jnschaeffer/cve-2022-44268-detector

cve-2022-44268-detector - detect malicious PNGs

cve-2022-44268-detector is a Go program that consumes PNGs and reports whether they appear to be malicious images generated by an exploit for CVE-2022-44268, an ImageMagick vulnerability that allows attackers to read arbitrary file contents using specially crafted images.

Installation

To install cve-2022-44268-detector, use go install:

$ go install github.com/jnschaeffer/cve-2022-44268-detector@latest

Warning

Please be careful when working with untrusted data. An attacker can craft a PNG chunk that may contain non-zlib data (such as a shell script, or code that exploits a bug in your detection workflow). Accidentally writing attacker-supplied code to a terminal or to a shell can result in execution of malicious code. It is strongly recommended that the detector be executed in a virtual machine or isolated compute environment to help mitigate such security failures.

Usage

cve-2022-44268-detector is a command line application. You can run it as follows:

$ cve-2022-44268-detector -filename image.png
***POTENTIAL INDICATOR OF COMPROMISE*** - keyword: 'Raw profile type' | compressed: true | id: 0 | offset: 0x72 | len: 666

Users may optionally output the contents of each exfiltrated chunk to stdout by supplying the -print argument. Please note that each chunk's value is likely binary, zlib-compressed data (i.e., not human-readable). Users are strongly advised to redirect this data to a file.

Note: Be very careful when using -print. Untrusted PNGs may contain data that, if exposed to a terminal or shell, could be interpreted as executable code. Please take appropriate precautionary measures when using this feature.

The -print argument accepts the following values:

  • raw - Write the chunk's value as-is to stdout
  • decompress - Decompress the chunk's value prior to writing it to stdout
  • decompress-hexdecode - Decompress and hex-decode the chunk's value prior to writing it to stdout. ImageMagick appears to first hex-encode and then compress the data using zlib compression.

$ cve-2022-44268-detector -filename image.png -print raw > /tmp/out
***POTENTIAL INDICATOR OF COMPROMISE*** - keyword: 'Raw profile type' | compressed: true | id: 0 | offset: 0x72 | len: 666
$ hexdump -C /tmp/out
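The detection logic the README describes (walk the PNG chunk list, flag tEXt/zTXt chunks keyed 'Raw profile type', report offset and length without touching the payload), as an added Go example that is not the project's own code. The sample image is constructed here and harmless; its chunk layout (keyword, NUL, compression method 0, zlib over hex-encoded data) is a simplified assumption based on the page's description, not a byte-exact copy of ImageMagick's raw-profile format.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash/crc32"
)

const indicator = "Raw profile type" // keyword ImageMagick writes for embedded raw profiles

// Scan reports tEXt/zTXt chunks whose keyword starts with the indicator; it compares bytes only and never inflates data.
func Scan(png []byte) ([]string, error) {
	if !bytes.HasPrefix(png, []byte("\x89PNG\r\n\x1a\n")) {
		return nil, fmt.Errorf("missing PNG signature")
	}
	var hits []string
	for off := 8; off+12 <= len(png); {
		n := int(binary.BigEndian.Uint32(png[off:]))
		if off+12+n > len(png) {
			return nil, fmt.Errorf("truncated chunk at offset %#x", off)
		}
		typ, data := string(png[off+4:off+8]), png[off+8:off+8+n]
		i := bytes.IndexByte(data, 0) // the keyword is NUL-terminated in both chunk types
		if (typ == "tEXt" || typ == "zTXt") && i >= 0 && bytes.HasPrefix(data[:i], []byte(indicator)) {
			hits = append(hits, fmt.Sprintf("keyword: %q | compressed: %t | offset: %#x | len: %d", data[:i], typ == "zTXt", off, n))
		}
		off += 12 + n // 4 length + 4 type + data + 4 CRC
	}
	return hits, nil
}

// chunk encodes one PNG chunk: length, type, data, CRC32 over type+data.
func chunk(typ string, data []byte) []byte {
	b := append(append(binary.BigEndian.AppendUint32(nil, uint32(len(data))), typ...), data...)
	return binary.BigEndian.AppendUint32(b, crc32.ChecksumIEEE(b[4:]))
}

// SamplePNG is a constructed, harmless test image (not real exploit output): IHDR, a zTXt chunk holding zlib(hex(payload)), IEND.
func SamplePNG(payload string) []byte {
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write([]byte(hex.EncodeToString([]byte(payload))))
	w.Close()
	png := append([]byte("\x89PNG\r\n\x1a\n"), chunk("IHDR", make([]byte, 13))...)
	png = append(png, chunk("zTXt", append([]byte(indicator+"\x00\x00"), z.Bytes()...))...)
	return append(png, chunk("IEND", nil)...)
}
```

Scan(SamplePNG("...")) yields one report line at offset 0x21 (8-byte signature plus the 25-byte IHDR chunk); the inflate/hex-decode step corresponding to -print decompress-hexdecode is deliberately left out so the scanner never interprets attacker-controlled bytes.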

Exit status

  • On detection: 0
  • On no detection: 10
  • On any other error: 1

About

Detect images that likely exploit CVE-2022-44268
