A Denial of Service vulnerability in ImageMagick 7.1.0-49 has been found and registered as CVE-2022-44267.
It is closely related to CVE-2022-44268, which was about an Arbitrary Remote Leak.
In this blog, I will not dive into details about the execution flow or the debugging since it’s already explained here:
https://www.vicarius.io/vsociety/blog/cve-2022-44268-arbitrary-remote-leak-in-imagemagick
Also, you can find the lab building guide in the blog above.
This is part 2 of the ImageMagick CVEs series. I won’t go exactly as deep as in part 1; however, I’m still going to explain the code and where this vulnerability happens.
First, you have to create the payload by embedding the “profile” keyword together with the “-” sign (without quotes) as a text chunk. To do that we will use the pngcrush tool:
pngcrush -text a "profile" "-" dosit.png
This will generate a new image named “pngout.png” with the “-” sign embedded inside it.
Here we can see the differences between both the original image and the new malicious one.
The original image:
The malicious image:
Trigger the exploitation with the following command:
convert pngout.png DoS.png
You will notice that there are no results, no converted image, and the prompt just hangs there.
This is because it’s waiting to read from stdin.
I used gdb to attach to the running convert process.
Check the running process:
ps -aux
Run GDB attached to the running process:
sudo gdb -p 2091
“read.c” file is part of the GNU C Library (glibc), a collection of programming libraries that provide basic functionalities for many programs running on Linux systems, and it contains the implementation of the “read” system call for Linux systems. The “read” system call is used to read data from a file descriptor, such as a file or a socket, into a buffer in memory. The implementation in “read.c” provides the low-level functionality that programs use when calling the “read” function in their code.
So now we can understand that something happened along the way that made this program hang in there waiting to read something.
From the Arbitrary Remote Leak blog CVE-2022-44268, we understood how the execution happened.
So we know that first of all the image will go through ReadOnePNGImage which will process and read the image.
This is where the function reads the text chunk.
In the previous image, at line 3986, the SetImageProperty function is called.
Right-click on the function name SetImageProperty, then “Go to Definition”; this will take you to the function in property.c.
Scroll down to line 4711 and you will find the if condition that checks whether the “profile” keyword exists or not.
The code will hit line 4722 where FileToStringInfo is called; with the same F12 or “Go to Definition” you can follow the function to where it’s defined.
At line 1017 we have the FileToBlob function; follow it.
Here is where it gets interesting: the code checks if the filename contains “-”, and if so it takes stdin as input, which means it will wait forever. That’s how the DoS is achieved.
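As an added defender-side check (this is not code from the original post nor from ImageMagick), the following Python walks the tEXt/zTXt/iTXt chunks of a PNG and reports every “profile” key, since that is the text value SetImageProperty hands down to FileToBlob as a filename. The sample PNG is constructed in the script itself; a real scanner would feed files from an upload queue instead.

```python
import struct
import zlib

# PNG chunk types that can carry a key/value text pair.
TEXT_CHUNKS = (b"tEXt", b"zTXt", b"iTXt")


def build_png_with_text(key: bytes, text: bytes) -> bytes:
    """Constructed sample: a 1x1 grayscale PNG carrying one tEXt chunk."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, colour type ...
    idat = zlib.compress(b"\x00\x00")                      # one filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"tEXt", key + b"\x00" + text)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def iter_text_chunks(png: bytes):
    """Yield (key, value) for every text chunk; a CRC mismatch raises ValueError."""
    if png[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        if ctype in TEXT_CHUNKS:
            key, _, rest = data.partition(b"\x00")
            if ctype == b"tEXt":
                value = rest
            elif ctype == b"zTXt":
                value = zlib.decompress(rest[1:])           # skip the compression method byte
            else:  # iTXt: compression flag, method, language\0, translated keyword\0, text
                flag, rest = rest[0], rest[2:]
                _lang, _, rest = rest.partition(b"\x00")
                _tkey, _, text = rest.partition(b"\x00")
                value = zlib.decompress(text) if flag else text
            yield key, value
        if ctype == b"IEND":
            break
        pos += 12 + length


def profile_findings(png: bytes) -> list:
    """Return the 'profile' values ImageMagick would treat as a filename (match is case-insensitive, like LocaleCompare)."""
    return [v.decode("latin-1") for k, v in iter_text_chunks(png) if k.lower() == b"profile"]
```

A value of "-" is the stdin hang described in this post; any other value is a path the converter would open, which is the overlap with the file-leak CVE mentioned at the start.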
To have more fun, let’s launch GDB as follows.
Launch it with convert:
gdb convert
lay n
Press Enter twice.
Set a breakpoint at line number 1437 in blob.c:
break blob.c:1437
Now run the program:
run pngout.png DoS.png
Here you go: it stopped at the breakpoint, and we can see down there that the code read the “-” sign.
Now, let’s go step by step.
Next it goes to locale.c and LocaleCompare is called.
Then lseek64.c is used.
“sysdeps/unix/sysv/linux/lseek64.c” is a C source code file that is part of the GNU C Library (glibc), a collection of programming libraries that provide basic functionalities for many programs running on Linux systems.
The “lseek64.c” file contains the implementation of the “lseek” system call for Linux systems. The “lseek” system call is used to change the current position of the file offset of a file descriptor. The “64” in the file name indicates that this implementation supports large files on systems where the off_t type is only 32 bits, as is the case on some older systems.
Keep hitting “s” and “n” and you will step through some headers.
I have to give a warning here: when the program reaches line 1471
blob=(unsigned char *) AcquireQuantumMemory(quantum,sizeof(*blob));
step over it with “n” and don’t use “si”, because this function is for memory allocation and, at least for me, it led down a rabbit hole.
At this point, I had to add a new breakpoint at blob.c:1472.
/usr/include/x86_64-linux-gnu/bits/unistd.h is a header file in the Linux operating system that defines various constants and data types used by the unistd.h header file. The unistd.h header file provides access to various system services, such as I/O, process control, and system calls, and is included by many C and C++ programs. The bits/unistd.h header file is specific to the x86_64 architecture.
Some of the constants and data types defined in /usr/include/x86_64-linux-gnu/bits/unistd.h include STDIN_FILENO, STDOUT_FILENO, and STDERR_FILENO, which define the file descriptors for standard input (this is what’s interesting for us), standard output, and standard error, respectively.
Using step and step-in, you can notice that we hit read.c and the program is now waiting for stdin input.
Update ImageMagick to the latest version.
There is an overlap between this CVE and the other File Leak vulnerability; however, this one is also interesting, and I’m more interested in whether there is a possibility somewhere to achieve RCE from the stdin input.
In this blog, we are going to take a quick look at the DoS that has been found in ImageMagick, CVE-2022-44267. We will not be diving too much into the details, but make no mistake, we will be having fun :D.