lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: 14 Jul 2003 11:31:43 -0000 From: Angelo Rosiello <guilecool@....com> To: bugtraq@...urityfocus.com Subject: ImageMagick's Overflow ImageMagick's Overflow Rosiello Security's Advisory & DTORS http://www.rosiello.org I. BACKGROUND The ImageMagick (display) is an image viewer. ImageMagick is part of the KDE desktop and is bundled with all major Linux distributions. II. DESCRIPTION A vulnerability was found in this application that could lead to the execution of arbitrary code with the privileges of the user running the program. This vulnerability can be exploited from within email clients that use ImageMagick as default for image viewing. It is possible that an user could load the "malicious" file directly,exploiting him self. III. ANALYSYS Class: Input validation error Remotely Exploitable: No Locally Exploitable: Yes but hardly Exploitation can provide local attackers with user access to an affected system. The following shows how the "malicious" file can cause the crash of ImageMagick. [root@...alhost root]# ls -l /usr/X11R6/bin/display -rwxr-xr-x 1 root root 30564 Mar 14 2002 /usr/X11R6/bin/display [root@...alhost root]# touch %x [root@...alhost root]# gdb display (gdb) r Starting program: /usr/X11R6/bin/display [New Thread 1024 (LWP 757)] At this point open the file "%x" via ImageMagick. On the gdb prompt you will see the following: Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 1024 (LWP 757)] 0x4003cf0b in SetExceptionInfo () from /usr/X11R6/lib/libMagick.so.5 (gdb) IV. DETECTION All distributions supporting ImageMagick are affected. Red Hat, Mandrake, Suse and maybe others. Vulnerable Packages: Up to 5.4.3.x, all versions are vulnerable but the last one. Mainteiners were informed and consented about this Advisory. VI. CREDITS This vulnerability was found by Angelo Rosiello. http://www.rosiello.org & http://www.dtors.net CONTACT: angelo@...iello.org
Powered by blists - more mailing lists