
ImageMagick "sixel_decode()" Out-of-bounds Read Vulnerability #2143

@0xfoxone

Description:

There is an out-of-bounds read vulnerability within the "sixel_decode()" function (imagemagick\coders\sixel.c) when processing SIX files.

Steps to Reproduce:

poc (password: 0xfoxone):
https://drive.google.com/file/d/1vw_mAVttW3qqugcnxKDUt09nF16HLK7G/view?usp=sharing

cmd:
magick.exe convert poc.six new.bmp

Upon running this, the following crash happens (Note: I enabled page heap on magick.exe):

Microsoft (R) Windows Debugger Version 10.0.19041.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\ImageMagick-7.0.10-19\VisualMagick\bin\magick.exe convert c:\poc.six c:\new.bmp

Page heap: pid 0x1B94: page heap enabled with flags 0x3.
(1b94.2524): Break instruction exception - code 80000003 (first chance)
ntdll!LdrInitShimEngineDynamic+0x360:
00007ff8 eaebf780 cc int 3
0:000> g
(1b94.2524): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-19\VisualMagick\bin\IM_MOD_DB_SIXEL_.dll
VCRUNTIME140D!memcpy+0x57:
00007ff8 dedb1657 f3a4 rep movs byte ptr [rdi],byte ptr [rsi]
0:000> k
Child-SP RetAddr Call Site
00 0000007a66d85438 00007ff8de6a413f VCRUNTIME140D!memcpy+0x57
01 0000007a66d85440 00007ff8de6a157a IM_MOD_DB_SIXEL_!sixel_decode+0x140f [C:\imagemagick-7.0.10-19\imagemagick\coders\sixel.c @ 554]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-19\VisualMagick\bin\CORE_DB_MagickCore_.dll
02 0000007a66d859c0 00007ff8bc02b707 IM_MOD_DB_SIXEL_!ReadSIXELImage+0x3ea [C:\imagemagick-7.0.10-19\imagemagick\coders\sixel.c @ 1059]
03 0000007a66d85ac0 00007ff8bc02ce83 CORE_DB_MagickCore_!ReadImage+0x5e7 [C:\imagemagick-7.0.10-19\imagemagick\magickcore\constitute.c @ 553]
*** WARNING: Unable to verify checksum for C:\ImageMagick-7.0.10-19\VisualMagick\bin\CORE_DB_MagickWand_.dll
04 0000007a66d8ace0 00007ff8b721aac3 CORE_DB_MagickCore_!ReadImages+0x393 [C:\imagemagick-7.0.10-19\imagemagick\magickcore\constitute.c @ 941]
05 0000007a66d8bd90 00007ff8b72b4758 CORE_DB_MagickWand_!ConvertImageCommand+0x1523 [C:\imagemagick-7.0.10-19\imagemagick\magickwand\convert.c @ 606]
*** WARNING: Unable to verify checksum for magick.exe
06 0000007a66d8d8e0 00007ff61a8e14ea CORE_DB_MagickWand_!MagickCommandGenesis+0x338 [C:\imagemagick-7.0.10-19\imagemagick\magickwand\mogrify.c @ 186]
07 0000007a66d8ea50 00007ff61a8e1693 magick!MagickMain+0x4ea [C:\imagemagick-7.0.10-19\imagemagick\utilities\magick.c @ 149]
08 0000007a66d8fcc0 00007ff61a8e1f24 magick!wmain+0x43 [C:\imagemagick-7.0.10-19\imagemagick\utilities\magick.c @ 195]
09 0000007a66d8fd00 00007ff61a8e1e37 magick!invoke_main+0x34 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 80]
0a 0000007a66d8fd40 00007ff61a8e1cfe magick!__scrt_common_main_seh+0x127 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
0b 0000007a66d8fda0 00007ff61a8e1f39 magick!__scrt_common_main+0xe [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 296]
0c 0000007a66d8fdd0 00007ff8e9b96fd4 magick!wmainCRTStartup+0x9 [f:\dd\vctools\crt\vcstartup\src\startup\exe_wmain.cpp @ 17]
0d 0000007a66d8fe00 00007ff8eae3cec1 KERNEL32!BaseThreadInitThunk+0x14
0e 0000007a66d8fe30 0000000000000000 ntdll!RtlUserThreadStart+0x21

System Configuration:
