
CVE-2022-44268 PoC — ImageMagick Security Vulnerability

Source
Associated Vulnerability
Title: ImageMagick Security Vulnerability (CVE-2022-44268)
Description: ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary file (if the magick binary has permissions to read it).
Description
Detect images that likely exploit CVE-2022-44268
Readme
# cve-2022-44268-detector - detect malicious PNGs

cve-2022-44268-detector is a Go program that consumes PNGs and reports whether they appear to be malicious images generated by an exploit for [CVE-2022-44268][cve-2022-44268], an ImageMagick vulnerability that allows attackers to read arbitrary file contents using specially crafted images.

[cve-2022-44268]: https://www.metabaseq.com/imagemagick-zero-days/

## Installation

To install cve-2022-44268-detector, use `go install`:

```
$ go install github.com/jnschaeffer/cve-2022-44268-detector@latest
```

## Warning

**Please be careful** when working with untrusted data. An attacker can
craft a PNG chunk that may contain non-zlib data (such as a shell script,
or code that exploits a bug in your detection workflow). Accidentally
writing attacker-supplied code to a terminal or to a shell can result in
execution of malicious code. It is strongly recommended that the detector
be executed in a virtual machine or isolated compute environment to help
mitigate such security failures.

## Usage

cve-2022-44268-detector is a command line application. You can run it as follows:

```
$ cve-2022-44268-detector -filename image.png
***POTENTIAL INDICATOR OF COMPROMISE*** - keyword: 'Raw profile type' | compressed: true | id: 0 | offset: 0x72 | len: 666
```

Users may optionally output the contents of each exfiltrated chunk to stdout
by supplying the `-print` argument. *Please note* that each chunk's value is
likely binary, zlib-compressed data (i.e., not human-readable). Users are
strongly advised to redirect this data to a file.

**Note: Be very careful when using `-print`.** Untrusted PNGs may contain data
that, if exposed to a terminal or shell, could be interpreted as executable
code. Please take appropriate precautionary measures when using this feature.

The `-print` argument accepts the following values:

- `raw` - Write the chunk's value as-is to stdout
- `decompress` - Decompress the chunk's value prior to writing it to stdout
- `decompress-hexdecode` - Decompress and hex-decode the chunk's value
  prior to writing it to stdout. ImageMagick appears to first hex-encode
  and then compress the data using zlib compression

```
$ cve-2022-44268-detector -filename image.png -print raw > /tmp/out
***POTENTIAL INDICATOR OF COMPROMISE*** - keyword: 'Raw profile type' | compressed: true | id: 0 | offset: 0x72 | len: 666
$ hexdump -C /tmp/out
```
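As an added illustration of what the usage above describes (this is example code written here, not the project's own `main.go` or `pngutil.go`), the Go program below walks a PNG's chunk list, flags `tEXt`/`zTXt` chunks keyed `Raw profile type` with the same keyword/compressed/offset/len fields the detector prints, and implements the `decompress-hexdecode` step: inflate the zlib stream, then hex-decode. Two things are assumptions rather than facts from the README: the raw-profile text layout (`\n<name>\n<decimal length>\n<hex>`) that `DecodeRawProfile` parses, and the `SamplePNG` image it scans, which is constructed in-memory with a made-up payload.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash/crc32"
	"io"
	"strings"
)

var pngSignature = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

// Finding is one tEXt/zTXt chunk whose keyword matches the README's indicator.
type Finding struct {
	Keyword    string
	Compressed bool   // zTXt (zlib-compressed) rather than tEXt
	Offset     int    // file offset of the chunk's length field
	Len        int    // chunk data length
	Data       []byte // payload after the keyword, NUL and (zTXt) method byte
}

// ScanPNG walks the chunk list and reports every text chunk whose keyword starts with
// "Raw profile type". CRCs are deliberately not enforced: a mangled CRC must not hide a hit.
func ScanPNG(b []byte) ([]Finding, error) {
	if !bytes.HasPrefix(b, pngSignature) {
		return nil, fmt.Errorf("not a PNG: bad signature")
	}
	var found []Finding
	for pos := len(pngSignature); pos+12 <= len(b); {
		n := int(binary.BigEndian.Uint32(b[pos:]))
		typ := string(b[pos+4 : pos+8])
		if pos+12+n > len(b) {
			return found, fmt.Errorf("truncated chunk %q at 0x%x", typ, pos)
		}
		data := b[pos+8 : pos+8+n]
		if i := bytes.IndexByte(data, 0); (typ == "tEXt" || typ == "zTXt") && i >= 0 && strings.HasPrefix(string(data[:i]), "Raw profile type") {
			f := Finding{Keyword: string(data[:i]), Offset: pos, Len: n, Data: data[i+1:]}
			if typ == "zTXt" && len(f.Data) > 0 {
				f.Compressed, f.Data = true, f.Data[1:] // skip the compression-method byte
			}
			found = append(found, f)
		}
		pos += 12 + n // length + type + data + CRC
	}
	return found, nil
}

// DecodeRawProfile reverses the -print decompress-hexdecode path: inflate (for zTXt),
// then hex-decode. The text layout "\n<name>\n<decimal length>\n<hex>" is an assumption
// about ImageMagick's raw-profile format; the README only says hex-then-zlib.
func DecodeRawProfile(f Finding) (name string, payload []byte, err error) {
	text := f.Data
	if f.Compressed {
		zr, zerr := zlib.NewReader(bytes.NewReader(f.Data))
		if zerr != nil {
			return "", nil, zerr
		}
		// Cap the inflated size: an untrusted zlib stream may be a decompression bomb.
		if text, err = io.ReadAll(io.LimitReader(zr, 64<<20)); err != nil {
			return "", nil, err
		}
	}
	parts := strings.SplitN(string(text), "\n", 4)
	if len(parts) < 4 || parts[0] != "" {
		return "", nil, fmt.Errorf("unexpected raw profile layout")
	}
	name = parts[1]
	hexBody := strings.NewReplacer("\n", "", "\r", "", " ", "").Replace(parts[3])
	if payload, err = hex.DecodeString(hexBody); err != nil {
		return name, nil, err
	}
	if want := strings.TrimSpace(parts[2]); want != fmt.Sprint(len(payload)) {
		return name, payload, fmt.Errorf("length line %q does not match %d decoded bytes", want, len(payload))
	}
	return name, payload, nil
}

// chunk frames one PNG chunk: length, type, data, CRC over type+data.
func chunk(typ string, data []byte) []byte {
	body := append([]byte(typ), data...)
	out := binary.BigEndian.AppendUint32(nil, uint32(len(data)))
	out = append(out, body...)
	return binary.BigEndian.AppendUint32(out, crc32.ChecksumIEEE(body))
}

// SamplePNG is a constructed 1x1 PNG carrying a zTXt "Raw profile type" chunk in the
// assumed layout. The payload is made-up text, not a real leaked file.
func SamplePNG() []byte {
	secret := "constructed sample payload: root:x:0:0\n"
	text := fmt.Sprintf("\nprofile\n%8d\n%s", len(secret), hex.EncodeToString([]byte(secret)))
	var zb bytes.Buffer
	zw := zlib.NewWriter(&zb)
	zw.Write([]byte(text))
	zw.Close()
	out := append([]byte{}, pngSignature...)
	out = append(out, chunk("IHDR", []byte{0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0})...) // 1x1, 8-bit grayscale
	out = append(out, chunk("zTXt", append([]byte("Raw profile type\x00\x00"), zb.Bytes()...))...)
	return append(out, chunk("IEND", nil)...)
}
```

Calling `ScanPNG(SamplePNG())` yields one finding at offset 0x21 with `Compressed` set, and `DecodeRawProfile` on it returns the profile name and the original bytes. The 64 MiB cap on `io.LimitReader` is the one guard the README's warning about untrusted chunks most directly calls for on the decode path; write the returned bytes to a file, never to a terminal, exactly as the README advises for `-print`.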

## Exit status

- On detection: 0
- On no detection: 10
- On any other error: 1
File Snapshot

```
[4.0K] /data/pocs/5eef0d2b2f612c427ea8c96a01defdfaf62065d2
├── [4.0K] cmd
│   └── [4.0K] pluck
│       └── [5.8K] main.go
├── [  63] go.mod
├── [4.0K] internal
│   ├── [4.0K] image
│   │   └── [4.0K] png
│   │       ├── [ 958] fuzz.go
│   │       ├── [1.4K] LICENSE
│   │       ├── [1.7K] paeth.go
│   │       ├── [ 29K] reader.go
│   │       └── [ 15K] writer.go
│   └── [4.0K] imutil
│       ├── [ 106] doc.go
│       └── [2.3K] pngutil.go
├── [ 11K] LICENSE
├── [3.2K] main.go
└── [2.4K] README.md

6 directories, 12 files
```