CVE-2023-44441 - Remote Code Execution in GIMP via DDS File Parsing (Heap-based Buffer Overflow)

Summary:
A critical vulnerability, tracked as CVE-2023-44441 (also ZDI-CAN-22093), was discovered in GIMP (GNU Image Manipulation Program). This bug allows attackers to execute arbitrary code on your machine whenever you open a specially crafted DDS (DirectDraw Surface) image. The problem lies in how GIMP parses DDS files: it doesn't check the size of certain chunks, leading to a heap-based buffer overflow. If you open a malicious DDS file (even from a trusted website or email), your system could be compromised.

Overview

GIMP is a popular, open-source graphics editor used worldwide. Like many image programs, GIMP supports a variety of file formats, including DDS, which is common in game textures and graphics work. Unfortunately, a flaw in how GIMP processes DDS files could allow an attacker to run code remotely—just by convincing someone to open a malicious image.

This makes *user interaction* (like opening an email attachment or dragging-and-dropping an image) the only thing required to exploit this vulnerability.

Where is the Problem?

The vulnerability comes from GIMP's DDS import plugin (file-dds.exe on Windows, or file-dds on Linux/Mac), which doesn’t properly validate chunk length fields when copying image data. If an attacker crafts a DDS file with an oversized or abnormal chunk, GIMP doesn't notice—and ends up copying too much data into a fixed-size heap buffer.

Result: Heap-based buffer overflow, allowing malware to overwrite key data in memory, control code flow, and execute attacker-controlled commands.

Code Snippet (Simplified, for Explanation)

// Vulnerable pseudo-code
char buffer[512];
int chunk_length = read_dds_chunk_length(file);
fread(buffer, chunk_length, 1, file);

// The problem: 'chunk_length' may be larger than 'buffer'!

In this simplified snippet, chunk_length is read from the file without checking if it is too large for the buffer. If an attacker sets chunk_length to - for example - 2048, the call to fread will overflow the buffer, corrupting the heap.

Real-World Exploitation

An attacker can create a malicious DDS file and lure a user to open it with GIMP. When GIMP tries to parse and display this file, the overflow happens. The attacker’s payload—embedded in the DDS file—is now able to execute in the context of GIMP's process.

This could mean data theft, malware installation, or even full system compromise, depending on your setup.

PoC: How an Exploit Works

*Important: The following is for educational and defensive purposes only!*

Imagine the attacker creates a DDS file where the chunk_length field is set to 2048, but the buffer in GIMP is only 512 bytes. When GIMP copies the image data, it writes beyond the buffer's end, and the extra data (which could be shellcode) gets loaded into memory and eventually executed.

Sample Exploit Flow (abstract)

# PoC DDS malformed header (pseudocode)
with open("exploit.dds", "wb") as f:
    f.write(b'DDS ')            # Magic bytes
    f.write(generate_header())  # Write normal header
    payload = b'\x90' * 512     # NOP sled
    payload += shellcode        # Malicious payload
    f.write(struct.pack('I', 2048))  # Overlarge chunk length!
    f.write(payload)
# Wherever opened: triggers heap corruption in GIMP

If opened by GIMP, this file could let the attacker execute any code they wish.

Affected Versions

- Confirmed: GIMP prior to fixed version/release.

Remediation

- Update GIMP: Always use the latest version. Download here

References

- GIMP Official Site & Downloads
- ZDI-23-1583 / ZDI-CAN-22093 Advisory
- CVE-2023-44441 in the NVD
- GIMP GitLab Security Issue (replace XXXX with issue number, if public)

Summary Table

| Category | Details |
|-------------------|--------------------------------|
| Vulnerability | Heap Buffer Overflow |
| Affected | GIMP DDS Plugin (all platforms) |
| Exploitability| Remote (user opens file) |
| Impact | Code Execution |
| CVE | CVE-2023-44441 |
| ZDI Ref. | ZDI-CAN-22093 |

Final Thoughts

With this vulnerability, simply opening the wrong image could cost you your system. When working with popular software like GIMP, always keep it up-to-date, and don’t trust files or links from unknown sources. If you don't need exotic image formats like DDS, consider disabling support for them.

Timeline

Published on: 05/03/2024 03:15:59 UTC
Last modified on: 06/05/2024 15:19:40 UTC