SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

ImageMagick ReadSGIImage() Heap Overflow


Arrow  SecurityAlert : 1385
Arrow  CVE : CVE-2006-4144
Arrow  SecurityRisk : Medium  Security Risk Medium  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Available : Yes
Arrow  Credit : Damian Put
Arrow  Published : 16.08.2006

Arrow  Affected Software : ImageMagick



Arrow  Advisory Content :  

Overflow.pl Security Advisory #7

ImageMagick ReadSGIImage() Heap Overflow

Vendor: ImageMagick (http://www.imagemagick.org)
Affected version: 6.x up to and including 6.2.8
Vendor status: Fixed version released (6.2.9)

Author: Damian Put <pucik (at) overflow (dot) pl [email concealed]>
URL: http://www.overflow.pl/adv/imsgiheap.txt
Date: 14.08.2006

1. Background

ImageMagick is a free software suite to create, edit, and compose bitmap
images.
It can read, convert and write images in a large variety of formats.

http://www.imagemagick.org

2. Description

Remote exploitation of a heap overflow vulnerability could allow execution
of
arbitrary code or couse denial of service.

A heap overflow exists in ReadSGIImage() function, that is used to
decode a SGI image file. The vulnerable code is:

coders/sgi.c:

static Image *ReadSGIImage(const ImageInfo *image_info,ExceptionInfo
*exception)
{
...
iris_info.bytes_per_pixel=(unsigned char) ReadBlobByte(image);
...
image->columns=iris_info.columns;
image->rows=iris_info.rows;
...
bytes_per_pixel=(size_t) iris_info.bytes_per_pixel;
number_pixels=(MagickSizeType) iris_info.columns*iris_info.rows;
...
iris_pixels=(unsigned char *)AcquireMagickMemory
(4*bytes_per_pixel*iris_info.columns*iris_info.rows);

We can manipalute iris_info.rows, iris_info.columns and bytes_per_pixel
value. Allocation of memory to "iris_pixels" is based on this values.
When rows*cols*bytes_per_pixe*4 overflow integer variable, we can alloc
not
enough memory for next operations, and cause heap overflow.

3. PoC

Example crafted SGI file: http://overflow.pl/poc/imheap.sgi

[pucik@overflow ImageMagick-6.2.8]$ display imheap.sgi
*** glibc detected *** free(): invalid next size (fast): 0x08055dd0 ***
Abort (core dumped)
[pucik@overflow ImageMagick-6.2.8]$




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...
Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration
PHP RSS PHP Alert

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass

» PHP 5.3.0 5.2.11
   posix_mkfifo()
   open_basedir bypass
Copyright © SecurityReason.com. All Rights Reserved.