[NEWS] Multiple Vendor ImageMagick DCM and XWD Buffer Overflow Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Multiple Vendor ImageMagick DCM and XWD Buffer Overflow Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://www.imagemagick.org/> ImageMagick is "used as a suite of image
manipulation tools (animate, composite, conjure, convert, display,
identify, import, mogrify, and montage) which are sometimes used by other
applications for processing image files".

Remote exploitation of several buffer overflow vulnerabilities in
ImageMagick, as included in various vendors' operating system
distributions, allows attackers to execute arbitrary code with the
credentials used for image processing.

DETAILS

Vulnerable Systems:
* ImageMagick version 6.3.x.
* Additionally, the source code for versions 6.3.1, 6.3.2, 6.3.3-3 and
6.2.9 contain the affected code.
* It is suspected that earlier versions of ImageMagick are also
vulnerable.

An integer overflow exists ImageMagick's handling of DCM (Digital Imaging
and Communications in Medicine) format files which allows an attacker to
cause a heap-based buffer overflow. This vulnerability specifically exists
in the ReadDCMImage() function.

Two integer overflows exists ImageMagick's handling of XWD (X Windows
Dump) format files that allows an attacker to cause a heap-based buffer
overflow. The vulnerabilities specifically exist in the ReadXWDImage()
function. An integer overflow could occur when calculating the amount of
memory to allocate for the 'colors' or 'comment' field.

Exploitation of these vulnerabilities allows attackers to execute
arbitrary code in the context of the user that started the affected
program. Since the tools that are part of ImageMagick are sometimes used
as helper tools by web applications, this user may be the same as the
httpd user.

To exploit these vulnerabilities, an attacker would need to get a
maliciously constructed image file processed by one of the affected
applications. This could be accomplished by uploading to a web-application
or using social engineering tactics.

While neither aforementioned format is widely used, ImageMagick does not
determine the file type by its extension, allowing it to be disguised as
another file type.

Workaround:
Exposure to these vulnerabilities can be mitigated by moving or deleting
the DCM and XWD module files from the ImageMagick modules directory.
However, this will remove support for these image formats altogether.

Vendor Status:
The ImageMagick maintainers have addressed these vulnerabilities in
version 6.3.3-5 of ImageMagick.

Disclosure Timeline:
* 02/28/2007 - Initial vendor notification
* 03/20/2007 - Initial vendor response
* 03/31/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=496>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=496



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages