CVE-2023-44443 - GIMP PSP File Parsing Integer Overflow Remote Code Execution Explained
GIMP, the popular free and open-source image editor, recently patched a serious security flaw known as CVE-2023-44443 (also tracked as ZDI-CAN-22096). This long-read post breaks down what you need to know about the vulnerability, how it could be exploited, and how to stay safe. We’ll keep it simple and clear, with original references and a close look at the technical details.
What Is CVE-2023-44443?
CVE-2023-44443 is a remote code execution vulnerability in GIMP, triggered by how the application parses Paint Shop Pro (PSP) files. If an attacker convinces a user to open a specially crafted PSP file, malicious code can execute on the user’s system with their privileges—putting personal files and system integrity at risk.
How Does the Vulnerability Work?
The issue starts with improper validation of user-supplied data when GIMP parses a PSP file. Here’s a simplified breakdown:
PSP File Structure Parsing: GIMP reads header & image data sizes from the file.
2. Integer Overflow Risk: A malicious file reports image dimensions (width, height) so large that when multiplied, the value overflows the storage limit (e.g., a 32-bit integer wraps to a small, non-suspicious value).
Memory Misallocation: The application allocates a small buffer due to the overflowed value.
4. Buffer Overflow: GIMP tries to copy more data (controlled by attacker) than the buffer can handle, leading to corruption.
5. Arbitrary Code Execution: Carefully crafted data can hijack execution flow, running attacker code.
Code Snippet: Roots of the Integer Overflow
Here’s a simplified code sample, for illustration, similar to what the vulnerable GIMP plug-in might have done:
uint32_t width, height;
// values parsed directly from file, no validation
fread(&width, sizeof(width), 1, psp_file);
fread(&height, sizeof(height), 1, psp_file);
// Compute size for the image data
uint32_t total_pixels = width * height;
// ... Use total_pixels to malloc a buffer
uint8_t *image_data = malloc(total_pixels);
// Now, read total_pixels bytes into buffer
fread(image_data, 1, total_pixels, psp_file);
If width and height are large enough that width * height exceeds the maximum value for uint32_t (4,294,967,295), it wraps around, so total_pixels is small, malloc allocates a tiny buffer, but fread (based on attacker-controlled values) reads a much larger chunk—overflow!
The attacker crafts a .psp file with huge dimensions
import struct
with open('malicious.psp', 'wb') as f:
# PSP magic bytes and header omitted for clarity
f.write(struct.pack('<I', x40000010)) # huge width
f.write(struct.pack('<I', x40000010)) # huge height
# Add lots of controlled bytes after header...
f.write(b'A' * 100000) # actual exploit code/instructions
3. Execution
When GIMP opens this PSP file, the integer overflow causes a small allocation and a huge buffer overrun, letting the attacker's code take control.
References and Patch
- CVE-2023-44443 at NIST
- Zero Day Initiative Advisory (ZDI-CAN-22096) *(link may update after publication)*
- Official GIMP Security Notice *(Check release notes for mentions of PSP fix)*
- GIMP GitLab Patch
How to Stay Safe?
- Update GIMP: Always use the latest version from gimp.org.
Be Cautious: Never open unknown image files, even if they have friendly extensions like .psp.
- Disable PSP Plug-In: If you don't use Paint Shop Pro files, you may consider disabling or removing the PSP import plug-in.
Conclusion
CVE-2023-44443 shows how even simple image files can become vehicles for dangerous attacks. Open-source projects like GIMP can be especially vulnerable due to a large codebase and diverse plug-in ecosystem. The best protection? Stay vigilant, keep software updated, and be careful with files from unknown sources.
Stay safe, and always keep your tools up to date!
If you found this helpful, share to inform fellow designers and editors—security is everyone’s responsibility!
Timeline
Published on: 05/03/2024 03:16:00 UTC
Last modified on: 07/08/2024 17:02:44 UTC