linux, säkerhet

107668 2003-07-14  20:50  /74 rader/ Angelo Rosiello <guilecool@usa.com>
Importerad: 2003-07-14  20:50  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5548>
Ärende: ImageMagick's Overflow
------------------------------------------------------------




                       ImageMagick's Overflow


                    Rosiello Security's Advisory
                                 &
                               DTORS

http://www.rosiello.org


I. BACKGROUND 
The ImageMagick (display) is an image viewer.
ImageMagick is part of the KDE desktop and is
bundled with all major Linux distributions.


II. DESCRIPTION  A vulnerability was found in this application that
could lead to the execution of arbitrary code with the privileges of
the user running the  program.  This vulnerability can be exploited
from within email clients that use  ImageMagick as default for image
viewing.  It is possible that an user could load the "malicious" file
directly,exploiting him self.


III. ANALYSYS  Class: Input validation error Remotely Exploitable: No
Locally Exploitable: Yes but hardly Exploitation can provide local
attackers with user access to an affected  system.  The following
shows how the "malicious" file can cause the crash of  ImageMagick.
[root@localhost root]# ls -l /usr/X11R6/bin/display
-rwxr-xr-x 1 root root 30564 Mar 14 2002 /usr/X11R6/bin/display
[root@localhost root]# touch %x
[root@localhost root]# gdb display
(gdb) r
Starting program: /usr/X11R6/bin/display
[New Thread 1024 (LWP 757)]


At this point open the file "%x" via ImageMagick.
On the gdb prompt you will see the following:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 757)]
0x4003cf0b in SetExceptionInfo () from /usr/X11R6/lib/libMagick.so.5
(gdb)


IV. DETECTION 
All distributions supporting ImageMagick are affected.
Red Hat, Mandrake, Suse and maybe others.
Vulnerable Packages:
Up to 5.4.3.x, all versions are vulnerable but the last one.
Mainteiners were informed and consented about this Advisory. 

VI. CREDITS 
This vulnerability was found by Angelo Rosiello.

http://www.rosiello.org
&
http://www.dtors.net

CONTACT: angelo@rosiello.org
(107668) /Angelo Rosiello <guilecool@usa.com>/(Ombruten)