Researchers at Metabase Q discovered a couple of security vulnerabilities in the open-source image manipulation software ImageMagick that could potentially lead to information disclosure or trigger a Denial of Service (DoS) condition (CVE-2022-44268, CVE-2022-44267).
ImageMagick is a free and open-source software suite for displaying, converting, and editing raster image and vector image files.
The CVE-2022-44267 vulnerability is a DoS issue that can be triggered when parsing a PNG image with a filename that is a single dash (“-“).
“When ImageMagick parses a PNG file, for example in a resize operation when receiving an image, the convert process could be left waiting for stdin input leading to a Denial of Service since the process won’t be able to process other images.” reads the advisory published by Metabase Q. “A malicious actor could craft a PNG or use an existing one and add a textual chunk type (e.g., tEXt). These types have a keyword and a text string. If the keyword is the string “profile” (without quotes) then ImageMagick will interpret the text string as a filename and will load the content as a raw profile. If the specified filename is “-“ (a single dash) ImageMagick will try to read the content from standard input potentially leaving the process waiting forever.”
The CVE-2022-44268 vulnerability is an information disclosure flaw that can be exploited to read arbitrary files from a server when parsing an image. When the software parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary remote file (if the ImageMagick binary has permissions to read it).
“When ImageMagick parses the PNG file, for example in a resize operation, the resulting image could have embedded the content of an arbitrary remote file from the website (if magick binary has permissions to read it).” continues the advisory. “A malicious actor could craft a PNG or use an existing one and add a textual chunk type (e.g., tEXt). These types have a keyword and a text string. If the keyword is the string “profile” (without quotes) then ImageMagick will interpret the text string as a filename and will load the content as a raw profile, then the attacker can download the resized image which will come with the content of a remote file.”
In order to remotely exploit the issues, an attacker must upload a specially crafted image to a website using the ImageMagick software. The attacker can craft the image by inserting a text chunk that specifies some metadata such as the filename, which must be set to “-” for exploitation.
The two vulnerabilities affect ImageMagick version 7.1.0-49 of the software, they were addressed in with the release of version 7.1.0-52 on November 2022.
Vulnerabilities on open-source libraries like ImageMagick are very dangerous and can be exploited by attackers in the wild.
In Mat 2016, the security researcher John Graham-Cumming from CloudFlare asserted that his firm recently discovered a critical vulnerability, code-named CVE-2016-3714 (or ImageTragick), in the popular image manipulation software, ImageMagick.
The flaw could be exploited by hackers to take over websites running the widely used image-enhancing app. The vulnerability in ImageMagick App allows attackers to run arbitrary code on the targeted web servers that rely on the app for resizing or cropping user-uploaded images.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ImageMagick)