Skip to content
/ xbmdump Public

Exploit for ImageMagick's uninitialized memory disclosure in xbm coder

Notifications You must be signed in to change notification settings

d0ge/xbmdump

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 

Repository files navigation

xbmdump

ReadXBMImage in coders/xbm.c in ImageMagick before 7.0.8-9 (https://github.com/ImageMagick/ImageMagick/commit/216d117f05bff87b9dc4db55a1b1fadb38bcb786) leaves data uninitialized when processing an XBM file that has a negative pixel value. If the affected code is used as a library loaded into a process that includes sensitive information, that information sometimes can be leaked via the image data. Exploit for ImageMagick's uninitialized memory disclosure in xbm coder. This exploit is based on https://github.com/neex/gifoeb source code.

How to

  1. Run ./xbmdump gen 128x128 dump.xbm. The script needs ImageMagick (default) or GraphicsMagick (use --tool GM) to generate the images.

  2. Change file extension from xbm to any in web server whitelist (png, gif, jpg, jpeg, etc.)

  3. Upload dump.gif somewhere. If the following conditions hold true

    1. A preview is generated
    2. It changes significantly from one upload to another

    then you're lucky.

  4. Download and save the preview as output.ext.

  5. Run ./xbmdump recover output.ext

About

Exploit for ImageMagick's uninitialized memory disclosure in xbm coder

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages