ImageMagick BMP Coder Out-Of-Bounds Write Vulnerability

2016.09.26
Risk: High
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Hi. This is PwChen of Tencent's Xuanwu Lab & RayZhong of Tencent's Keen Lab. During our research, we found an Out-Of-Bounds write vulnerability in ImageMagick's BMP coder. When ImageMagick converts another format to BMP, it passes the image's height and width parameters into the BMP coder. The BMP coder calculates the image size by multiplying the height and width, and this multiplication can overflow arithmetically, so the computed size wraps to a value smaller than the real one. This directly causes an Out-Of-Bounds Write. The ImageMagick team has fixed the vulnerability we reported.

Attached is a proof of concept:

    python -c 'print "P3\x0a14096\x201048576\x0a255\x00"' > PoC.ppm
    convert PoC.ppm crash.bmp

Upstream fix:
https://github.com/ImageMagick/ImageMagick/commit/e7094d16cd8aee6bb48cf1d369f617f7edf89993
https://github.com/ImageMagick/ImageMagick/commit/4cc6ec8a4197d4c008577127736bf7985d632323

Debian Bug report:
https://bugs.debian.org/834504

Regards,
Peiwen Chen
Tencent's Xuanwu Lab
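The size computation the advisory describes, as an added example that is not ImageMagick's code: a naive 32-bit stride * height calculation beside a checked one, fed the PoC's dimensions. Assumptions: 24-bit output (3 bytes per pixel), the BMP format's 4-byte row padding, and a cap at the format's 32-bit image-size field.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not ImageMagick's code. Width 14096 and height 1048576 come
 * from the PoC's PPM header; 3 bytes per pixel, 4-byte row padding and the
 * 32-bit BMP size field are assumptions about the output format. */

#define BMP_SIZE_FIELD_MAX UINT32_MAX   /* biSizeImage is a 32-bit field */

/* Bug pattern: all arithmetic in 32 bits, so stride * height wraps mod 2^32
 * and a ~44 GB image reports a ~1.3 GB size that a caller would allocate. */
uint32_t naive_bmp_image_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t stride = (width * bpp + 3) & ~3u;   /* rows padded to 4 bytes */
    return stride * height;                      /* silently wraps */
}

/* Hardened: widen to 64 bits and test against the cap before multiplying;
 * returns false when the image cannot be represented, so the caller refuses
 * it instead of allocating a buffer smaller than the pixel data. */
bool checked_bmp_image_size(uint32_t width, uint32_t height, uint32_t bpp,
                            uint64_t *out)
{
    if (bpp == 0 || bpp > 4)
        return false;
    uint64_t stride = (((uint64_t)width * bpp) + 3) & ~(uint64_t)3;
    if (stride != 0 && height > BMP_SIZE_FIELD_MAX / stride)
        return false;                            /* stride * height > cap */
    *out = stride * height;
    return true;
}

int main(void)
{
    uint64_t size;
    uint32_t w = 14096, h = 1048576;             /* from the PoC's PPM header */
    printf("naive:   %u bytes\n", naive_bmp_image_size(w, h, 3));
    if (checked_bmp_image_size(w, h, 3, &size))
        printf("checked: %llu bytes\n", (unsigned long long)size);
    else
        printf("checked: rejected (exceeds 32-bit BMP size field)\n");
    return 0;
}
```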

References:

https://github.com/ImageMagick/ImageMagick/commit/e7094d16cd8aee6bb48cf1d369f617f7edf89993
https://github.com/ImageMagick/ImageMagick/commit/4cc6ec8a4197d4c008577127736bf7985d632323
https://bugs.debian.org/834504

