowledged by EOG maintainer: 2003-03-14
. Fixes provided by EOG maintainer: 2003-03-19
. Fixed version of EOG released: 2003-03-27


*Vulnerability Description:*

The Eye Of Gnome (EOG for short) is an image viewer, as well as an
image cataloging program. EOG is part of the GNOME desktop and is
bundled with all major Linux distributions.

A vulnerability was found in this application that could lead to the
execution of arbitrary code with the privileges of the user
running EOG. This vulnerability can be exploited from within
email clients (MUAs) that use EOG as the default image viewer.

*Vulnerable Packages:*

Version 2.2.0 and previous versions are vulnerable.

*Solution/Vendor Information/Workaround:*

Updated versions will be at ftp.gnome.org/pub/GNOME/sources/eog/2.2


This vulnerability was found by Diego Kelyacoubian, Javier Kohen,
Alberto Solino and Juan Vera from Core Security Technologies
during Bugweek 2003 (March 3-7, 2003).

We wish to thank Federico Mena Quintero, GNOME eog developer,
for his quick response to this issue.

*Technical Description - Exploit/Concept Code:*

EOG receives the filename of the image to display as a command
line argument. The program fails to validate this argument and
interprets it as a format string, so any conversion specifiers
embedded in the filename are honoured. By providing a specially
crafted filename an attacker can force eog to execute arbitrary
commands with the privileges of the user running it.

The following line demonstrates the problem:

$ /usr/bin/eog this_is_an_invalid_file_%n%n

After which eog will crash with the following message:

"Application "eog" (process 4420) has crashed due to a fatal error
(Segmentation Fault)"
Please visit the GNOME Application Crash page for more information
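The bug class behind that crash, as an added C example (hypothetical code modelled on the description above, not EOG's source): show_error stands in for a printf-style dialog or logging helper, render_error_vulnerable assembles a message that already contains the filename and then hands that message to the helper as its format string, render_error_safe is the one-line fix, and filename_is_format_safe is a defence-in-depth input check for programs that cannot audit every printf-style call. Function names and the sample filenames are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Shared output buffer so callers (and tests) can inspect the rendered message. */
static char g_msg[256];

/* Stand-in for a printf-style UI helper (think of an error-dialog constructor):
 * whatever arrives as `fmt` is interpreted, "%n" included. */
static const char *show_error(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(g_msg, sizeof g_msg, fmt, ap);
    va_end(ap);
    return g_msg;
}

/* VULNERABLE: the message is assembled first and then handed to the helper as
 * its format string, so '%' sequences from the filename are interpreted a
 * second time. "%x" leaks stack contents; "%n" writes through a pointer taken
 * from the (absent) argument list, which is what segfaults in the advisory. */
const char *render_error_vulnerable(const char *filename)
{
    char msg[256];
    snprintf(msg, sizeof msg, "Couldn't open image %s", filename);
    return show_error(msg);              /* BUG: msg is attacker-influenced */
}

/* FIXED: the format string is a literal; the filename is only ever a %s argument. */
const char *render_error_safe(const char *filename)
{
    return show_error("Couldn't open image %s", filename);
}

/* Input check (hypothetical): reject names carrying a conversion, i.e. a '%'
 * not followed by another '%'. Deliberately conservative, so "100%.tif" is
 * refused as well. Returns 1 if the name is safe to use anywhere. */
int filename_is_format_safe(const char *name)
{
    for (const char *p = name; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {               /* "%%" renders as a literal percent sign */
            p++;
            continue;
        }
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs. Only "%%" is sent down the vulnerable path so that the
     * demo itself stays free of undefined behaviour. */
    const char *benign  = "holiday_100%%.tif";
    const char *hostile = "this_is_an_invalid_file_%n%n";

    printf("vulnerable: %s\n", render_error_vulnerable(benign)); /* "%%" collapsed: the name was interpreted */
    printf("safe:       %s\n", render_error_safe(benign));       /* printed verbatim */
    printf("safe:       %s\n", render_error_safe(hostile));      /* "%n%n" printed verbatim, nothing written */
    printf("check %s -> %d\n", hostile, filename_is_format_safe(hostile));
    return 0;
}
```

Build with `cc -Wall demo.c && ./a.out`. The collapsed "%%" in the vulnerable line is the tell that the filename was treated as a format string; with the advisory's "%n%n" name the same path dereferences whatever sits in the variadic argument slot, which is the segmentation fault quoted above. Note that compilers only flag this pattern when the helper carries a format attribute, which is why the check function is worth having in addition to the literal-format fix.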

Although this vulnerability does not seem relevant by itself, as we
will show below, it can be exploited by attackers who can force
other users to run eog on their behalf, either locally or remotely.

This vulnerability can be exploited, for example, by abusing Mail
User Agents that use /etc/mailcap entries to determine how to
display images.

Some vendors are known to ship their /etc/mailcap with EOG as the
default image viewer.

The mailcap format is formally defined by RFC 1524. A mailcap file is
a configuration file that maps MIME types to external viewers (MIME
is defined by RFC 1521). It was originally aimed at mail user
agents but was later adopted by several other applications.

Under Red Hat 8.0, EOG is the default viewer for image formats that
applications cannot handle themselves:

-------- begin /etc/mailcap entry
### Begin Red Hat Mailcap

audio/mod; /usr/bin/mikmod %s
# play is apparently a security hole
#audio/*; /usr/bin/play %s

image/*; eog %s
------------ end /etc/mailcap entry

As shown above, EOG is used for all image MIME types.
"image/gif" and "image/tiff" are examples of valid MIME types that
will be displayed using EOG.

Mutt and Mozilla are examples of applications that consult the
/etc/mailcap file based on the MIME type sent by the attacker.
Mozilla, for example, does not display TIFF images inline in web
pages. To view them, the user must right-click the image, and the
browser pops up a dialog box asking whether to save or view the
image. Note that the target filename is not shown in this dialog.
The following web page will hang EOG when it is invoked from within
Mozilla:

<title> TEST </title>
<img width=400 height=50 src="/tmp/%nbye.tif" type="image/tiff">

Successful exploitation in the case above requires that the attacker
craft a filename containing properly encoded shellcode and place the
file either on the local file system or on a server under the
attacker's control.
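How the attacker-chosen MIME type and filename travel from a mail client or browser to eog's command line, as an added C example (not Red Hat's mailcap code nor any MUA's): a minimal RFC 1524 resolver run over the /etc/mailcap excerpt quoted above (embedded here as a constructed string), followed by the "%s" substitution that the calling application performs before handing the command to /bin/sh. Function names are assumptions; the resolver only implements the type-matching and view-command fields the excerpt uses.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed copy of the Red Hat 8.0 /etc/mailcap excerpt quoted in the advisory. */
static const char MAILCAP[] =
    "### Begin Red Hat Mailcap\n"
    "\n"
    "audio/mod; /usr/bin/mikmod %s\n"
    "# play is apparently a security hole\n"
    "#audio/*; /usr/bin/play %s\n"
    "\n"
    "image/*; eog %s\n";

/* Does a mailcap type pattern ("image/*" or "image/tiff") cover `mime`?
 * Types are case-insensitive per RFC 1524; only the subtype wildcard is handled. */
static int type_matches(const char *pattern, const char *mime)
{
    const char *slash = strchr(pattern, '/');
    if (!slash) return 0;
    size_t plen = (size_t)(slash - pattern);
    if (strncasecmp(pattern, mime, plen) != 0 || mime[plen] != '/') return 0;
    if (strcmp(slash + 1, "*") == 0) return 1;
    return strcasecmp(slash + 1, mime + plen + 1) == 0;
}

/* Walk the mailcap text line by line; the first non-comment entry whose type
 * covers `mime` wins, and its view command (the field after the first ';')
 * is copied into `cmd`. Returns 1 on a hit, 0 if nothing covers the type. */
int mailcap_lookup(const char *mailcap, const char *mime, char *cmd, size_t cmdlen)
{
    const char *line = mailcap;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = eol ? eol + 1 : line + strlen(line);

        char *type = buf;
        while (*type == ' ' || *type == '\t') type++;
        if (*type == '\0' || *type == '#') continue;     /* blank line or comment */
        char *semi = strchr(type, ';');
        if (!semi || semi == type) continue;               /* malformed entry */
        *semi = '\0';
        for (char *e = semi - 1; e > type && (*e == ' ' || *e == '\t'); e--) *e = '\0';
        if (!type_matches(type, mime)) continue;

        char *view = semi + 1;
        while (*view == ' ' || *view == '\t') view++;
        char *next = strchr(view, ';');   /* optional fields (test=, copiousoutput, ...) follow */
        if (next) *next = '\0';
        snprintf(cmd, cmdlen, "%s", view);
        return 1;
    }
    return 0;
}

/* Expand the RFC 1524 "%s" placeholder. The filename is single-quoted because
 * the command is run by /bin/sh, but quoting is no defence against the eog bug:
 * the bytes still arrive in eog's argv[1] intact, "%n" included. Filenames
 * containing a quote are refused to keep the quoting simple. Returns 1 on success. */
int mailcap_build_command(const char *tmpl, const char *filename, char *out, size_t outlen)
{
    if (strchr(filename, '\'')) return 0;
    size_t o = 0;
    for (const char *t = tmpl; *t; t++) {
        if (t[0] == '%' && t[1] == 's') {
            t++;
            int n = snprintf(out + o, outlen - o, "'%s'", filename);  /* filename is data, not format */
            if (n < 0 || (size_t)n >= outlen - o) return 0;
            o += (size_t)n;
            continue;
        }
        if (o + 1 >= outlen) return 0;
        out[o++] = *t;
    }
    out[o] = '\0';
    return 1;
}

/* Convenience: resolve a type against the embedded mailcap and expand the command.
 * Returns NULL when no entry applies or the command cannot be built. */
const char *resolve_viewer_command(const char *mime, const char *filename)
{
    static char tmpl[256], cmd[512];
    if (!mailcap_lookup(MAILCAP, mime, tmpl, sizeof tmpl)) return NULL;
    if (!mailcap_build_command(tmpl, filename, cmd, sizeof cmd)) return NULL;
    return cmd;
}

int main(void)
{
    /* Constructed request: the MIME type and file name both come from the attacker. */
    const char *c = resolve_viewer_command("image/tiff", "/tmp/%nbye.tif");
    printf("%s\n", c ? c : "(no viewer)");
    return 0;
}
```

The resolved line for the advisory's page is `eog '/tmp/%nbye.tif'`: the wildcard entry catches every image subtype, and the shell quoting that protects the calling application from command injection does nothing for the viewer, because eog receives the raw name and then mishandles it.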

*About Core Security Technologies*

Core Security Technologies develops strategic security solutions for
Fortune 1000 corporations, government agencies and military
organizations. The company offers information security software and
services designed to assess risk and protect and manage information
assets. Headquartered in Boston, MA, Core Security Technologies can be reached
at 617-399-6980 or on the Web at http://www.coresecurity.com.

To learn more about CORE IMPACT, the first comprehensive penetration
testing framework, visit http://www.coresecurity.com/products/coreimpact


The contents of this advisory are copyright (c) 2003 CORE Security
Technologies and may be distributed freely provided that no fee is
charged for this distribution and proper credit is given.

$Id: eog-advisory.txt,v 1.12 2003/03/27 22:07:35 carlos Exp $
