[UNIX] Multiple Vendor ImageMagick .psd Image File Decode Heap Overflow Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 01/18/05
To: list@securiteam.com Date: 18 Jan 2005 12:04:46 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Vendor ImageMagick .psd Image File Decode Heap Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.imagemagick.org> ImageMagick provides "a variety of graphics
image-handling libraries and capabilities. These libraries are widely used
and are shipped by default on most Unix and Linux distributions. These
libraries are commonly installed by default on computers where any other
graphical image viewer or X Desktop environment is installed (such as
Gnome or KDE)".
Remote exploitation of a heap buffer overflow vulnerability in the
ImageMagick Project's ImageMagick PSD image-decoding module could allow
an attacker to execute arbitrary code as the user processing the image.
DETAILS
Vulnerable Systems:
* ImageMagick version 6.1.7 and prior
Immune Systems:
* ImageMagick version 6.1.8-8 or newer
A heap overflow exists within ImageMagick, specifically in the decoding of
Photoshop Document (PSD) files. The vulnerable code follows:
ImageMagick-6.1.0/coders/psd.c
for (j=0; j < (long) layer_info[i].channels; j++)
{
  layer_info[i].channel_info[j].type=(short)ReadBlobMSBShort(image);
  layer_info[i].channel_info[j].size=ReadBlobMSBLong(image);
  [...]
}
The array channel_info is only 24 elements large, while the loop bound,
layer_info[i].channels, is a 16-bit value read directly from the image file
and is never compared against that capacity. A layer record that declares
more than 24 channels therefore makes the loop write channel_info entries
past the end of the array, corrupting the heap. If the adjacent heap
structures are overwritten in a controlled way, execution of arbitrary code
is possible.
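The pattern above, as an added example that is not ImageMagick's code: a small PSD layer-record reader in C that carries the bounds check the quoted 6.1.x loop lacks, exercised on a constructed benign record and on a constructed record that declares 30 channels. The record layout (a 16-byte rectangle, a 16-bit channel count, then 6-byte channel entries) is a simplified stand-in for the real PSD layer header, the in-memory blob_t reader stands in for ImageMagick's blob I/O, and the 24-entry capacity is taken from the advisory; every name in the block is the example's own.

```c
/* Added example, not ImageMagick source. Simplified PSD layer record:
 * 4 x 32-bit rectangle, 16-bit channel count, then channels x (16-bit type,
 * 32-bit size), all big-endian. The layout is an assumption for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PSD_CHANNELS 24   /* capacity of channel_info[] per the advisory */

typedef struct { int16_t type; uint32_t size; } channel_info_t;

typedef struct {
    int32_t top, left, bottom, right;            /* layer rectangle */
    uint16_t channels;                           /* file-controlled count */
    channel_info_t channel_info[MAX_PSD_CHANNELS];
} layer_info_t;

/* Cursor over an in-memory blob, standing in for ReadBlobMSB{Short,Long}. */
typedef struct { const uint8_t *data; size_t len, off; } blob_t;

static int read_msb_short(blob_t *b, uint16_t *out) {
    if (b->len - b->off < 2) return -1;
    *out = (uint16_t)((b->data[b->off] << 8) | b->data[b->off + 1]);
    b->off += 2;
    return 0;
}

static int read_msb_long(blob_t *b, uint32_t *out) {
    if (b->len - b->off < 4) return -1;
    *out = ((uint32_t)b->data[b->off] << 24) | ((uint32_t)b->data[b->off + 1] << 16)
         | ((uint32_t)b->data[b->off + 2] << 8) | (uint32_t)b->data[b->off + 3];
    b->off += 4;
    return 0;
}

enum { PSD_OK = 0, PSD_TRUNCATED = -1, PSD_TOO_MANY_CHANNELS = -2 };

/* Parse one layer record. Unlike the quoted 6.1.x loop, the channel count is
 * compared against the array capacity before any channel_info[j] is written,
 * so a crafted count becomes a parse error instead of a heap write. */
int parse_layer(blob_t *b, layer_info_t *layer) {
    uint32_t rect[4], v;
    uint16_t s;
    memset(layer, 0, sizeof *layer);
    for (int k = 0; k < 4; k++)
        if (read_msb_long(b, &rect[k])) return PSD_TRUNCATED;
    layer->top = (int32_t)rect[0];  layer->left  = (int32_t)rect[1];
    layer->bottom = (int32_t)rect[2]; layer->right = (int32_t)rect[3];
    if (read_msb_short(b, &s)) return PSD_TRUNCATED;
    layer->channels = s;
    if (layer->channels > MAX_PSD_CHANNELS) return PSD_TOO_MANY_CHANNELS;  /* the missing check */
    for (uint16_t j = 0; j < layer->channels; j++) {
        if (read_msb_short(b, &s)) return PSD_TRUNCATED;
        layer->channel_info[j].type = (int16_t)s;
        if (read_msb_long(b, &v)) return PSD_TRUNCATED;
        layer->channel_info[j].size = v;
    }
    return PSD_OK;
}

/* Bytes the unchecked loop would write past channel_info[] for a given count
 * (computed, never performed: doing it would be undefined behaviour). */
size_t overflow_bytes(uint16_t channels) {
    if (channels <= MAX_PSD_CHANNELS) return 0;
    return (size_t)(channels - MAX_PSD_CHANNELS) * sizeof(channel_info_t);
}

/* Build a constructed layer record with `channels` entries (type j, size 0x1000+j). */
size_t build_layer_record(uint8_t *buf, size_t cap, uint16_t channels) {
    size_t need = 16 + 2 + (size_t)channels * 6;
    if (cap < need) return 0;
    memset(buf, 0, 16);                               /* zero rectangle */
    buf[16] = (uint8_t)(channels >> 8); buf[17] = (uint8_t)channels;
    for (uint16_t j = 0; j < channels; j++) {
        uint8_t *e = buf + 18 + (size_t)j * 6;
        e[0] = 0; e[1] = (uint8_t)j;                  /* type = j */
        e[2] = 0; e[3] = 0; e[4] = 0x10; e[5] = (uint8_t)j;  /* size = 0x1000 + j */
    }
    return need;
}

/* Scenario helpers: 1 when the reader behaves as described, 0 otherwise. */
int demo_benign_record(void) {
    uint8_t buf[64]; layer_info_t layer;
    size_t n = build_layer_record(buf, sizeof buf, 3);
    blob_t b = { buf, n, 0 };
    return n == 36 && parse_layer(&b, &layer) == PSD_OK && layer.channels == 3
        && layer.channel_info[2].type == 2 && layer.channel_info[2].size == 0x1002
        && b.off == n;
}

int demo_crafted_record(void) {
    uint8_t buf[256]; layer_info_t layer;
    size_t n = build_layer_record(buf, sizeof buf, 30);   /* 30 > 24 channels */
    blob_t b = { buf, n, 0 };
    return n == 198 && parse_layer(&b, &layer) == PSD_TOO_MANY_CHANNELS
        && overflow_bytes(30) == 6 * sizeof(channel_info_t);
}

int main(void) {
    printf("benign record parsed: %d\n", demo_benign_record());
    printf("crafted record rejected: %d\n", demo_crafted_record());
    printf("unchecked loop would overrun by %zu bytes for 30 channels\n", overflow_bytes(30));
    return 0;
}
```

The overrun is six channel_info entries for a 30-channel layer, which is why the reader only computes it rather than running the unchecked loop. A record cut short after the channel count is reported as truncated rather than read past the blob, which is the other length assumption the original loop makes.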
Analysis:
Exploitation may allow attackers to run arbitrary code on a victim's
computer if the victim opens a specially formatted image. Such images
could be delivered by e-mail or HTML, in some cases, and would likely not
raise suspicion on the victim's part. Exploitation is also possible when a
web-based application uses ImageMagick to process user-uploaded image
files.
Vendor response:
This vulnerability is addressed in ImageMagick 6.1.8-8, available for
download at: <http://www.imagemagick.org/www/download.html>
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0005>
CAN-2005-0005
Disclosure timeline:
12/21/2004 - Initial vendor notification
01/14/2005 - Initial vendor response
01/17/2005 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:customerservice@idefense.com> iDEFENSE. The vulnerability has been
discovered by Andrei Nigmatulin.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=184&type=vulnerabilities&flashstatus=true>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.