
cpu exhaustion in ReadWPGImage #870

Closed
henices opened this Issue Nov 20, 2017 · 2 comments


henices commented Nov 20, 2017

Hello all.
We found a denial of service (DoS) issue in ImageMagick 7.0.7-12 Q16 x86_64, which can cause huge CPU consumption (CPU at 100%).

The policy.xml is as follows:

<policymap>
  <policy domain="resource" name="temporary-path" value="/tmp"/>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="width" value="8KP"/>
  <policy domain="resource" name="height" value="8KP"/>
  <policy domain="resource" name="area" value="16KP"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="resource" name="file" value="768"/>
  <policy domain="resource" name="thread" value="2"/>
  <policy domain="resource" name="throttle" value="0"/>
  <policy domain="resource" name="time" value="120"/>
  <policy domain="system" name="precision" value="6"/>
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="filter" rights="none" pattern="*" />
  <policy domain="delegate" rights="none" pattern="HTTPS" />  
  <policy domain="path" rights="none" pattern="@*"/>  
</policymap>

convert ReadWPGImage-cpu-exhaustion /dev/null

gdb backtrace

0x00007ffff413e1c5 in ReadBlobByte (image=0x607c00011900) at MagickCore/blob.c:3661            
3661          p=(const unsigned char *) ReadBlobStream(image,1,buffer,&count);                 
(gdb) bt                                       
#0  0x00007ffff413e1c5 in ReadBlobByte (image=0x607c00011900) at MagickCore/blob.c:3661        
#1  0x00007ffff47dc5f0 in ExtractPostscript (image=0x607c00011900, image_info=0x607a0000d100, PS_Offset=71672, PS_Size=2013292078, exception=0x600c0000b0c0) at coders/wpg.c:769               
#2  0x00007ffff47e10a2 in ReadWPGImage (image_info=0x607a0000d100, exception=0x600c0000b0c0) at coders/wpg.c:1408                                                                              
#3  0x00007ffff41c56d6 in ReadImage (image_info=0x607a00010500, exception=0x600c0000b0c0) at MagickCore/constitute.c:497                                                                       
#4  0x00007ffff41c7d3c in ReadImages (image_info=0x607a00013900, filename=0x60040000c710 "/tmp/cpu4.poc", exception=0x600c0000b0c0) at MagickCore/constitute.c:866                             
#5  0x00007ffff39e179c in ConvertImageCommand (image_info=0x607a00013900, argc=3, argv=0x60060000ed10, metadata=0x7fffffffc090, exception=0x600c0000b0c0) at MagickWand/convert.c:641          
#6  0x00007ffff3b84a11 in MagickCommandGenesis (image_info=0x607a00016d00, command=0x4010d0 <ConvertImageCommand@plt>, argc=3, argv=0x7fffffffe4d8, metadata=0x0, exception=0x600c0000b0c0)    
    at MagickWand/mogrify.c:183                                                                
#7  0x000000000040164d in MagickMain (argc=3, argv=0x7fffffffe4d8) at utilities/magick.c:149   
#8  0x00000000004017e2 in main (argc=3, argv=0x7fffffffe4d8) at utilities/magick.c:180   

When debugging, we found a very large number in PS_Size:

(gdb) n                                                                                                                                                                                        
3662          if (count != 1)                                                                                                                                                                  
(gdb)                                                                         
3663            return(EOF);                                                   
(gdb)                                                                          
3625    {                                                                      
(gdb)                                                                           
3668    }                                                                     
(gdb)                                                                          
ExtractPostscript (image=0x607c00011900, image_info=0x607a0000d100, PS_Offset=71672, PS_Size=2013292078, exception=0x600c0000b0c0) at coders/wpg.c:767                                         
767       while(PS_Size-- > 0)                                                 
(gdb)                                                                           
769           (void) fputc(ReadBlobByte(image),ps_file);                                       
(gdb)                                          
767       while(PS_Size-- > 0)                 
(gdb)                                          
769           (void) fputc(ReadBlobByte(image),ps_file);                                       
(gdb)                                                                     
767       while(PS_Size-- > 0)                 
(gdb)                                            
769           (void) fputc(ReadBlobByte(image),ps_file);                                       
(gdb)                                                             
767       while(PS_Size-- > 0)                                            
(gdb)                                          
769           (void) fputc(ReadBlobByte(image),ps_file);                                       
(gdb)                                               
767       while(PS_Size-- > 0)                 
(gdb)                                          
769           (void) fputc(ReadBlobByte(image),ps_file);                                       
(gdb)                                            
767       while(PS_Size-- > 0)                 
(gdb)                                                          
769           (void) fputc(ReadBlobByte(image),ps_file);                                       
(gdb)                                          
767       while(PS_Size-- > 0)                                  
(gdb)                                          
769           (void) fputc(ReadBlobByte(image),ps_file);                                       
(gdb) p PS_Size                                
$1 = 2013292071    

testcase:
https://github.com/henices/pocs/raw/master/ReadWPGImage-cpu-exhaustion

Credit: NSFocus Security Team <security (at) nsfocus (dot) com>
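The spin shown in the trace above, modelled as an added C example (this is not ImageMagick code and not the maintainers' fix; Blob, blob_read_byte, extract_unbounded and extract_bounded are hypothetical stand-ins for the image blob and the ExtractPostscript loop). It contrasts the loop whose bound is the file-supplied PS_Size with a version that validates that size against the bytes actually available and stops at EOF:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not ImageMagick code. Blob and the functions below are
   hypothetical stand-ins for the blob reader and ExtractPostscript loop
   visible in the issue's gdb trace. */
typedef struct {
    const unsigned char *data;
    size_t length;
    size_t offset;
} Blob;

/* Same contract as ReadBlobByte in the trace: returns EOF once the input is
   exhausted, but never terminates the caller's loop on its own. */
static int blob_read_byte(Blob *blob)
{
    if (blob->offset >= blob->length)
        return EOF;
    return blob->data[blob->offset++];
}

/* Vulnerable pattern from the trace: the loop bound is the untrusted PS_Size
   field taken verbatim from the file, so a huge value keeps the loop spinning
   on EOF long after the real bytes are gone. Returns the iteration count and
   reports how many iterations hit EOF (pure wasted CPU). */
static long extract_unbounded(Blob *blob, long ps_size, long *eof_hits)
{
    long iterations = 0;
    *eof_hits = 0;
    while (ps_size-- > 0) {
        int c = blob_read_byte(blob);
        if (c == EOF)
            (*eof_hits)++;      /* the real loop would fputc(EOF) here */
        iterations++;
    }
    return iterations;
}

/* Hardened pattern: reject a declared size the blob cannot supply, and as
   defence in depth stop at the first EOF instead of spinning.
   Returns the number of bytes copied, or -1 when the header is inconsistent. */
static long extract_bounded(Blob *blob, unsigned char *out, size_t out_cap, long ps_size)
{
    size_t remaining, copied = 0;
    if (blob->offset > blob->length || ps_size < 0)
        return -1;
    remaining = blob->length - blob->offset;
    if ((size_t) ps_size > remaining || (size_t) ps_size > out_cap)
        return -1;              /* declared size exceeds what the input holds */
    while (copied < (size_t) ps_size) {
        int c = blob_read_byte(blob);
        if (c == EOF)
            break;              /* truncated input: stop, do not spin */
        out[copied++] = (unsigned char) c;
    }
    return (long) copied;
}

/* Constructed sample input: 16 bytes, with the reader positioned 4 bytes in,
   so only 12 real bytes remain. */
static const unsigned char kSample[] = "0123456789abcdef";

static Blob sample_blob(void)
{
    Blob b = { kSample, sizeof(kSample) - 1, 4 };
    return b;
}

/* How many EOF iterations the unbounded loop burns for a given PS_Size. */
long wasted_iterations_for_size(long ps_size)
{
    Blob b = sample_blob();
    long eof_hits;
    (void) extract_unbounded(&b, ps_size, &eof_hits);
    return eof_hits;
}

/* What the bounded loop returns for a given PS_Size on the sample blob. */
long bounded_result_for_size(long ps_size)
{
    Blob b = sample_blob();
    unsigned char out[64];
    return extract_bounded(&b, out, sizeof out, ps_size);
}

/* A consistent size copies exactly the declared bytes from the current offset. */
int bounded_copies_expected_bytes(void)
{
    Blob b = sample_blob();
    unsigned char out[64];
    long n = extract_bounded(&b, out, sizeof out, 8);
    return n == 8 && memcmp(out, "456789ab", 8) == 0;
}

int main(void)
{
    printf("EOF spins for PS_Size=100000: %ld\n", wasted_iterations_for_size(100000));
    printf("bounded result for PS_Size=2013292078: %ld\n", bounded_result_for_size(2013292078L));
    printf("bounded copy of 8 bytes correct: %d\n", bounded_copies_expected_bytes());
    return 0;
}
```

The unbounded variant is called with 100000 rather than the 2013292078 from the trace only to keep the demonstration quick; the wasted-iteration count scales linearly with whatever the file declares. The size check against the remaining blob length is the primary control; the EOF break is there for readers whose blob length is not known up front (a streamed input), where the first check cannot be applied.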

urban-warrior pushed a commit that referenced this issue Nov 20, 2017

Cristy

urban-warrior commented Nov 20, 2017

Thanks for the problem report. We can reproduce it and will have a patch to fix it in GIT master branch @ https://github.com/ImageMagick/ImageMagick later today. The patch will be available in the beta releases of ImageMagick @ http://www.imagemagick.org/download/beta/ by sometime tomorrow.

@dlemstra dlemstra added the bug label Nov 20, 2017

@dlemstra dlemstra closed this Nov 20, 2017

carnil commented Dec 31, 2017

This issue has been assigned CVE-2017-17682.
