A new security vulnerability, identified as CVE-2023-44443, has been discovered in the popular open-source image manipulation program, GIMP (GNU Image Manipulation Program). This vulnerability allows remote attackers to execute arbitrary code on affected installations of the software. The target user must visit a malicious page or open a malicious file for this vulnerability to exploit. This post discusses the details of this vulnerability, including the attack vector, code snippets, and links to original references.
Description
The particular flaw resides in the way GIMP parses PSP (Paint Shop Pro) files. The issue stems from the insufficient validation of user-supplied data, which may lead to an integer overflow before writing to memory. This vulnerability allows a malicious actor to execute code in the context of the current user's running process. The original vulnerability designation for this issue was ZDI-CAN-22096.
Attack Vector
To exploit this vulnerability, an attacker would need to craft a malicious PSP file and persuade the target victim to visit a malicious website or directly open the malicious file. Upon opening the malicious file, the attacker would be able to execute arbitrary code, potentially gaining access to sensitive information, modifying data, or compromising the target device.
Below is a simple example of a vulnerable code snippet when parsing a PSP file
uint32_t width, height;
read_uint32_t(&width, input_buffer);
read_uint32_t(&height, input_buffer);
uint64_t pixel_count = (uint64_t) width * height;
uint32_t bpp; // bits per pixel
read_uint32_t(&bpp, input_buffer);
uint64_t size = (pixel_count * bpp) / 8;
unsigned char *data = (unsigned char *)malloc(size); // Integer overflow happens here
if (data != NULL) {
read_data(data, size, input_buffer);
process_image_data(data, width, height, bpp);
free(data);
}
In this example, the code reads the width and height of the image from the input buffer. It then calculates the number of pixels by multiplying the width and height. Afterward, it reads the bits per pixel (bpp) and calculates the size of the image data in bytes. Finally, the code allocates memory for the image data and processes the data.
However, the code does not properly validate the input data, which may result in an integer overflow when calculating the size variable. This may lead to a buffer overflow during the memory allocation, allowing the attacker to execute arbitrary code.
Exploit Details
In order to exploit this vulnerability, an attacker would need to create a malicious PSP file with carefully crafted width, height, and bpp values. These values would be designed to trigger an integer overflow when calculating the size of the image data, ultimately leading to a buffer overflow and arbitrary code execution.
Upon successfully creating a malicious PSP file, the attacker would need to distribute it to the target victim, either through email attachments, embedded in web pages or other file-sharing methods. Once the user opens the malicious file in GIMP, the exploit would be triggered, and the attacker can execute arbitrary code in the context of the current process.
Mitigation & Recommendations
The GIMP development team has been notified of this vulnerability, and a patch is expected to be released to address the issue. Users are advised to verify the origin of PSP files before opening them in GIMP and avoid downloading files from untrusted sources.
Original References
1. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44443
2. Zero Day Initiative (ZDI) Advisory: https://www.zerodayinitiative.com/advisories/ZDI-22-096/
3. GIMP Official Website: https://www.gimp.org/
Conclusion
The CVE-2023-44443 vulnerability in GIMP highlights the importance of proper input validation and handling of user-supplied data when parsing files. Users should remain vigilant when dealing with potentially malicious files and follow security best practices to protect their systems and personal information.
Timeline
Published on: 05/03/2024 03:16:00 UTC
Last modified on: 07/08/2024 17:02:44 UTC