Vulnerabilities > CVE-2006-0082 - USE of Externally-Controlled Format String vulnerability in Imagemagick 6.2.3
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3 and other versions, and GraphicsMagick, allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Format String Injection An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
- String Format Overflow in syslog() This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Nessus
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2006-045-03.NASL description New imagemagick packages are available for Slackware 10.2 and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20914 published 2006-02-15 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20914 title Slackware 10.2 / current : imagemagick (SSA:2006-045-03) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Slackware Security Advisory 2006-045-03. The text # itself is copyright (C) Slackware Linux, Inc. # include("compat.inc"); if (description) { script_id(20914); script_version("1.13"); script_cvs_date("Date: 2019/10/25 13:36:20"); script_cve_id("CVE-2005-4601", "CVE-2006-0082"); script_xref(name:"SSA", value:"2006-045-03"); script_name(english:"Slackware 10.2 / current : imagemagick (SSA:2006-045-03)"); script_summary(english:"Checks for updated package in /var/log/packages"); script_set_attribute( attribute:"synopsis", value:"The remote Slackware host is missing a security update." ); script_set_attribute( attribute:"description", value: "New imagemagick packages are available for Slackware 10.2 and -current to fix security issues." ); # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.341682 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?cb5a66ee" ); script_set_attribute( attribute:"solution", value:"Update the affected imagemagick package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:imagemagick"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux"); script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:10.2"); script_set_attribute(attribute:"patch_publication_date", value:"2006/02/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Slackware Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("slackware.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware"); if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu); flag = 0; if (slackware_check(osver:"10.2", pkgname:"imagemagick", pkgver:"6.2.3_3", pkgarch:"i486", pkgnum:"2")) flag++; if (slackware_check(osver:"current", pkgname:"imagemagick", pkgver:"6.2.6_1", pkgarch:"i486", pkgnum:"1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200602-13.NASL description The remote host is affected by the vulnerability described in GLSA-200602-13 (GraphicsMagick: Format string vulnerability) The SetImageInfo function was found vulnerable to a format string mishandling. Daniel Kobras discovered that the handling of last seen 2020-06-01 modified 2020-06-02 plugin id 20979 published 2006-02-27 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/20979 title GLSA-200602-13 : GraphicsMagick: Format string vulnerability code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200602-13. # # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(20979); script_version("1.16"); script_cvs_date("Date: 2019/08/02 13:32:43"); script_cve_id("CVE-2006-0082"); script_xref(name:"GLSA", value:"200602-13"); script_name(english:"GLSA-200602-13 : GraphicsMagick: Format string vulnerability"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200602-13 (GraphicsMagick: Format string vulnerability) The SetImageInfo function was found vulnerable to a format string mishandling. Daniel Kobras discovered that the handling of '%'-escaped sequences in filenames passed to the function is inadequate in ImageMagick GLSA 200602-06 and the same vulnerability exists in GraphicsMagick. Impact : By feeding specially crafted file names to GraphicsMagick an attacker can crash the program and possibly execute arbitrary code with the privileges of the user running GraphicsMagick. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200602-06" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200602-13" ); script_set_attribute( attribute:"solution", value: "All GraphicsMagick users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=media-gfx/graphicsmagick-1.1.7'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:graphicsmagick"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2006/02/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/02/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"media-gfx/graphicsmagick", unaffected:make_list("ge 1.1.7"), vulnerable:make_list("lt 1.1.7"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "GraphicsMagick"); }NASL family Fedora Local Security Checks NASL id FEDORA_2007-1340.NASL description Maintainance update fixing several security issues and bugs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 27710 published 2007-11-06 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27710 title Fedora 7 : GraphicsMagick-1.1.8-2.fc7 (2007-1340) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2007-1340. # include("compat.inc"); if (description) { script_id(27710); script_version ("1.14"); script_cvs_date("Date: 2019/08/02 13:32:25"); script_cve_id("CVE-2005-4601", "CVE-2006-0082", "CVE-2006-4144", "CVE-2006-5456", "CVE-2007-1797"); script_xref(name:"FEDORA", value:"2007-1340"); script_name(english:"Fedora 7 : GraphicsMagick-1.1.8-2.fc7 (2007-1340)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Maintainance update fixing several security issues and bugs. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/package-announce/2007-July/002982.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?626378b0" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_cwe_id(189); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:GraphicsMagick"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:GraphicsMagick-c++"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:GraphicsMagick-c++-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:GraphicsMagick-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:GraphicsMagick-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:GraphicsMagick-perl"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/12/31"); script_set_attribute(attribute:"patch_publication_date", value:"2007/07/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 7.