ImageMagick's MSL: Stack overflow in ProcessMSLScript

Vulnerability

Description

ImageMagick, a widely used open-source software suite for image manipulation, contains a vulnerability in the way it processes Magick Scripting Language (MSL) files. Prior to versions 7.1.2-15 and 6.9.13-40, the software fails to check for circular references between two MSLs. This oversight causes a recursive loop that leads to a stack overflow, potentially resulting in a crash or denial of service [2][4].

Exploitation

The vulnerability is triggered when ImageMagick processes a crafted MSL file that references another MSL, which in turn references the first, creating a circular dependency. The attack vector is through the processing of specially crafted image files that include malicious MSL instructions. No authentication is required; an attacker can deliver the crafted file through any mechanism supported by ImageMagick, such as direct file input or via a web service that uses ImageMagick for image processing [4]. The stack overflow occurs as the recursive calls between MSLStartElement, ReadImage, ReadMSLImage, ProcessMSLScript, and xmlParseChunk exhaust the call stack [4].

Impact

Successful exploitation leads to a stack overflow, primarily resulting in a denial of service (DoS) condition. The application crash may prevent legitimate image processing operations. While the advisory does not mention remote code execution, the nature of a stack overflow could potentially be leveraged for further exploitation under specific circumstances, though this is not confirmed [2][4].

Mitigation

The vulnerability has been patched in ImageMagick versions 7.1.2-15 and 6.9.13-40. Users are strongly advised to update to these patched versions or later. As a general security measure, it is also recommended to implement a security policy suitable for the local environment to restrict potentially dangerous operations [1][2][4].