CVE-2017-16352
published 2017-11-01


Priority: P2 · 62 · high
CVSS 3.0: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 14.51% (96.2th percentile)
GraphicsMagick 1.3.26 is vulnerable to a heap-based buffer overflow vulnerability found in the "Display visual image directory" feature of the DescribeImage() function of the magick/describe.c file. One possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.

Affected (9 ranges)

Vendor          Product         Version range                          Fixed in
debian          debian_linux    -                                      -
debian          debian_linux    -                                      -
debian          debian_linux    -                                      -
debian          graphicsmagick  < graphicsmagick 1.3.26-17 (bookworm)  graphicsmagick 1.3.26-17 (bookworm)
graphicsmagick  graphicsmagick  -                                      -
graphicsmagick  graphicsmagick  >= 0, < 1.3.26-17                      1.3.26-17
graphicsmagick  graphicsmagick  >= 0, < 1.3.26-17                      1.3.26-17
graphicsmagick  graphicsmagick  >= 0, < 1.3.26-17                      1.3.26-17
graphicsmagick  graphicsmagick  >= 0, < 1.3.26-17                      1.3.26-17

Detection & IOCs (extracted from sources)

command: gm identify -verbose exploit.miff
filename: exploit.miff
filename: readexploit.miff
path: magick/describe.c
bytes: id=ImageMagick version=1.0\nclass=DirectClass matte=False\ncolumns=1 rows=1 depth=16\nscene=1\nmontage=1x1+0+0\n\x0c\n:\x1a
  • The heap overflow is triggered by a MIFF file whose montage/directory field contains an overly long directory name (>2053 bytes); the strncpy call at describe.c line 855 copies the entry without bounding it to the 2053-byte filename buffer in ImageInfo.
  • Monitor invocations of the 'gm identify -verbose' command against MIFF files, especially those with montage headers and directory fields exceeding 2053 bytes.
  • In the heap overflow PoC, the crafted MIFF payload uses 10000 'A' bytes in the directory field, causing the ImageInfo struct fields (cache, definitions, attributes, blob, etc.) to be overwritten with 0x4141414141414141.
  • The memory leak PoC leaks the libc main arena pointer via the 'Priority:' field in verbose identify output; the libc base is calculated using offset 0x3c4b98 from the leaked value.
  • Vendor patches are changesets 15237:e4e1c2a581d8 and 15238:7292230dd18 in the GraphicsMagick Mercurial repository; absence of these changesets indicates a vulnerable installation.
  • The heap overflow PoC targets the static 2053-byte filename buffer in the ImageInfo struct; the overflow size and offsets are specific to GraphicsMagick 1.3.26 on x86_64 with libc-2.23.
  • The libc main arena offset used in the memory disclosure PoC (0x3c4b98) is specific to libc-2.23 on x86_64 and will differ on other libc versions or architectures.
  • The memory disclosure PoC may fail if the leaked pointer contains null bytes, as StringToList will corrupt the value; the PoC explicitly checks for this condition.
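A file-side check for the trigger condition in the bullets above, added here as an example; it is not part of the advisory or of GraphicsMagick's code. It assumes a simplified MIFF layout (a key=value header ending in ':' plus a 0x1a byte, then a NUL-terminated, newline-separated directory when a montage key is present) and flags any directory entry that cannot fit in the 2053-byte ImageInfo filename buffer; the sample files it scans are constructed inline from the header bytes quoted in the IoCs.

```python
"""Heuristic scanner for MIFF files carrying an oversized image-directory entry,
the trigger condition for the DescribeImage() overflow (CVE-2017-16352).
Assumed (simplified) layout, not GraphicsMagick's own parser:
  - the header is text key=value pairs terminated by ':' followed by a 0x1a byte;
  - when the header has a `montage` key, a NUL-terminated, newline-separated list
    of directory filenames follows the terminator; pixel data comes after the NUL.
"""
MAX_TEXT_EXTENT = 2053          # size of ImageInfo.filename in GraphicsMagick 1.3.26
HEADER_END = b":\x1a"

def parse_header(data: bytes):
    """Return (fields, offset just past the header terminator)."""
    end = data.find(HEADER_END)
    if end < 0:
        raise ValueError("no MIFF header terminator found")
    fields = {}
    for token in data[:end].split():        # ASCII whitespace incl. the \x0c form feed
        key, sep, value = token.partition(b"=")
        if sep:
            fields[key.decode("ascii", "replace")] = value.decode("ascii", "replace")
    return fields, end + len(HEADER_END)

def oversized_directory_entries(data: bytes):
    """Lengths of directory entries that would overflow the filename buffer
    when `gm identify -verbose` describes the montage."""
    fields, pos = parse_header(data)
    if "montage" not in fields:
        return []                           # the directory is only read for montages
    nul = data.find(b"\x00", pos)
    directory = data[pos:nul if nul >= 0 else len(data)]
    # describe.c copies each '\n'-delimited entry with strncpy(filename, p, q-p)
    # and then stores filename[q-p] = '\0', so any entry of MaxTextExtent bytes
    # or more writes past the end of the 2053-byte buffer.
    return [len(e) for e in directory.split(b"\n") if len(e) >= MAX_TEXT_EXTENT]

def build_miff(directory: bytes) -> bytes:
    """Constructed sample: the 1x1 montage header quoted in the IoCs above,
    followed by a directory and dummy pixel bytes (irrelevant to the scan)."""
    header = (b"id=ImageMagick version=1.0\nclass=DirectClass matte=False\n"
              b"columns=1 rows=1 depth=16\nscene=1\nmontage=1x1+0+0\n\x0c\n:\x1a")
    return header + directory + b"\x00" + b"\x00" * 6

if __name__ == "__main__":
    benign = build_miff(b"tile_0.png\ntile_1.png")
    crafted = build_miff(b"A" * 10000)      # directory length used by the public PoC
    print("benign :", oversized_directory_entries(benign))    # []
    print("crafted:", oversized_directory_entries(crafted))   # [10000]
```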

CVSS provenance

nvd (v3.0): 8.8 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd (v2.0): 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P
osv: 8.8 HIGH
vendor_debian: 8.8 HIGH
vendor_redhat: 8.8 HIGH