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC7", reference:"GraphicsMagick-1.1.8-2.fc7")) flag++; if (rpm_check(release:"FC7", reference:"GraphicsMagick-c++-1.1.8-2.fc7")) flag++; if (rpm_check(release:"FC7", reference:"GraphicsMagick-c++-devel-1.1.8-2.fc7")) flag++; if (rpm_check(release:"FC7", reference:"GraphicsMagick-debuginfo-1.1.8-2.fc7")) flag++; if (rpm_check(release:"FC7", reference:"GraphicsMagick-devel-1.1.8-2.fc7")) flag++; if (rpm_check(release:"FC7", reference:"GraphicsMagick-perl-1.1.8-2.fc7")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "GraphicsMagick / GraphicsMagick-c++ / GraphicsMagick-c++-devel / etc"); }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2006-024.NASL description The delegate code in ImageMagick 6.2.4.x allows remote attackers to execute arbitrary commands via shell metacharacters in a filename that is processed by the display command. (CVE-2005-4601) A format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3, and other versions, allows user-complicit attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program. (CVE-2006-0082) The updated packages have been patched to correct these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 20818 published 2006-01-29 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20818 title Mandrake Linux Security Advisory : ImageMagick (MDKSA-2006:024) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1213.NASL description Several remote vulnerabilities have been discovered in Imagemagick, a collection of image manipulation programs, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2006-0082 Daniel Kobras discovered that Imagemagick is vulnerable to format string attacks in the filename parsing code. - CVE-2006-4144 Damian Put discovered that Imagemagick is vulnerable to buffer overflows in the module for SGI images. - CVE-2006-5456 M Joonas Pihlaja discovered that Imagemagick is vulnerable to buffer overflows in the module for DCM and PALM images. - CVE-2006-5868 Daniel Kobras discovered that Imagemagick is vulnerable to buffer overflows in the module for SGI images. This update also addresses regressions in the XCF codec, which were introduced in the previous security update. last seen 2020-06-01 modified 2020-06-02 plugin id 23662 published 2006-11-20 reporter This script is Copyright (C) 2006-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/23662 title Debian DSA-1213-1 : imagemagick - several vulnerabilities NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200602-06.NASL description The remote host is affected by the vulnerability described in GLSA-200602-06 (ImageMagick: Format string vulnerability) The SetImageInfo function was found vulnerable to a format string mishandling. Daniel Kobras discovered that the handling of last seen 2020-06-01 modified 2020-06-02 plugin id 20896 published 2006-02-14 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/20896 title GLSA-200602-06 : ImageMagick: Format string vulnerability NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-246-1.NASL description Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be exploited to execute arbitrary commands with the user last seen 2020-06-01 modified 2020-06-02 plugin id 21054 published 2006-03-13 reporter Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/21054 title Ubuntu 4.10 / 5.04 / 5.10 : imagemagick vulnerabilities (USN-246-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2006-0178.NASL description Updated ImageMagick packages that fix two security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. ImageMagick(TM) is an image display and manipulation tool for the X Window System that can read and write multiple image formats. A shell command injection flaw was found in ImageMagick last seen 2020-06-01 modified 2020-06-02 plugin id 21888 published 2006-07-03 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21888 title CentOS 3 / 4 : ImageMagick (CESA-2006:0178) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2006-0178.NASL description Updated ImageMagick packages that fix two security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. ImageMagick(TM) is an image display and manipulation tool for the X Window System that can read and write multiple image formats. A shell command injection flaw was found in ImageMagick last seen 2020-06-01 modified 2020-06-02 plugin id 20922 published 2006-02-15 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/20922 title RHEL 2.1 / 3 / 4 : ImageMagick (RHSA-2006:0178)
Oval
| accepted | 2013-04-29T04:08:01.833-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||
| description | Format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3 and other versions, and GraphicsMagick, allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program. | ||||||||||||||||||||
| family | unix | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:10717 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
| title | Format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3 and other versions, and GraphicsMagick, allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program. | ||||||||||||||||||||
| version | 26 |
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- ftp://patches.sgi.com/support/free/security/advisories/20060301-01.U.asc
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=345876
- http://rhn.redhat.com/errata/RHSA-2006-0178.html
- http://secunia.com/advisories/18261
- http://secunia.com/advisories/18607
- http://secunia.com/advisories/18851
- http://secunia.com/advisories/18871
- http://secunia.com/advisories/19030
- http://secunia.com/advisories/19183
- http://secunia.com/advisories/19408
- http://secunia.com/advisories/22998
- http://secunia.com/advisories/23090
- http://secunia.com/advisories/28800
- http://securityreason.com/securityalert/500
- http://securitytracker.com/id?1015623
- http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.341682
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-231321-1
- http://www.debian.org/security/2006/dsa-1213
- http://www.gentoo.org/security/en/glsa/glsa-200602-06.xml
- http://www.gentoo.org/security/en/glsa/glsa-200602-13.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:024
- http://www.novell.com/linux/security/advisories/2006_06_sr.html
- http://www.securityfocus.com/archive/1/452718/100/100/threaded
- http://www.securityfocus.com/bid/12717
- http://www.ubuntu.com/usn/usn-246-1
- http://www.vupen.com/english/advisories/2008/0412
- https://issues.rpath.com/browse/RPL-389
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10717