A Vulnerability to Hack The World - CVE-2023-4863
5,811Citizenlab discovered BLASTPASS, a 0day being actively exploited in the image format WebP. Known as CVE-2023-4863 and CVE-2023-41064, an issue in webp's build huffman table function can lead to a heap buffer overflow. This vulnerability is very interesting and I'm excited to share with you what I learned.
Want to learn hacking? Signup to https://hextree.io (ad)
Buy my shitty font: https://shop.liveoverflow.com/ (ad)
WebP Fix Commit: https://chromium.googlesource.com/webm/libwebp/+/902bc9190331343b2017211debcec8d2ab87e17a
Citizenlab: https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
Ben Hawkes: https://blog.isosceles.com/the-webp-0day/
Software Updates
Apple https://support.apple.com/en-gb/106361
Chrome https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
Firefox https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
Android https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
Whose CVE is it Anyway? https://adamcaudill.com/2023/09/14/whose-cve-is-it-anyway/
References:
2014 bug introduction https://github.com/webmproject/libwebp/commit/f75dfbf23d1df1be52350b1a6fc5cfa6c2194499
https://www.youtube.com/watch?v=JsTptu56GM8
https://www.youtube.com/watch?v=B3y0RsVCyrw
https://www.youtube.com/watch?v=EFUYNoFRHQI
https://www.youtube.com/watch?v=iEm1NRyEe5c
https://stackoverflow.com/questions/13804629/huffman-code-with-lookup-table
https://web.archive.org/web/20230204211844/https://commandlinefanatic.com/cgi-bin/showarticle.cgi?article=art007
enough.c https://github.com/madler/zlib/blob/develop/examples/enough.c
Thanks to:
https://twitter.com/mistymntncop
https://twitter.com/benhawkes
Chapters:
00:00 - Intro to CVE-2023-4863
01:32 - Most Valuable Vulnerability?
03:02 - Heap Overflow Related to Huffman Trees
03:58 - Learning about Huffman Codes
06:24 - What are Huffman Tables?
10:24 - Hardcoded Table Sizes (enough.c)
12:21 - Code Walkthrough - BuildHuffmanTable()
13:04 - The code_lengths[] and count[] Arrays
15:14 - Difference Between Compression and Decompression!
17:04 - Outro
=[ ❤️ Support ]=
→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join
2nd Channel: https://www.youtube.com/LiveUnderflow
=[ 🐕 Social ]=
→ Twitter: https://twitter.com/LiveOverflow/
→ Streaming: https://twitch.tvLiveOverflow/
→ TikTok: https://www.tiktok.com/@liveoverflow_
→ Instagram: https://instagram.com/LiveOverflow/
→ Blog: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/