cbcvebase.
CVE-2014-2030
published 2020-02-06

Priority: P259
CVSS 3.1: 8.8 (high), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit: public PoC (see Detection & IOCs)
EPSS: 11.05% (95.4th percentile)
Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick, possibly 6.8.8-5, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-1947.

Affected

23 ranges

Vendor         | Product                                   | Version range                                 | Fixed in
canonical      | ubuntu_linux                              |                                               |
canonical      | ubuntu_linux                              |                                               |
canonical      | ubuntu_linux                              |                                               |
debian         | graphicsmagick                            | < graphicsmagick 1.3.20-1 (bookworm)          | graphicsmagick 1.3.20-1 (bookworm)
debian         | imagemagick                               | < imagemagick 8:6.7.7.10+dfsg-1 (bookworm)    | imagemagick 8:6.7.7.10+dfsg-1 (bookworm)
debian         | imagemagick                               | < graphicsmagick 1.3.20-1 (bookworm)          | graphicsmagick 1.3.20-1 (bookworm)
graphicsmagick | graphicsmagick                            | >= 0, < 1.3.20-1                              | 1.3.20-1
graphicsmagick | graphicsmagick                            | >= 0, < 1.3.20-1                              | 1.3.20-1
graphicsmagick | graphicsmagick                            | >= 0, < 1.3.20-1                              | 1.3.20-1
graphicsmagick | graphicsmagick                            | >= 0, < 1.3.20-1                              | 1.3.20-1
imagemagick    | imagemagick                               | < 6.8.8-5                                     | 6.8.8-5
imagemagick    | imagemagick                               | <= 6.5.4                                      |
imagemagick    | imagemagick                               |                                               |
imagemagick    | imagemagick                               | >= 0, < 8:6.7.7.10+dfsg-1                     | 8:6.7.7.10+dfsg-1
imagemagick    | imagemagick                               | >= 0, < 8:6.7.7.10+dfsg-1                     | 8:6.7.7.10+dfsg-1
imagemagick    | imagemagick                               | >= 0, < 8:6.7.7.10+dfsg-1                     | 8:6.7.7.10+dfsg-1
imagemagick    | imagemagick                               | >= 0, < 8:6.7.7.10+dfsg-1                     | 8:6.7.7.10+dfsg-1
opensuse       | opensuse                                  |                                               |
opensuse       | opensuse                                  |                                               |
opensuse       | opensuse                                  |                                               |
suse           | linux_enterprise_desktop                  |                                               |
suse           | linux_enterprise_server                   |                                               |
suse           | linux_enterprise_software_development_kit |                                               |

Detection & IOCs (extracted from sources)

Path: coders/psd.c
  • The vulnerability is triggered via the WritePSDImage function in coders/psd.c; monitor ImageMagick processing of PSD files with large numbers of layers, particularly layer name formatting via the 'L%06ld' format string pattern.
  • The exploit delivers a malicious XML file (english.xml) containing a ~100,000-byte SEH-overwrite payload alongside a corrupt BMP file (corrupt.bmp) to trigger the overflow; detect unexpectedly large XML files paired with BMP files in ImageMagick input directories.
  • The SEH overwrite offset is 62504 bytes of 0x41 padding; the SEH handler is overwritten with address 0x74c82f4f (OLEACC.dll pop/pop/ret gadget, SafeSEH=False). Presence of this address in a crash context is a strong exploit indicator.
  • Shellcode in the PoC calls kernel32.dll FatalAppExit() (address 0x7c861bb2 in the sample); monitor for ImageMagick child processes invoking FatalAppExit or spawning unexpected message boxes.
  • The SEH gadget address (0x74c82f4f in OLEACC.dll) and shellcode addresses (e.g., FatalAppExit at 0x7c861bb2) are specific to the Windows XP/2003 environment used in the PoC and will differ on other OS versions or patch levels.
  • Red Hat states this CVE did not affect ImageMagick as shipped with RHEL 5, 6, or 7, nor OpenShift Enterprise 1 or 2; detection efforts on those platforms may yield no results.
  • The exploit notes 'there are at least two possible offsets -- 1 for file->open and 1 for the open file menubar button', meaning the junk offset (62504) may vary depending on the trigger path used.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv           |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | HIGH     |
vendor_redhat |         | 8.8   | HIGH     |
vendor_cisco  |         | 8.5   | HIGH     |
vendor_ubuntu |         | 6.5   | MEDIUM   |