Related vulnerability
Title:
ImageMagick security vulnerability
(CVE-2022-44268)
Description: ImageMagick is an open-source image-processing suite from the US-based ImageMagick company; it can read, convert and write images in many formats. ImageMagick 7.1.0-49 contains an information-disclosure vulnerability: when it parses a specially crafted PNG, the image it generates can embed the contents of an arbitrary file readable by the ImageMagick process.
Description
Detect images that likely exploit CVE-2022-44268
Introduction
# cve-2022-44268-detector - detect malicious PNGs
cve-2022-44268-detector is a Go program that consumes PNGs and reports whether they appear to be malicious images generated by an exploit for [CVE-2022-44268][cve-2022-44268], an ImageMagick vulnerability that lets an attacker read arbitrary file contents from the host doing the conversion by supplying a specially crafted image. The stolen contents end up embedded in the converted image's text metadata, and that is what the detector looks for.
[cve-2022-44268]: https://www.metabaseq.com/imagemagick-zero-days/
## Installation
To install cve-2022-44268-detector, use `go install`:
```
$ go install github.com/jnschaeffer/cve-2022-44268-detector@latest
```
## Warning
**Please be careful** when working with untrusted data. An attacker can
craft a PNG chunk whose value is not zlib data at all (for example a shell
script, or input that exploits a bug in your detection workflow). Accidentally
writing attacker-supplied bytes to a terminal or to a shell can result in
execution of malicious code. It is strongly recommended that the detector
be executed in a virtual machine or other isolated compute environment to
mitigate such failures.
## Usage
cve-2022-44268-detector is a command line application. You can run it as follows:
```
$ cve-2022-44268-detector -filename image.png
***POTENTIAL INDICATOR OF COMPROMISE*** - keyword: 'Raw profile type' | compressed: true | id: 0 | offset: 0x72 | len: 666
```
Users may optionally output the contents of each exfiltrated chunk to stdout
by supplying the `-print` argument. *Please note* that each chunk's value is
likely binary, zlib-compressed data (i.e., not human-readable). Users are
strongly advised to redirect this output to a file rather than a terminal.
**Note: Be very careful when using `-print`.** Untrusted PNGs may contain data
that, if exposed to a terminal or shell, could be interpreted as executable
code. Take appropriate precautions when using this feature.
The `-print` argument accepts the following values:
- `raw` - Write the chunk's value as-is to stdout
- `decompress` - Decompress the chunk's value prior to writing it to stdout
- `decompress-hexdecode` - Decompress and then hex-decode the chunk's value
prior to writing it to stdout. ImageMagick appears to hex-encode the file
contents first and then zlib-compress the result, so this option reverses
both steps and yields the original file bytes
```
$ cve-2022-44268-detector -filename image.png -print raw > /tmp/out
***POTENTIAL INDICATOR OF COMPROMISE*** - keyword: 'Raw profile type' | compressed: true | id: 0 | offset: 0x72 | len: 666
$ hexdump -C /tmp/out
```
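The following is an added example, not code from this README or from the jnschaeffer project, showing what the detector and its `-print decompress-hexdecode` mode do end to end: walk the PNG chunk list, flag tEXt/zTXt chunks whose keyword starts with `Raw profile type`, inflate the zTXt value under a size cap, and strip ImageMagick's raw-profile framing before hex-decoding. It assumes the raw-profile text layout that ImageMagick's PNG coder uses (a type line, a right-justified decimal length line, then hex lines of 36 bytes), which is consistent with the README's note that the data is hex-encoded and then zlib-compressed. The function names, the 1x1 sample PNG and the `/etc/passwd`-style payload are all constructed for this example.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash/crc32"
	"io"
	"strings"
)

var pngSig = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

// Finding is a tEXt/zTXt chunk whose keyword marks an ImageMagick raw profile.
type Finding struct {
	Keyword    string
	Compressed bool   // zTXt: Data is still the zlib stream (the README's "raw" form)
	Offset     int    // file offset of the chunk's length field
	Data       []byte // chunk value after the NUL-terminated keyword
}

// ScanPNG walks the chunk list and reports text chunks keyed "Raw profile type". Length
// and CRC are checked before a chunk is read, so a truncated or tampered file is an error.
func ScanPNG(data []byte) (findings []Finding, err error) {
	if !bytes.HasPrefix(data, pngSig) {
		return nil, fmt.Errorf("not a PNG: bad signature")
	}
	for pos := len(pngSig); pos+8 <= len(data); {
		n, typ := int(binary.BigEndian.Uint32(data[pos:])), string(data[pos+4:pos+8])
		if n < 0 || n > len(data)-pos-12 || crc32.ChecksumIEEE(data[pos+4:pos+8+n]) != binary.BigEndian.Uint32(data[pos+8+n:]) {
			return nil, fmt.Errorf("chunk %s at 0x%x overruns the file or has a bad CRC", typ, pos)
		}
		body := data[pos+8 : pos+8+n]
		if i := bytes.IndexByte(body, 0); (typ == "tEXt" || typ == "zTXt") && i > 0 && strings.HasPrefix(string(body[:i]), "Raw profile type") {
			f := Finding{Keyword: string(body[:i]), Compressed: typ == "zTXt", Offset: pos, Data: body[i+1:]}
			if f.Compressed && len(f.Data) > 0 { // zTXt: a method byte (0 = deflate) precedes the zlib stream
				f.Data = f.Data[1:]
			}
			findings = append(findings, f)
		}
		pos += 12 + n
	}
	return findings, nil
}

// DecodeRawProfile is the README's decompress-hexdecode with a cap on the inflated size (the attacker
// picks the ratio). Assumed layout: "\n<type>\n<length>\n" then hex lines; returns the type and the bytes.
func DecodeRawProfile(f Finding, maxSize int64) (string, []byte, error) {
	text := f.Data
	if f.Compressed {
		zr, err := zlib.NewReader(bytes.NewReader(text))
		if err == nil {
			text, err = io.ReadAll(io.LimitReader(zr, maxSize+1))
		}
		if err != nil || int64(len(text)) > maxSize {
			return "", nil, fmt.Errorf("inflate failed or exceeded %d bytes (%v)", maxSize, err)
		}
	}
	parts := strings.SplitN(strings.TrimLeft(string(text), "\n"), "\n", 3)
	if len(parts) != 3 {
		return "", nil, fmt.Errorf("malformed raw profile header")
	}
	payload, err := hex.DecodeString(strings.Join(strings.Fields(parts[2]), ""))
	return parts[0], payload, err
}

// chunk frames body as a PNG chunk: big-endian length, type, body, CRC32(type+body).
func chunk(typ string, body []byte) []byte {
	b := append(append(make([]byte, 4, 12+len(body)), typ...), body...)
	binary.BigEndian.PutUint32(b, uint32(len(body)))
	return binary.BigEndian.AppendUint32(b, crc32.ChecksumIEEE(b[4:]))
}

// BuildSamplePNG returns a constructed 1x1 PNG (no IDAT; the walker needs no pixels). A non-nil
// payload adds the zTXt chunk an exploited ImageMagick emits, in the assumed raw-profile layout.
func BuildSamplePNG(payload []byte) []byte {
	png := append(append([]byte{}, pngSig...), chunk("IHDR", []byte{0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0})...)
	if payload != nil {
		t, h := fmt.Sprintf("\n%s\n%8d", "generic", len(payload)), hex.EncodeToString(payload)
		for ; len(h) > 72; h = h[72:] { // ImageMagick wraps the hex at 36 bytes per line
			t += "\n" + h[:72]
		}
		var z bytes.Buffer
		w := zlib.NewWriter(&z)
		w.Write([]byte(t + "\n" + h + "\n"))
		w.Close()
		png = append(png, chunk("zTXt", append([]byte("Raw profile type\x00\x00"), z.Bytes()...))...)
	}
	return append(png, chunk("IEND", nil)...)
}

func main() {
	fs, err := ScanPNG(BuildSamplePNG([]byte("root:x:0:0:root:/root:/bin/bash\n")))
	typ, data, derr := DecodeRawProfile(fs[0], 1<<20) // the constructed sample always yields exactly one finding
	fmt.Printf("scan err=%v keyword=%q offset=0x%x type=%q decode err=%v\n", err, fs[0].Keyword, fs[0].Offset, typ, derr)
	fmt.Print(hex.Dump(data)) // hex-dump rather than echo attacker-controlled bytes to a terminal
}
```

Two design choices follow the README's own warning: every chunk's declared length and CRC are verified before the chunk is touched, so a truncated or tampered file is rejected instead of being parsed on trust, and the zlib stream is inflated through a size cap because the attacker controls the compression ratio. The keyword is matched by prefix, so chunks keyed `Raw profile type <name>` are reported too; the recovered bytes are hex-dumped rather than written raw to the terminal.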
## Exit status
- On detection: 0
- On no detection: 10
- On any other error: 1
File snapshot
[4.0K] /data/pocs/5eef0d2b2f612c427ea8c96a01defdfaf62065d2
├── [4.0K] cmd
│ └── [4.0K] pluck
│ └── [5.8K] main.go
├── [ 63] go.mod
├── [4.0K] internal
│ ├── [4.0K] image
│ │ └── [4.0K] png
│ │ ├── [ 958] fuzz.go
│ │ ├── [1.4K] LICENSE
│ │ ├── [1.7K] paeth.go
│ │ ├── [ 29K] reader.go
│ │ └── [ 15K] writer.go
│ └── [4.0K] imutil
│ ├── [ 106] doc.go
│ └── [2.3K] pngutil.go
├── [ 11K] LICENSE
├── [3.2K] main.go
└── [2.4K] README.md
6 directories, 12 files
Notes
1. It is recommended to access the POC through the original source first.
2. If the source is gone or unreachable, e-mail f.jinxu#gmail.com (replace # with @) to request a local snapshot.
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.