ImageMagick's Overflow





                    Rosiello Security's Advisory

                                 &

                               DTORS



http://www.rosiello.org





I. BACKGROUND 

The ImageMagick (display) is an image viewer.

ImageMagick is part of the KDE desktop and is

bundled with all major Linux distributions.





II. DESCRIPTION 

A vulnerability was found in this application that could lead to the

execution of arbitrary code with the privileges of the user running the 

program.

This vulnerability can be exploited from within email clients that use 

ImageMagick

as default for image viewing.

It is possible that an user could load the "malicious" file 

directly,exploiting him self. 





III. ANALYSYS 

Class: Input validation error

Remotely Exploitable: No

Locally Exploitable: Yes but hardly

Exploitation can provide local attackers with user access to an affected 

system.

The following shows how the "malicious" file can cause the crash of 

ImageMagick.

[root@localhost root]# ls -l /usr/X11R6/bin/display

-rwxr-xr-x 1 root root 30564 Mar 14 2002 /usr/X11R6/bin/display

[root@localhost root]# touch %x

[root@localhost root]# gdb display

(gdb) r

Starting program: /usr/X11R6/bin/display

[New Thread 1024 (LWP 757)]





At this point open the file "%x" via ImageMagick.

On the gdb prompt you will see the following:



Program received signal SIGSEGV, Segmentation fault.

[Switching to Thread 1024 (LWP 757)]

0x4003cf0b in SetExceptionInfo () from /usr/X11R6/lib/libMagick.so.5

(gdb)





IV. DETECTION 

All distributions supporting ImageMagick are affected.

Red Hat, Mandrake, Suse and maybe others.

Vulnerable Packages:

Up to 5.4.3.x, all versions are vulnerable but the last one.

Mainteiners were informed and consented about this Advisory. 



VI. CREDITS 

This vulnerability was found by Angelo Rosiello.



http://www.rosiello.org

&

http://www.dtors.net



CONTACT: angelo@rosiello.org