# Ghostscript for Windows: buffer overflows in OutputFile and DocumentName
# Discovery date: 25 Jan 2012
# Report date: 03 Feb 2012
# Author: Andrei Costin (andrei@andreicostin.com)
# CVE: Not available yet
# Other SecAdv number: ACSA-2012-15

##### Affected module #####
Ghostscript for Windows
    gswin32.exe
    gswin32c.exe
    gsview32.exe

##### Affected versions #####
(latest version at time of writing)
Ghostscript 9.04 (and possibly prior versions)

##### Reproducibility #####
100%

##### Introduction #####
GhostScript is an interpreter for PostScript and Encapsulated PostScript files.
It is widely deployed on both Windows and *NIX operating systems, since it is the established
"de facto" software for processing, viewing and modifying .ps/.eps files on these systems.

GhostScript fails to properly validate the length of the OutputFile and DocumentName parameters
and as such allows attacker-controlled buffer overflows, as the crash record below shows:

FAULTING_IP: 
ntdll!wcsncpy+374
7c9108f3 8902            mov     dword ptr [edx],eax
EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7c9108f3 (ntdll!wcsncpy+0x00000374)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 61616161
Attempt to write to address 61616161
BUGCHECK_STR:  APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_WRONG_SYMBOLS_FILL_PATTERN_61616161
PRIMARY_PROBLEM_CLASS:  STRING_DEREFERENCE_FILL_PATTERN_61616161
DEFAULT_BUCKET_ID:  STRING_DEREFERENCE_FILL_PATTERN_61616161
LAST_CONTROL_TRANSFER:  from 102b7367 to 7c9108f3
STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0006e140 102b7367 00880000 00000000 00cd8fd8 ntdll!wcsncpy+0x374
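As an added illustration (not Ghostscript's own code), the unchecked wide-string copy pattern that the wcsncpy crash above points to, beside a hardened parameter setter that rejects over-long values; the struct layout, buffer size and function names are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <wchar.h>

/* Hypothetical device-parameter record (not Ghostscript's real layout):
 * a fixed-size wide-char OutputFile buffer followed by a pointer that an
 * overrun would clobber, which is how a later wcsncpy ends up writing
 * through a 0x61616161 pointer as in the crash record above. */
#define OUTPUTFILE_MAX 64
struct device_params {
    wchar_t output_file[OUTPUTFILE_MAX];
    wchar_t *current_name;
};

/* Unchecked pattern: the bound given to wcsncpy is the SOURCE length,
 * so wcsncpy cannot protect the destination. Shown only for contrast
 * and never called below. */
void set_output_file_unchecked(struct device_params *p, const wchar_t *value)
{
    wcsncpy(p->output_file, value, wcslen(value)); /* BUG: wrong bound */
}

/* Hardened version: validate the length against the destination
 * capacity (including the terminating NUL) and refuse over-long
 * values before any byte is copied. */
bool set_output_file_checked(struct device_params *p, const wchar_t *value)
{
    size_t len = wcslen(value);
    if (len >= OUTPUTFILE_MAX)
        return false;                      /* reject: does not fit */
    wcsncpy(p->output_file, value, OUTPUTFILE_MAX);
    p->output_file[OUTPUTFILE_MAX - 1] = L'\0';
    return true;
}

/* Constructed sample: a 511-character OutputFile value filled with 'a'
 * (0x61), mirroring the fill pattern in the crash record. The checked
 * setter must reject it and leave the neighbouring pointer untouched. */
bool overlong_outputfile_is_rejected(void)
{
    struct device_params p = {0};
    wchar_t longval[512];
    for (size_t i = 0; i < 511; i++) longval[i] = L'a';
    longval[511] = L'\0';
    p.current_name = p.output_file;
    return !set_output_file_checked(&p, longval) && p.current_name == p.output_file;
}
```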

##### Attack scenarios #####
A malicious .ps/.eps file is:
 - sent by mail and opened for preview by the victim - victim host filesystem files can be fingerprinted
 - downloaded from a malicious site and opened for preview by the victim - victim host filesystem files can be fingerprinted
 - sent for CUPS processing/printing - filesystem files of the machine hosting the CUPS subsystem can be fingerprinted

##### Flaw type #####
Buffer overflow

##### Flaw category #####
Incorrect input handling

##### Mitigation #####
There is no known fix or workaround for this problem.

##### Remediation cost #####
Low

##### Consequences #####
Arbitrary code execution or disclosure of memory contents

##### Weakness Prevalence #####
N/A

##### Disclosure timelines #####
2012-01-25 - Discovered
2012-02-03 - Reported
2012-04-03 - Fix notification from Secunia under SA47855. Fixed in GhostScript 9.05.