ImageMagick's Overflow

2003-07-15T00:00:00
ID SECURITYVULNS:DOC:4835
Type securityvulns
Reporter Securityvulns
Modified 2003-07-15T00:00:00

Description

                   ImageMagick's Overflow


                Rosiello Security's Advisory
                             &
                           DTORS

http://www.rosiello.org

I. BACKGROUND The ImageMagick (display) is an image viewer. ImageMagick is part of the KDE desktop and is bundled with all major Linux distributions.

II. DESCRIPTION A vulnerability was found in this application that could lead to the execution of arbitrary code with the privileges of the user running the program. This vulnerability can be exploited from within email clients that use ImageMagick as default for image viewing. It is possible that an user could load the "malicious" file directly,exploiting him self.

III. ANALYSYS Class: Input validation error Remotely Exploitable: No Locally Exploitable: Yes but hardly Exploitation can provide local attackers with user access to an affected system. The following shows how the "malicious" file can cause the crash of ImageMagick. [root@localhost root]# ls -l /usr/X11R6/bin/display -rwxr-xr-x 1 root root 30564 Mar 14 2002 /usr/X11R6/bin/display [root@localhost root]# touch %x [root@localhost root]# gdb display (gdb) r Starting program: /usr/X11R6/bin/display [New Thread 1024 (LWP 757)]

At this point open the file "%x" via ImageMagick. On the gdb prompt you will see the following:

Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 1024 (LWP 757)] 0x4003cf0b in SetExceptionInfo () from /usr/X11R6/lib/libMagick.so.5 (gdb)

IV. DETECTION All distributions supporting ImageMagick are affected. Red Hat, Mandrake, Suse and maybe others. Vulnerable Packages: Up to 5.4.3.x, all versions are vulnerable but the last one. Mainteiners were informed and consented about this Advisory.

VI. CREDITS This vulnerability was found by Angelo Rosiello.

http://www.rosiello.org & http://www.dtors.net

CONTACT: angelo@rosiello.org