Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:92569
HistoryDec 08, 2016 - 12:00 a.m.

ImageMagick Convert Tiff Adobe Deflate 任意代码执行漏洞(CVE-2016-8707)

2016-12-0800:00:00
Root
www.seebug.org
25

0.011 Low

EPSS

Percentile

82.6%

JSON

This vulnerability is present in the convert utility bundled with ImageMagick. Thus utility is used by many web applications to parse and convert images and other formats inter changeably. It is a very popular piece of software for this use. The vulnerability arises when attempting to deflate an Adobe Deflate compressed Tiff image.
The vulnerability arises in the way that ImageMagick handles compressed data inside of an image. The size necessary to hold the decompressed data is calculated and then passed in to LibTiff but it is not large enough to hold the decompressed stream.
The buffer is calculated here:

pixels=(unsigned char *) GetQuantumPixels(quantum_info);

and then passed in here as op:

static int
ZIPDecode(TIFF* tif, uint8* op, tmsize_t occ, uint16 s)
{

Finally this buffer is used as the next available buffer in a stream which has more data than is available and the out of bounds write occurs.

  sp->stream.next_out = op;

  ...

  int state = inflate(&sp->stream, Z_PARTIAL_FLUSH);

This is a controlled out of bounds write that under proper circumstances could be exploited into full remote code execution.

CRASH INFORMATION

Crashed thread log =
: Dispatch queue: com.apple.main-thread
frame #0: 0x00007fff9563d9c2 libz.1.dylib`inflate + 2549
frame #1: 0x0000000100fec96a libtiff.5.dylib`ZIPDecode(tif=0x0000000103bf9bb0, op=<unavailable>,
occ=<unavailable>,s=<unavailable>) + 186 at tif_zip.c:185
frame #2: 0x0000000100fe89d5 libtiff.5.dylib`TIFFReadScanline(tif=0x0000000103bf9bb0, buf=0x0000000105114ef0, row=0,
sample=0) + 693 at tif_read.c:299
frame #3: 0x0000000100979499 libMagickCore-7.Q16HDRI.0.dylib`ReadTIFFImage [inlined] TIFFReadPixels(bits_per_sample=0) +
27993
at tiff.c:873
frame #4: 0x000000010097948b libMagickCore-7.Q16HDRI.0.dylib`ReadTIFFImage(image_info=0x0000000101cb8de0,
exception=0x0000000101b4bfc0) + 27979 at tiff.c:1708
frame #5: 0x00000001000f69e8 libMagickCore-7.Q16HDRI.0.dylib`ReadImage(image_info=0x0000000101c61de0,
exception=0x0000000101b4bfc0) + 3720 at constitute.c:554
frame #6: 0x00000001000f9557 libMagickCore-7.Q16HDRI.0.dylib`ReadImages(image_info=0x0000000101bd4de0,
filename="crash1.tif", exception=0x0000000101b4bfc0) + 1447

---
exception=EXC_BAD_ACCESS:signal=11:is_exploitable=yes:instruction_disassembly=.byte 0xc5 #bad
opcode:instruction_address=0x00007fff8b1b303b:access_type=unknown:access_address=0x000000010985b000:
Crash accessing invalid address.  Consider running it again with libgmalloc(3) to see if the log changes.

CREDIT

Discovered by Tyler Bohan of Cisco Talos
####TIMELINE
2016-10-10 - Vendor Disclosure
2016-12-03 - Public Release

Related

prion 1
cve 1
debiancve 1
checkpoint_advisories 1
redhatcve 1
ubuntucve 1
openvas 38
myhack58 1
veracode 1
talos 1
debian 2
nessus 11
suse 3
ubuntu 1
cloudfoundry 1
osv 2
fedora 25
mageia 1
prion
prion
Remote code execution
2016-12-23 22:59:00
cve
cve
CVE-2016-8707
2016-12-23 22:59:00
debiancve
debiancve
CVE-2016-8707
2016-12-23 22:59:00
checkpoint_advisories
checkpoint_advisories
Imagemagick Compressed TIFF File Conversion Remote Code Execution (CVE-2016-8707)
2016-12-29 00:00:00
redhatcve
redhatcve
CVE-2016-8707
2016-12-23 07:47:30
ubuntucve
ubuntucve
CVE-2016-8707
2016-12-23 00:00:00
openvas
openvas
ImageMagick Convert Tiff Adobe Deflate Code Execution Vulnerability - Mac OS X
2016-12-29 00:00:00
ImageMagick Convert Tiff Adobe Deflate Code Execution Vulnerability - Windows
2016-12-29 00:00:00
openSUSE: Security Advisory for ImageMagick (openSUSE-SU-2016:3233-1)
2016-12-23 00:00:00
myhack58
myhack58
ImageMagick compression of TIFF image remote code execution vulnerability, CVE-2016-8707-a vulnerability warning-the black bar safety net
2016-12-08 00:00:00
veracode
veracode
Remote Code Execution (RCE)
2017-04-03 02:50:30
talos
talos
ImageMagick Convert Tiff Adobe Deflate Code Execution Vulnerability
2016-12-03 00:00:00
debian
debian
[SECURITY] [DLA 756-1] imagemagick security update
2016-12-22 01:52:15
[SECURITY] [DSA 3799-1] imagemagick security update
2017-03-01 22:06:44
nessus
nessus
openSUSE Security Update : ImageMagick (openSUSE-2016-1512)
2016-12-27 00:00:00
Debian DLA-756-1 : imagemagick security update
2016-12-22 00:00:00
SUSE SLES11 Security Update : ImageMagick (SUSE-SU-2016:3256-1)
2016-12-27 00:00:00
suse
suse
Security update for ImageMagick (important)
2016-12-22 15:08:57
Security update for ImageMagick (important)
2017-01-04 18:07:50
Security update for ImageMagick (important)
2016-12-23 16:09:35
ubuntu
ubuntu
ImageMagick vulnerabilities
2017-03-08 00:00:00
cloudfoundry
cloudfoundry
USN-3222-1: ImageMagick vulnerabilities | Cloud Foundry
2017-03-31 00:00:00
osv
osv
imagemagick - security update
2017-03-01 00:00:00
imagemagick - security update
2016-12-22 00:00:00
fedora
fedora
[SECURITY] Fedora 26 Update: vdr-scraper2vdr-1.0.5-4.20170611git254122b.fc26
2017-09-19 03:27:38
[SECURITY] Fedora 26 Update: pfstools-2.0.6-3.fc26
2017-09-19 03:27:29
[SECURITY] Fedora 26 Update: imageinfo-0.05-27.fc26
2017-09-19 03:27:25
mageia
mageia
Updated imagemagick packages fix security vulnerabilities
2018-05-12 09:28:12

0.011 Low

EPSS

Percentile

82.6%

JSON
Related for SSV:92569
prion1cve1debiancve1checkpoint_advisories1redhatcve1ubuntucve1openvas38myhack581veracode1talos1debian2nessus11suse3ubuntu1cloudfoundry1osv2fedora25mageia1