[30726] in bugtraq
ImageMagick's Overflow
daemon@ATHENA.MIT.EDU (Angelo Rosiello)
Mon Jul 14 14:50:45 2003
Date: 14 Jul 2003 11:31:43 -0000
Message-ID: <20030714113143.16022.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Angelo Rosiello <guilecool@usa.com>
To: bugtraq@securityfocus.com
ImageMagick's Overflow
Rosiello Security's Advisory
&
DTORS
http://www.rosiello.org
I. BACKGROUND
The ImageMagick (display) is an image viewer.
ImageMagick is part of the KDE desktop and is
bundled with all major Linux distributions.
II. DESCRIPTION
A vulnerability was found in this application that could lead to the
execution of arbitrary code with the privileges of the user running the
program.
This vulnerability can be exploited from within email clients that use
ImageMagick
as default for image viewing.
It is possible that an user could load the "malicious" file
directly,exploiting him self.
III. ANALYSYS
Class: Input validation error
Remotely Exploitable: No
Locally Exploitable: Yes but hardly
Exploitation can provide local attackers with user access to an affected
system.
The following shows how the "malicious" file can cause the crash of
ImageMagick.
[root@localhost root]# ls -l /usr/X11R6/bin/display
-rwxr-xr-x 1 root root 30564 Mar 14 2002 /usr/X11R6/bin/display
[root@localhost root]# touch %x
[root@localhost root]# gdb display
(gdb) r
Starting program: /usr/X11R6/bin/display
[New Thread 1024 (LWP 757)]
At this point open the file "%x" via ImageMagick.
On the gdb prompt you will see the following:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 757)]
0x4003cf0b in SetExceptionInfo () from /usr/X11R6/lib/libMagick.so.5
(gdb)
IV. DETECTION
All distributions supporting ImageMagick are affected.
Red Hat, Mandrake, Suse and maybe others.
Vulnerable Packages:
Up to 5.4.3.x, all versions are vulnerable but the last one.
Mainteiners were informed and consented about this Advisory.
VI. CREDITS
This vulnerability was found by Angelo Rosiello.
http://www.rosiello.org
&
http://www.dtors.net
CONTACT: angelo@rosiello.org
