imagemagick mogrify global buffer overflow

Published
Credit
Risk
2016.10.01
Marco Grassi
High
CWE
CVE
Local
Remote
CWE-119
N/A
No
Yes

Hi,

imagemagick identify suffers of a global buffer overflow issue, which I
reported and has been patched, you can find a reproducer in the github bug
tracker issue link

issue: https://github.com/ImageMagick/ImageMagick/issues/280
patch:
https://github.com/ImageMagick/ImageMagick/commit/a7bb158b7bedd1449a34432feb3a67c8f1873bfa

Thanks,

Marco Grassi (@marcograss) of Tencent's Keen Lab

➜ utilities git:(master) ✗ ./magick mogrify
../../ImageMagick_bugs/mogrify_gbof~~

==26125==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000037a74fc at pc 0x00000077c9ba bp 0x7ffdffbaac70 sp 0x7ffdffbaac68
READ of size 4 at 0x0000037a74fc thread T0
#0 0x77c9b9
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x77c9b9)
#1 0x78024f
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x78024f)
#2 0x18bed91
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x18bed91)
#3 0x18c2594
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x18c2594)
#4 0x2ff1c7f
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x2ff1c7f)
#5 0x2f8cead
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x2f8cead)
#6 0x4f5da9
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x4f5da9)
#7 0x7f3717a6b82f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x422428
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x422428)

0x0000037a74fc is located 4 bytes to the left of global variable
'format_bytes' defined in 'MagickCore/profile.c:1945:5' (0x37a7500) of size
52
0x0000037a74fc is located 34 bytes to the right of global variable ''
defined in 'MagickCore/profile.c:1306:38' (0x37a74c0) of size 26
'' is ascii string 'ResetImageProfileIterator'
SUMMARY: AddressSanitizer: global-buffer-overflow
(/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x77c9b9)
Shadow bytes around the buggy address:
0x0000806ece40: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
0x0000806ece50: f9 f9 f9 f9 00 00 00 03 f9 f9 f9 f9 05 f9 f9 f9
0x0000806ece60: f9 f9 f9 f9 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9
0x0000806ece70: 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 06 f9
0x0000806ece80: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 00 00
=>0x0000806ece90: 00 06 f9 f9 f9 f9 f9 f9 00 00 00 02 f9 f9 f9[f9]
0x0000806ecea0: 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 05 f9 f9 f9
0x0000806eceb0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0000806ecec0: 00 00 00 00 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
0x0000806eced0: 04 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
0x0000806ecee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26125==ABORTING

References:

https://github.com/ImageMagick/ImageMagick/issues/280


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com