Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160511120119.056ad3c2@pc1>
Date: Wed, 11 May 2016 12:01:19 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: ImageMagick heap overflow and out of bounds read

https://blog.fuzzing-project.org/45-ImageMagick-heap-overflow-and-out-of-bounds-read.html

Recently the ImageTragick vulnerability shed some light on the security
status of ImageMagick.

This made me wonder how resilient to fuzzing ImageMagick is these days.
It's pretty much a posterchild example for a good fuzzing target: Lots
of supported complex binary file formats.

I already did some fuzzing on ImageMagick, but as far as I remember
that was before I used american fuzzy lop and was done with zzuf. I was
also aware that others did some more thorough fuzzing on ImageMagick.
http://www.openwall.com/lists/oss-security/2014/12/24/1

What I did now was relatively simple: I took a trivial, few pixels PNG
and used ImageMagick's "convert" tool to convert it into all file
formats that have both read and write support in ImageMagick. I used
that to run a fuzzing job with afl and asan. By design ImageMagick will
sometimes do huge memory allocations, these can be prevented by setting
limits for the width, height and memory usage in the policy.xml file.

I discovered one heap buffer overflow in the PICT parser and one heap
out of bounds read in the PSD parser. Given how big the attack surface
is this is not terrible, but it shows that despite previous efforts
there's still potential to fuzz ImageMagick.

https://crashes.fuzzing-project.org/imagemagick-heapoverflow-WritePixelCachePixels.pict
Sample file for heap buffer overflow in WritePixelCachePixels() (PICT
format)
https://github.com/ImageMagick/ImageMagick/commit/cfbe890d0cfcd5d3b0f63744a6901e40e992e07c
Git commit / fix

https://crashes.fuzzing-project.org/imagemagick-oob-heap-read-PushShortPixel.psd
Sample file for heap out of bounds read in PushShortPixel() (PSD format)
https://github.com/ImageMagick/ImageMagick/commit/15dd190dfd7e7a3341bdc378f4f0daba9873322c
Git commit / fix

https://www.imagemagick.org/script/changelog.php
Both issues have been fixed in the versions 6.9.4-0 and 7.0.1-2. In the
meantime new versions (6.9.4-1, 7.0.1-3) came out that, as far as I
understand the ChangeLog, remove another potential vector for the
ImageTragick vulnerabilities, so you should preferrably update to those.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.