Anonymous ID: aa4fd6 Sept. 30, 2023, 1:38 p.m. No.19640631

https://blog.isosceles.com/the-webp-0day/

The WebP 0-day (security bug in WebP processing; WebP is Google's new image format)

Early last week, Google released a new stable update for Chrome. The update included a single security fix that was reported by Apple's Security Engineering and Architecture (SEAR) team. The issue, CVE-2023-4863, was a heap buffer overflow in the WebP image library, and it had a familiar warning attached:

"Google is aware that an exploit for CVE-2023-4863 exists in the wild."

This means that someone, somewhere, had been caught using an exploit for this vulnerability. But who discovered the vulnerability and how was it being used? How does the vulnerability work? Why wasn't it discovered earlier? And what sort of impact does an exploit like this have?

Google's OSS-Fuzz project has fuzzed hundreds of open source libraries for many years now, including libwebp and many other image decoding libraries. It's possible to look in full detail at the code coverage for OSS-Fuzz projects, and it's clear that lossless support for WebP was being fuzzed extensively:

The problem, we now know, is that this format is incredibly complex and fragile, and the preconditions to trigger this issue are immense. Out of billions of possibilities, we have to construct a sequence of 4 valid Huffman tables that are maximally sized for two different alphabet sizes (280 and 256) before constructing a very specific type of invalid Huffman table for a third alphabet size (40). If a single bit is wrong at any stage, the image decoder throws an error and nothing bad happens.

What a coincidence.

The bad news is that exploits like this continue to have societal ramifications, and we can only guess how bad the situation really is. The truth is that nobody knows for sure, even the people with exploits.

The bad news is that Android is still likely affected. Similar to Apple's ImageIO, Android has a facility called the BitmapFactory that handles image decoding, and of course libwebp is supported. As of today, Android hasn't released a security bulletin that includes a fix for CVE-2023-4863 – although the fix has been merged into AOSP. To put this in context: if this bug does affect Android, then it could potentially be turned into a remote exploit for apps like Signal and WhatsApp. I'd expect it to be fixed in the October bulletin.

The bad news is that libwebp is used in a lot of places, and it could be a while until the patch reaches saturation. Also, the code is still very difficult to reason about, and we can't rely on fuzzers to find any other bugs that are lurking here.

Anons should disable webp support if possible.

Android phones are fucked, especially the ones without updates, which is 99% of them.

Any image can trigger this. Even an image sent via e-mail.
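Worked example added here (not code from the blog post, from this thread, or from libwebp itself): the preconditions quoted above hinge on whether each set of Huffman code lengths in the image is valid. The check below is the standard Kraft-sum test a decoder should run on a code-length set before building any lookup table from it, so that an over-subscribed or otherwise malformed set is rejected up front; the 15-bit maximum length, the single-symbol convention and the constructed 280-symbol sample code are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CODE_LENGTH 15  /* assumed cap for this example: at most 15-bit codes */

typedef enum { CODE_BAD_LENGTH = -2, CODE_OVERSUBSCRIBED = -1,
               CODE_INCOMPLETE = 0, CODE_COMPLETE = 1 } CodeStatus;

/* Kraft-sum check on per-symbol code lengths (0 = symbol unused).
 * A length-L code consumes 2^(MAX_CODE_LENGTH - L) units of a code space of
 * 2^MAX_CODE_LENGTH units; the set is only valid if the total never exceeds it. */
CodeStatus check_code_lengths(const uint8_t *lengths, size_t n) {
    uint32_t space = 1u << MAX_CODE_LENGTH;  /* code space still unassigned */
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        uint8_t len = lengths[i];
        if (len == 0) continue;
        if (len > MAX_CODE_LENGTH) return CODE_BAD_LENGTH;
        uint32_t unit = 1u << (MAX_CODE_LENGTH - len);
        if (unit > space) return CODE_OVERSUBSCRIBED;  /* reject before any table is built */
        space -= unit;
        used++;
    }
    /* Assumed convention: a single used symbol is a complete zero-bit code;
     * any other set must consume the whole code space to be complete. */
    if (used == 1) return CODE_COMPLETE;
    return space == 0 ? CODE_COMPLETE : CODE_INCOMPLETE;
}

/* Constructed sample: a complete 280-symbol code (256 codes of 9 bits, 16 of
 * 6 bits, 8 of 5 bits: 256/512 + 16/64 + 8/32 = 1), 280 being the larger
 * alphabet size the post mentions. With corrupt != 0 one length is shortened,
 * which over-subscribes the code space and must be rejected. */
CodeStatus demo_280_status(int corrupt) {
    uint8_t lengths[280];
    memset(lengths, 9, 256);
    memset(lengths + 256, 6, 16);
    memset(lengths + 272, 5, 8);
    if (corrupt) lengths[279] = 4;
    return check_code_lengths(lengths, 280);
}

int main(void) {
    printf("280-symbol complete code: %d\n", demo_280_status(0));        /* 1 */
    printf("same code with one bad length: %d\n", demo_280_status(1));   /* -1 */
    return 0;
}
```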

Anonymous ID: aa4fd6 Sept. 30, 2023, 1:57 p.m. No.19640771

>>19640749

Holy fuck, why is my post about FUCKING WebP images ignored?

Do you understand how serious this is?

Even 8kun allows uploading webp images.

Any software that can't get a patch is vulnerable to this glow nigger exploit shit.

Anonymous ID: aa4fd6 Sept. 30, 2023, 2 p.m. No.19640808

>>19640781

Critical vulnerability in webp image code, known for a few weeks now.

You understand what a webp image is?

It's a shitty Google image format, which is supported by basically all browsers, because it saves these assholes a bit of bandwidth, but costs you a bit more CPU power to decompress. And has exploits built into it.

Build a webp exploit image. Upload anywhere or send via e-mail and hack tons of computers and other devices.

Android phones that do not get patches anymore, but are still used, are fucked.

That may be the start of the digital corona pandemic.

Anonymous ID: aa4fd6 Sept. 30, 2023, 2:02 p.m. No.19640836

>>19640816

You send basically random data to a program or code of a program and see if it crashes.

Yes, that's idiotic, but it's done and people call that good security testing.

Of course this security issue is by pure chance hidden in a way that there is basically no chance it will get detected that way. That makes me think the bug is a glow nigger exploit bug, and was intentionally put there.

Anonymous ID: aa4fd6 Sept. 30, 2023, 2:04 p.m. No.19640849

>>19640816

>and nobody gives a shit about Android OS anyway

webp image support is in basically all browsers too.

Firefox

Microsoft Edge

Chrome

Do you understand how bad this actually is?

And this one even says that they can't be sure that there aren't any more hiding.

You can't even disable support for this shit easily. You can modify accept-headers, but that doesn't stop web browsers from still sending you that shit.