cve-2022-44268-detector

command module
v0.0.0-...-bbd300f Latest
Published: Dec 6, 2023 License: Apache-2.0 Imports: 8 Imported by: 0

README

cve-2022-44268-detector - detect malicious PNGs

cve-2022-44268-detector is a Go program that consumes PNGs and reports whether they appear to be malicious images generated by an exploit for CVE-2022-44268, an ImageMagick vulnerability in which a specially crafted PNG makes ImageMagick, while processing the image, read an arbitrary file from its host and embed that file's contents in the output image, where the attacker can then retrieve them.

Installation

To install cve-2022-44268-detector, use go install:

$ go install github.com/jnschaeffer/cve-2022-44268-detector@latest

Warning

Please be careful when working with untrusted data. An attacker can craft a PNG chunk that contains non-zlib data (such as a shell script, or input that exploits a bug in your detection workflow). Accidentally writing attacker-supplied bytes to a terminal, or piping them into a shell, can result in execution of malicious code. It is strongly recommended that the detector be run in a virtual machine or other isolated compute environment to mitigate such failures.

Usage

cve-2022-44268-detector is a command line application. You can run it as follows:

$ cve-2022-44268-detector -filename image.png
***POTENTIAL INDICATOR OF COMPROMISE*** - keyword: 'Raw profile type' | compressed: true | id: 0 | offset: 0x72 | len: 666

Users may optionally output the contents of each exfiltrated chunk to stdout by supplying the -print argument. Please note that each chunk's value is likely binary, zlib-compressed data (i.e., not human-readable). Users are strongly advised to redirect this data to a file.

Note: Be very careful when using -print. Untrusted PNGs may contain data that, if exposed to a terminal or shell, could be interpreted as executable code. Please take appropriate precautionary measures when using this feature.

The -print argument accepts the following values:

  • raw - Write the chunk's value as-is to stdout
  • decompress - Decompress the chunk's value prior to writing it to stdout
  • decompress-hexdecode - Decompress and hex-decode the chunk's value prior to writing it to stdout. ImageMagick appears to first hex-encode the data and then zlib-compress it, so this mode should yield the exfiltrated file's original bytes

The indicator line is still shown when stdout is redirected to a file, so the chunk contents can be captured without the report being lost:

$ cve-2022-44268-detector -filename image.png -print raw > /tmp/out
***POTENTIAL INDICATOR OF COMPROMISE*** - keyword: 'Raw profile type' | compressed: true | id: 0 | offset: 0x72 | len: 666
$ hexdump -C /tmp/out
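As an added example that is not part of this project's code, the following Go program implements the detection the README describes: it walks the PNG chunk stream, flags tEXt/zTXt chunks whose keyword begins with 'Raw profile type', and reverses the hex-then-zlib encoding to recover the exfiltrated bytes. It builds its own constructed sample PNG (a single zTXt chunk carrying a made-up /etc/passwd line) so it runs offline; the sample's chunk layout, the 16 MiB inflate cap, the decision not to gate on CRCs, and the whitespace-tolerant hex decoding are assumptions of this example, not behaviour taken from the detector or from ImageMagick.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash/crc32"
	"io"
	"strings"
)

var pngSignature = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'} // fixed 8-byte PNG header

// iocKeyword is the text-chunk keyword prefix ImageMagick writes for raw profiles,
// which is where the exploit's stolen file contents end up in the output image.
const iocKeyword = "Raw profile type"

// Finding describes one tEXt/zTXt chunk whose keyword starts with iocKeyword.
type Finding struct {
	Keyword    string
	Compressed bool   // true for zTXt
	Offset     int    // byte offset of the chunk's 4-byte length field
	Len        int    // chunk data length
	Body       []byte // text after the keyword's NUL (and zTXt's method byte)
}

// ScanPNG walks every chunk, including any after IEND (decoders ignore those, the file
// still carries them). CRCs are not a gate, since the attacker controls them too.
func ScanPNG(b []byte) ([]Finding, error) {
	if len(b) < 8 || !bytes.Equal(b[:8], pngSignature) {
		return nil, fmt.Errorf("not a PNG: bad signature")
	}
	var out []Finding
	for pos := 8; pos+12 <= len(b); {
		n, typ := int(binary.BigEndian.Uint32(b[pos:])), string(b[pos+4:pos+8])
		if n > len(b)-pos-12 {
			return out, fmt.Errorf("truncated chunk %q at 0x%x", typ, pos)
		}
		data := b[pos+8 : pos+8+n]
		if i := bytes.IndexByte(data, 0); (typ == "tEXt" || typ == "zTXt") && i >= 0 &&
			strings.HasPrefix(string(data[:i]), iocKeyword) {
			f := Finding{Keyword: string(data[:i]), Offset: pos, Len: n, Body: data[i+1:]}
			if f.Compressed = typ == "zTXt"; f.Compressed && len(f.Body) > 0 {
				f.Body = f.Body[1:] // skip zTXt's compression-method byte
			}
			out = append(out, f)
		}
		pos += 12 + n
	}
	return out, nil
}

// Recover undoes the encoding the README describes (hex, then zlib for zTXt). The
// inflated size is capped: an attacker-controlled stream may be a decompression bomb.
func Recover(f Finding) ([]byte, error) {
	text := f.Body
	if f.Compressed {
		r, err := zlib.NewReader(bytes.NewReader(text))
		if err == nil {
			text, err = io.ReadAll(io.LimitReader(r, 16<<20))
		}
		if err != nil {
			return nil, err
		}
	}
	return hex.DecodeString(strings.Join(strings.Fields(string(text)), ""))
}

// chunk serialises one PNG chunk: length, type, data, CRC32 over type+data.
func chunk(typ string, data []byte) []byte {
	var hdr, crc [4]byte
	binary.BigEndian.PutUint32(hdr[:], uint32(len(data)))
	binary.BigEndian.PutUint32(crc[:], crc32.ChecksumIEEE(append([]byte(typ), data...)))
	return bytes.Join([][]byte{hdr[:], []byte(typ), data, crc[:]}, nil)
}

// BuildSample constructs a minimal PNG (signature, one zTXt, IEND; no IDAT, so not
// viewable) whose zTXt is laid out like the exploit's output: zlib(hex(secret)).
func BuildSample(keyword string, secret []byte) []byte {
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write([]byte("\n" + hex.EncodeToString(secret) + "\n"))
	w.Close()
	ztxt := append([]byte(keyword+"\x00\x00"), z.Bytes()...) // keyword, NUL, method 0
	return bytes.Join([][]byte{pngSignature, chunk("zTXt", ztxt), chunk("IEND", nil)}, nil)
}

func main() {
	// The secret is a constructed stand-in for a file the vulnerable server would have read.
	findings, err := ScanPNG(BuildSample(iocKeyword, []byte("root:x:0:0:root:/root:/bin/bash\n")))
	fmt.Printf("findings: %d, scan error: %v\n", len(findings), err)
	for i, f := range findings {
		plain, rerr := Recover(f) // %q below escapes control bytes, so untrusted data never reaches the terminal raw
		fmt.Printf("***POTENTIAL INDICATOR OF COMPROMISE*** - keyword: %q | compressed: %v | id: %d | offset: 0x%x | len: %d\nrecovered: %q err=%v\n",
			f.Keyword, f.Compressed, i, f.Offset, f.Len, plain, rerr)
	}
}
```

Two design points carry over to any real workflow: recovered bytes are only ever printed through %q, which is the in-code equivalent of the README's advice to redirect -print output to a file rather than a terminal, and a truncated or CRC-damaged file is still scanned up to the point of damage rather than rejected outright, so a malformed trailer cannot hide an indicator that precedes it.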

Exit status

  • On detection: 0
  • On no detection: 10
  • On any other error: 1

Directories

Path Synopsis
cmd
pluck
pluck attempts to parse all the files in a directory as PNGs and extracts any tEXt and zTXt chunks matching a regex into an output directory.
internal
image/png
Package png implements a PNG image decoder and encoder.
imutil
Package imutil provides functionality for working with files created by ImageMagick.
