Closed
Description
Hello all.
We found a denial of service (DoS) issue in ImageMagick 7.0.7-12 Q16 x86_64, which can cause huge CPU consumption (CPU 100%).
The policy.xml is as follows:
<policymap>
<policy domain="resource" name="temporary-path" value="/tmp"/>
<policy domain="resource" name="memory" value="256MiB"/>
<policy domain="resource" name="map" value="512MiB"/>
<policy domain="resource" name="width" value="8KP"/>
<policy domain="resource" name="height" value="8KP"/>
<policy domain="resource" name="area" value="16KP"/>
<policy domain="resource" name="disk" value="1GiB"/>
<policy domain="resource" name="file" value="768"/>
<policy domain="resource" name="thread" value="2"/>
<policy domain="resource" name="throttle" value="0"/>
<policy domain="resource" name="time" value="120"/>
<policy domain="system" name="precision" value="6"/>
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="filter" rights="none" pattern="*" />
<policy domain="delegate" rights="none" pattern="HTTPS" />
<policy domain="path" rights="none" pattern="@*"/>
</policymap>
convert ReadWPGImage-cpu-exhaustion /dev/null
gdb backtrace
0x00007ffff413e1c5 in ReadBlobByte (image=0x607c00011900) at MagickCore/blob.c:3661
3661 p=(const unsigned char *) ReadBlobStream(image,1,buffer,&count);
(gdb) bt
#0 0x00007ffff413e1c5 in ReadBlobByte (image=0x607c00011900) at MagickCore/blob.c:3661
#1 0x00007ffff47dc5f0 in ExtractPostscript (image=0x607c00011900, image_info=0x607a0000d100, PS_Offset=71672, PS_Size=2013292078, exception=0x600c0000b0c0) at coders/wpg.c:769
#2 0x00007ffff47e10a2 in ReadWPGImage (image_info=0x607a0000d100, exception=0x600c0000b0c0) at coders/wpg.c:1408
#3 0x00007ffff41c56d6 in ReadImage (image_info=0x607a00010500, exception=0x600c0000b0c0) at MagickCore/constitute.c:497
#4 0x00007ffff41c7d3c in ReadImages (image_info=0x607a00013900, filename=0x60040000c710 "/tmp/cpu4.poc", exception=0x600c0000b0c0) at MagickCore/constitute.c:866
#5 0x00007ffff39e179c in ConvertImageCommand (image_info=0x607a00013900, argc=3, argv=0x60060000ed10, metadata=0x7fffffffc090, exception=0x600c0000b0c0) at MagickWand/convert.c:641
#6 0x00007ffff3b84a11 in MagickCommandGenesis (image_info=0x607a00016d00, command=0x4010d0 <ConvertImageCommand@plt>, argc=3, argv=0x7fffffffe4d8, metadata=0x0, exception=0x600c0000b0c0) at MagickWand/mogrify.c:183
#7 0x000000000040164d in MagickMain (argc=3, argv=0x7fffffffe4d8) at utilities/magick.c:149
#8 0x00000000004017e2 in main (argc=3, argv=0x7fffffffe4d8) at utilities/magick.c:180
When debugging we found a very large number in PS_Size:
(gdb) n
3662 if (count != 1)
(gdb)
3663 return(EOF);
(gdb)
3625 {
(gdb)
3668 }
(gdb)
ExtractPostscript (image=0x607c00011900, image_info=0x607a0000d100, PS_Offset=71672, PS_Size=2013292078, exception=0x600c0000b0c0) at coders/wpg.c:767
767 while(PS_Size-- > 0)
(gdb)
769 (void) fputc(ReadBlobByte(image),ps_file);
(gdb)
767 while(PS_Size-- > 0)
(gdb)
769 (void) fputc(ReadBlobByte(image),ps_file);
(gdb)
767 while(PS_Size-- > 0)
(gdb)
769 (void) fputc(ReadBlobByte(image),ps_file);
(gdb)
767 while(PS_Size-- > 0)
(gdb)
769 (void) fputc(ReadBlobByte(image),ps_file);
(gdb)
767 while(PS_Size-- > 0)
(gdb)
769 (void) fputc(ReadBlobByte(image),ps_file);
(gdb)
767 while(PS_Size-- > 0)
(gdb)
769 (void) fputc(ReadBlobByte(image),ps_file);
(gdb)
767 while(PS_Size-- > 0)
(gdb)
769 (void) fputc(ReadBlobByte(image),ps_file);
(gdb) p PS_Size
$1 = 2013292071
Testcase:
https://github.com/henices/pocs/raw/master/ReadWPGImage-cpu-exhaustion
Credit: NSFocus Security Team <security (at) nsfocus (dot) com>
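The backtrace above stops at the copy loop in ExtractPostscript (wpg.c:767-769), which iterates PS_Size times and writes whatever ReadBlobByte returns, even after the blob is exhausted and every call yields EOF. The following is an added illustration, not ImageMagick's code and not the project's fix: it models that loop against a tiny in-memory blob and contrasts it with a variant that clamps the requested size to the bytes actually remaining and stops at the first EOF. The Blob type, the helper names and the sample bytes are all constructed for this example; the claimed size is ten million rather than the 2013292078 seen in the report so the demonstration finishes quickly.

```c
/* Added example (not ImageMagick's code): the unbounded PostScript copy loop
   from the report versus a bounded variant. All names here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal in-memory stand-in for ImageMagick's blob (constructed). */
typedef struct {
  const unsigned char *data;
  size_t length;
  size_t offset;
} Blob;

/* Mirrors ReadBlobByte's contract: one byte, or EOF once the stream is exhausted. */
static int blob_read_byte(Blob *b) {
  if (b->offset >= b->length)
    return EOF;
  return b->data[b->offset++];
}

/* The loop as the backtrace shows it: the iteration count comes straight from
   the file's PS_Size, so an absurd value keeps the loop spinning long after
   blob_read_byte started returning EOF. Returns the number of iterations so
   the wasted work is measurable; `out` stands in for the ps_file fputc target. */
static unsigned long extract_unbounded(Blob *b, long ps_size,
                                       unsigned char *out, size_t out_cap) {
  unsigned long iterations = 0;
  size_t n = 0;
  while (ps_size-- > 0) {
    int c = blob_read_byte(b);
    if (n < out_cap)
      out[n++] = (unsigned char) c;
    iterations++;
  }
  return iterations;
}

/* Bounded variant (illustrative only): never trust the file's size field
   beyond what the blob can still deliver, and stop on EOF regardless. */
static unsigned long extract_bounded(Blob *b, long ps_size,
                                     unsigned char *out, size_t out_cap) {
  unsigned long iterations = 0;
  size_t n = 0;
  size_t remaining, want;
  if (ps_size < 0)
    return 0;
  remaining = b->length - b->offset;      /* offset never exceeds length */
  want = (size_t) ps_size;
  if (want > remaining)
    want = remaining;                     /* clamp to real data */
  while (want-- > 0) {
    int c = blob_read_byte(b);
    if (c == EOF)
      break;                              /* defence in depth */
    if (n < out_cap)
      out[n++] = (unsigned char) c;
    iterations++;
  }
  return iterations;
}

/* Constructed sample: a 10-byte PostScript fragment, while the (hypothetical)
   header field claims ten million bytes follow. */
static const unsigned char kSample[] = "%!PS-Adobe";
#define kClaimedSize 10000000L

unsigned long demo_unbounded_iterations(void) {
  Blob b = { kSample, sizeof(kSample) - 1, 0 };
  unsigned char out[64];
  return extract_unbounded(&b, kClaimedSize, out, sizeof(out));
}

unsigned long demo_bounded_iterations(void) {
  Blob b = { kSample, sizeof(kSample) - 1, 0 };
  unsigned char out[64];
  return extract_bounded(&b, kClaimedSize, out, sizeof(out));
}

int main(void) {
  printf("unbounded loop iterations: %lu\n", demo_unbounded_iterations());
  printf("bounded loop iterations:   %lu\n", demo_bounded_iterations());
  return 0;
}
```

The unbounded version performs ten million iterations for ten bytes of real data, which is exactly the shape of the CPU exhaustion in the report; the bounded version performs ten. Any parser that derives a loop count from an untrusted length field should apply the same clamp before the loop starts, and the policy.xml `time` resource limit above only caps the damage after the fact.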