CVE-2023-44442 - GIMP PSD File Parsing Heap-Based Buffer Overflow Leads to Remote Code Execution

In late 2023, a critical vulnerability was identified in the GNU Image Manipulation Program (GIMP) relating to how it handles Photoshop (PSD) files. Tracked as CVE-2023-44442 (formerly ZDI-CAN-22094), this security flaw allows attackers to run arbitrary code on a victim's system simply by getting them to open a specially-crafted PSD file. This post will explain the vulnerability, show how it can be exploited, and provide code snippets and references for further reading.

What Is GIMP and Why Does It Matter?

GIMP is one of the most widely-used open-source image editors, popular for its powerful feature set and cross-platform support. Because GIMP is often used to handle various image file formats—including PSD, Adobe Photoshop’s native format—it can be a target for specially-crafted file attacks. These attacks can impact users ranging from graphic designers to organizations relying on GIMP for day-to-day tasks.

Vulnerability Overview

- CVE: CVE-2023-44442

Impact: Remote Code Execution (RCE) in the context of the user opening the file

- User Interaction: Yes; victim must open a malicious file or visit a page that triggers GIMP to open the file

Original Disclosure

This flaw was originally reported via the Zero Day Initiative as ZDI-CAN-22094.

Where’s the Bug?

The vulnerability lives in the PSD file parser in GIMP’s codebase. When handling certain metadata inside a PSD file, GIMP does not properly check if a user-provided length value is as small as it should be—before it copies data into a heap buffer. If an attacker creates a crafted PSD where the reported length value is very large, GIMP allocates a buffer that isn’t big enough and then copies even more data into it, causing a buffer overflow.

Such heap buffer overflows can let an attacker corrupt memory on the heap, control data structures, and eventually redirect execution to code of their choosing.

Example Vulnerable Code (Simplified Snippet)

// Parsing resource (simplified, real code in GIMP's PSD plugin)
uint32_t length;
fread(&length, 4, 1, fp); // Read user-supplied length
char *buffer = g_malloc(length); // Allocate buffer

// Incorrect: No check if fread will write more than allocated!
fread(buffer, 1, length, fp); // Attacker controls 'length' here

In the actual GIMP code, additional error-checking may exist, but the essence is that the length value is not properly validated before being trusted, causing the overflow.

How Could a Malicious Actor Exploit This?

To exploit CVE-2023-44442, an attacker needs to trick a user into opening a malicious PSD file. This can happen via:

Instant messaging: Sending the file over messaging platforms

Once the file is opened with a vulnerable GIMP version, the malicious file data overflows the allocated buffer and overwrites important data. With precise crafting, this allows embedded code inside the PSD to execute as the user running GIMP, potentially leading to data theft, malware installation, or system compromise.

Below is a simple conceptual pseudocode PoC for the malformed PSD file

# Create a PSD file with malformed length field
with open("exploit.psd", "wb") as f:
    f.write(b"8BPS")        # PSD signature
    f.write(b"\x00\x01")    # Version 1
    f.write(b"\x00"*6)      # Reserved
    # ... (necessary PSD headers)
    f.write(struct.pack(">I", x100000)) # Maliciously large resource block length
    f.write(b"A"*x100000) # Overrun the receiving buffer in GIMP's parser

In a real-world exploit, the attacker would place shellcode in the overflow data that gets executed as GIMP’s process.

Heap overflow occurs

4. Attacker's code (embedded in the PSD file) is triggered within the context of the victim's user account

Patching and Mitigation

GIMP developers have released patches that properly validate user-controlled length fields in PSD parsing routines. If you use GIMP, update to the latest version immediately from the official downloads page. If you’re on Linux, make sure your package manager provides the latest patched version.

Further References

- CVE-2023-44442 Report - NVD
- Zero Day Initiative advisory (ZDI-CAN-22094)
- GIMP Official News

Conclusion

CVE-2023-44442 is a textbook example of why careful handling of user-controlled data in file parsers is so important: a single missed check can lead to full system compromise. Always keep your software updated, be wary of files from unknown sources, and remember that even trusted apps can hide dangerous vulnerabilities.

Timeline

Published on: 05/03/2024 03:15:59 UTC
Last modified on: 05/03/2024 12:48:41 UTC