ImageMagick provides "a variety of graphics image-handling libraries and capabilities. These libraries are widely used and are shipped by default on most Unix and Linux distributions. These libraries are commonly installed by default on computers where any other graphical image viewer or X Desktop environment is installed (such as Gnome or KDE)".
Remote exploitation of a buffer overflow vulnerability in the ImageMagick Project's ImageMagick PSD image-decoding module could allow an attacker to execute arbitrary code.
Credit:
The information has been provided by iDEFENSE. The vulnerability has been discovered by Andrei Nigmatulin.
The original article can be found at: http://www.idefense.com/application/poi/display?id=184&type=vulnerabilities&flashstatus=true
Vulnerable Systems:
* ImageMagick version 6.1.7 and prior
Immune Systems:
* ImageMagick version 6.1.8-8 or newer
A heap overflow exists within ImageMagick, specifically in the decoding of Photoshop Document (PSD) files. The vulnerable code follows (ImageMagick-6.1.0/coders/psd.c):

    /* layer_info[i].channels is a 16-bit count read straight from the file */
    for (j=0; j < (long) layer_info[i].channels; j++)
    {
      layer_info[i].channel_info[j].type=(short)ReadBlobMSBShort(image);
      layer_info[i].channel_info[j].size=ReadBlobMSBLong(image);
      [...]
    }

The array channel_info holds only 24 elements, while the loop bound layer_info[i].channels is a user-supplied value read directly from the image file. A layer record that declares more than 24 channels therefore makes the loop write past the end of channel_info, corrupting the heap-allocated layer_info array and whatever follows it. If the overflowed heap structures are controlled carefully, execution of arbitrary code is possible.
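To make the failure concrete, the following C program is an added example, not ImageMagick's own code: it reads the part of a PSD layer record that the loop above consumes from a constructed in-memory buffer, with the bounds check on the channel count that the 6.1.7 loop lacks. Assumptions: channel_info[] holds 24 entries (the size stated above); the record layout used here (a rectangle of four 32-bit big-endian values, a 16-bit channel count, then a 16-bit id and 32-bit length per channel) follows the PSD layer-record format; ReadBlobMSBShort/ReadBlobMSBLong are replaced by small stand-ins over a byte buffer; the two byte arrays are constructed test data. The unchecked overrun is computed rather than performed, so the program stays memory-safe.

```c
/* Added example, not ImageMagick's code. Assumes the 24-entry channel_info[]
 * from the advisory and the PSD layer-record layout described in the lead-in;
 * the byte buffers at the bottom are constructed test data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHANNELS   24          /* size of channel_info[] in LayerInfo */
#define ERR_OVERSIZED  (-1)        /* declared channel count exceeds the array */
#define ERR_TRUNCATED  (-2)        /* record ends before its declared fields */

typedef struct {
    short type;
    unsigned long size;
} ChannelInfo;

typedef struct {
    long top, left, bottom, right;
    unsigned short channels;
    ChannelInfo channel_info[MAX_CHANNELS];
} LayerInfo;

/* Stand-in for ImageMagick's blob reader, working over an in-memory buffer. */
typedef struct {
    const uint8_t *data;
    size_t len, off;
    int eof;
} Blob;

static unsigned short read_msb_short(Blob *b)
{
    if (b->off + 2 > b->len) { b->eof = 1; return 0; }
    unsigned short v = (unsigned short)((b->data[b->off] << 8) | b->data[b->off + 1]);
    b->off += 2;
    return v;
}

static unsigned long read_msb_long(Blob *b)
{
    if (b->off + 4 > b->len) { b->eof = 1; return 0; }
    unsigned long v = ((unsigned long)b->data[b->off] << 24)
                    | ((unsigned long)b->data[b->off + 1] << 16)
                    | ((unsigned long)b->data[b->off + 2] << 8)
                    |  (unsigned long)b->data[b->off + 3];
    b->off += 4;
    return v;
}

/* Bytes the unchecked loop from the advisory would write past the end of
 * channel_info[] for a declared channel count. Computed, not performed. */
size_t overflow_bytes(unsigned short channels)
{
    if (channels <= MAX_CHANNELS)
        return 0;
    return (size_t)(channels - MAX_CHANNELS) * sizeof(ChannelInfo);
}

/* Hardened reader: validates the file-supplied channel count against the
 * array size before entering the loop. Returns 0 or a negative error code. */
int read_layer_record(const uint8_t *data, size_t len, LayerInfo *layer)
{
    Blob b = { data, len, 0, 0 };
    memset(layer, 0, sizeof *layer);
    layer->top    = (long) read_msb_long(&b);
    layer->left   = (long) read_msb_long(&b);
    layer->bottom = (long) read_msb_long(&b);
    layer->right  = (long) read_msb_long(&b);
    layer->channels = read_msb_short(&b);
    if (b.eof)
        return ERR_TRUNCATED;
    if (layer->channels > MAX_CHANNELS)      /* the check the 6.1.7 loop lacks */
        return ERR_OVERSIZED;
    for (unsigned j = 0; j < layer->channels; j++) {
        layer->channel_info[j].type = (short) read_msb_short(&b);
        layer->channel_info[j].size = read_msb_long(&b);
        if (b.eof)
            return ERR_TRUNCATED;
    }
    return 0;
}

/* Convenience wrapper: channel count on success, negative error otherwise. */
long check_record(const uint8_t *data, size_t len)
{
    LayerInfo layer;
    int rc = read_layer_record(data, len, &layer);
    return rc < 0 ? rc : (long) layer.channels;
}

/* Constructed 16x16 layer with three channels (ids 0, 1 and -1 for alpha). */
const uint8_t benign_record[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,16, 0,0,0,16,    /* top, left, bottom, right */
    0,3,                                      /* channels = 3 */
    0,0,       0,0,0,16,                      /* id 0,  16 data bytes */
    0,1,       0,0,0,16,                      /* id 1,  16 data bytes */
    0xFF,0xFF, 0,0,0,16,                      /* id -1, 16 data bytes */
};

/* Constructed hostile layer declaring 60 channels with only one present. */
const uint8_t hostile_record[] = {
    0,0,0,0, 0,0,0,0, 0,0,0,16, 0,0,0,16,
    0,60,                                     /* channels = 60 > 24 */
    0,0,       0,0,0,16,
};

int main(void)
{
    printf("benign:  rc=%ld\n", check_record(benign_record, sizeof benign_record));
    printf("hostile: rc=%ld, unchecked loop would overrun by %zu bytes\n",
           check_record(hostile_record, sizeof hostile_record), overflow_bytes(60));
    return 0;
}
```

The hostile record is rejected before the loop runs, which is the whole fix: the count is validated against the array it indexes, not merely used as a loop bound. overflow_bytes() shows what the unpatched loop would have done with the same input, namely write 36 further ChannelInfo entries beyond the end of a 24-entry array.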
Analysis:
Exploitation may allow attackers to run arbitrary code on a victim's computer if the victim opens a specially formatted image. Such images could be delivered by e-mail or HTML, in some cases, and would likely not raise suspicion on the victim's part. Exploitation is also possible when a web-based application uses ImageMagick to process user-uploaded image files.
Vendor response:
This vulnerability is addressed in ImageMagick 6.1.8-8, available for download at: http://www.imagemagick.org/www/download.html
CVE Information:
CAN-2005-0005
Disclosure timeline:
12/21/2004 - Initial vendor notification
01/14/2005 - Initial vendor response
01/17/2005 - Public disclosure