Wednesday, February 1, 2023
HomeCyber SecurityResearchers Uncover New Bugs in Common ImageMagick Picture Processing Utility

Researchers Uncover New Bugs in Common ImageMagick Picture Processing Utility


Feb 01, 2023Ravie LakshmananVulnerability

Cybersecurity researchers have disclosed particulars of two safety flaws within the open supply ImageMagick software program that would probably result in a denial-of-service (DoS) and data disclosure.

The 2 points, which have been recognized by Latin American cybersecurity agency Metabase Q in model 7.1.0-49, have been addressed in ImageMagick model 7.1.0-52, launched in November 2022.

A quick description of the failings is as follows –

  • CVE-2022-44267 – A DoS vulnerability that arises when parsing a PNG picture with a filename that is a single sprint (“-“)
  • CVE-2022-44268 – An info disclosure vulnerability that might be exploited to learn arbitrary information from a server when parsing a picture

That stated, an attacker should be capable of add a malicious picture to a web site utilizing ImageMagick in order to weaponize the failings remotely. The specifically crafted picture, for its half, will be created by inserting a textual content chunk that specifies some metadata of the attacker’s selection (e.g., “-” for the filename).

ImageMagick Image Processing
ImageMagick Image Processing

“If the required filename is ‘-‘ (a single sprint), ImageMagick will attempt to learn the content material from normal enter probably leaving the method ready without end,” the researchers stated in a report shared with The Hacker Information.

In the identical method, if the filename refers to an precise file positioned within the server (e.g., “/and so on/passwd”), a picture processing operation carried out on the enter might probably embed the contents of the distant file after it is full.

This isn’t the primary time safety vulnerabilities have been found in ImageMagick. In Might 2016, a number of flaws have been disclosed within the software program, certainly one of which, dubbed ImageTragick, might have been abused to realize distant code execution when processing user-submitted photographs.

A shell injection vulnerability was subsequently revealed in November 2020, whereby an attacker might insert arbitrary instructions when changing encrypted PDFs to photographs through the “-authenticate” command line parameter.

Discovered this text fascinating? Comply with us on Twitter and LinkedIn to learn extra unique content material we publish.



RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments