Home / exploits Imagemagick mogrify global buffer overflow
Posted on 30 November -0001
<HTML><HEAD><TITLE>imagemagick mogrify global buffer overflow</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Hi, imagemagick identify suffers of a global buffer overflow issue, which I reported and has been patched, you can find a reproducer in the github bug tracker issue link issue: https://github.com/ImageMagick/ImageMagick/issues/280 patch: https://github.com/ImageMagick/ImageMagick/commit/a7bb158b7bedd1449a34432feb3a67c8f1873bfa Thanks, Marco Grassi (@marcograss) of Tencent's Keen Lab ➜ utilities git:(master) ✗ ./magick mogrify ../../ImageMagick_bugs/mogrify_gbof~~ ==26125==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000037a74fc at pc 0x00000077c9ba bp 0x7ffdffbaac70 sp 0x7ffdffbaac68 READ of size 4 at 0x0000037a74fc thread T0 #0 0x77c9b9 (/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x77c9b9) #1 0x78024f (/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x78024f) #2 0x18bed91 (/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x18bed91) #3 0x18c2594 (/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x18c2594) #4 0x2ff1c7f (/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x2ff1c7f) #5 0x2f8cead (/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x2f8cead) #6 0x4f5da9 (/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x4f5da9) #7 0x7f3717a6b82f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #8 0x422428 (/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x422428) 0x0000037a74fc is located 4 bytes to the left of global variable 'format_bytes' defined in 'MagickCore/profile.c:1945:5' (0x37a7500) of size 52 0x0000037a74fc is located 34 bytes to the right of global variable '' defined in 'MagickCore/profile.c:1306:38' (0x37a74c0) of size 26 '' is ascii string 'ResetImageProfileIterator' SUMMARY: AddressSanitizer: global-buffer-overflow (/home/bob/VulnResearch/misc/ImageMagick/utilities/magick+0x77c9b9) Shadow bytes around the buggy address: 0x0000806ece40: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 0x0000806ece50: f9 f9 f9 f9 00 00 00 03 f9 f9 f9 f9 05 f9 f9 f9 0x0000806ece60: f9 f9 f9 f9 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9 0x0000806ece70: 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 06 f9 0x0000806ece80: f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9 00 00 00 00 =>0x0000806ece90: 00 06 f9 f9 f9 f9 f9 f9 00 00 00 02 f9 f9 f9[f9] 0x0000806ecea0: 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 05 f9 f9 f9 0x0000806eceb0: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 0x0000806ecec0: 00 00 00 00 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 0x0000806eced0: 04 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 0x0000806ecee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==26125==ABORTING </BODY></HTML>