My theory on how the webp 0day was discovered #short



Summary and Key Points

Short Summary

The primary mistake in the WebP image decoder was over-reliance on the output of a tool called enough.c (from zlib) to fix the maximum possible Huffman table size. The video's author points to the same risk in other image decoders, such as JPEG, where a hardcoded table size rests on the assumption that the input is well-formed, an assumption that a malformed file can violate and that an attacker can exploit.

Key Points

  • The WebP decoder mistakenly trusted the results of enough.c when sizing its Huffman lookup tables.
  • The same pattern may exist in other image formats and compression libraries that rely on similar precomputed bounds.
  • The research consisted of searching C code on GitHub for places where enough.c is referenced.
  • One instance was found in a JPEG Huffman decode header (brunsli's jpeg_huffman_decode.h), which contains a hardcoded maximum table size.
  • That size assumes input JPEG files adhere to the standard, an assumption a maliciously crafted file can break.
  • This suggests a potential vulnerability class that attackers targeting image decoders could exploit.
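The key points describe a bound on Huffman table size that is only valid when the code lengths read from the file are well-formed. The following C code, an added illustration that is not from the video, libwebp, zlib or brunsli, shows the defensive alternative: validate the code lengths with the Kraft inequality first, then compute the two-level table size the lengths actually require, and reject the table before any entry is written if it exceeds the caller's budget. MAX_CODE_LENGTH, ROOT_BITS, the function names and the sample length arrays are all assumptions chosen for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_CODE_LENGTH 15          /* assumed limit, as used by DEFLATE-style codes */
#define ROOT_BITS 8                 /* assumed width of the first-level lookup table */
#define ROOT_ENTRIES (1u << ROOT_BITS)

typedef enum {
    HUFF_OK = 0,             /* complete prefix code: Kraft sum exactly 1 */
    HUFF_INCOMPLETE = 1,     /* Kraft sum below 1: some codes are unused */
    HUFF_OVERSUBSCRIBED = 2, /* Kraft sum above 1: cannot be a prefix code */
    HUFF_BAD_LENGTH = 3      /* a length exceeds MAX_CODE_LENGTH */
} huff_status;

/* Validate untrusted code lengths (0 = symbol unused) and fill count[len].
 * Mirrors the zlib-style "left" bookkeeping: each length doubles the available
 * code space and subtracts the codes consumed at that length. */
huff_status huff_validate_lengths(const uint8_t *lengths, size_t n_symbols,
                                  uint32_t count[MAX_CODE_LENGTH + 1]) {
    memset(count, 0, (MAX_CODE_LENGTH + 1) * sizeof(uint32_t));
    for (size_t i = 0; i < n_symbols; i++) {
        if (lengths[i] > MAX_CODE_LENGTH) return HUFF_BAD_LENGTH;
        count[lengths[i]]++;
    }
    int64_t left = 1;
    for (int len = 1; len <= MAX_CODE_LENGTH; len++) {
        left = (left << 1) - (int64_t)count[len];
        if (left < 0) return HUFF_OVERSUBSCRIBED;
    }
    return left > 0 ? HUFF_INCOMPLETE : HUFF_OK;
}

/* Convenience wrapper that discards the counts. */
huff_status huff_check(const uint8_t *lengths, size_t n_symbols) {
    uint32_t count[MAX_CODE_LENGTH + 1];
    return huff_validate_lengths(lengths, n_symbols, count);
}

/* Entries a two-level table needs: 2^ROOT_BITS root entries plus one second-level
 * table per root prefix, sized by the longest code sharing that prefix.
 * Returns 0 unless the lengths form a complete prefix code. */
uint32_t huff_table_entries_needed(const uint8_t *lengths, size_t n_symbols) {
    uint32_t count[MAX_CODE_LENGTH + 1];
    if (huff_validate_lengths(lengths, n_symbols, count) != HUFF_OK) return 0;

    /* canonical code assignment as in RFC 1951 section 3.2.2 */
    uint32_t next_code[MAX_CODE_LENGTH + 1];
    uint32_t code = 0;
    count[0] = 0;
    for (int len = 1; len <= MAX_CODE_LENGTH; len++) {
        code = (code + count[len - 1]) << 1;
        next_code[len] = code;
    }
    uint8_t max_len_for_prefix[ROOT_ENTRIES];
    memset(max_len_for_prefix, 0, sizeof max_len_for_prefix);
    for (size_t i = 0; i < n_symbols; i++) {
        uint8_t len = lengths[i];
        if (len == 0) continue;
        uint32_t c = next_code[len]++;
        if (len > ROOT_BITS) {
            uint32_t prefix = c >> (len - ROOT_BITS); /* top ROOT_BITS bits of the code */
            if (len > max_len_for_prefix[prefix]) max_len_for_prefix[prefix] = len;
        }
    }
    uint32_t total = ROOT_ENTRIES;
    for (uint32_t p = 0; p < ROOT_ENTRIES; p++) {
        if (max_len_for_prefix[p] > 0) total += 1u << (max_len_for_prefix[p] - ROOT_BITS);
    }
    return total;
}

/* The check a decoder should make before filling a fixed-size table: the required
 * size is derived from the validated input, not from a precomputed maximum. */
int huff_fits_budget(const uint8_t *lengths, size_t n_symbols, uint32_t budget_entries) {
    uint32_t needed = huff_table_entries_needed(lengths, n_symbols);
    return needed != 0 && needed <= budget_entries;
}

/* Constructed sample inputs for this example. */
static const uint8_t SAMPLE_FLAT[] = {2, 2, 2, 2};                      /* complete, all in root */
static const uint8_t SAMPLE_DEEP[] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 10}; /* complete, needs a 2nd level */
static const uint8_t SAMPLE_OVERSUBSCRIBED[] = {1, 1, 1};               /* three 1-bit codes: impossible */
static const uint8_t SAMPLE_BAD[] = {16};                               /* exceeds MAX_CODE_LENGTH */

int main(void) {
    printf("flat:  status=%d entries=%u\n", huff_check(SAMPLE_FLAT, 4),
           huff_table_entries_needed(SAMPLE_FLAT, 4));
    printf("deep:  status=%d entries=%u fits(259)=%d\n", huff_check(SAMPLE_DEEP, 11),
           huff_table_entries_needed(SAMPLE_DEEP, 11), huff_fits_budget(SAMPLE_DEEP, 11, 259));
    printf("over:  status=%d\n", huff_check(SAMPLE_OVERSUBSCRIBED, 3));
    return 0;
}
```

For SAMPLE_DEEP the canonical codes of length 9 and 10 all share root prefix 0xFF, so the table needs 256 root entries plus a 4-entry second-level table; a budget of 259 is rejected before any write happens, which is the ordering the hardcoded-maximum approach gets wrong.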

YouTube Channel: LiveOverflow
Video Published: 2024-09-30T14:00:17+00:00

Video Description:
Want to learn more about hacking? Check out our courses on https://www.hextree.io (ad)

I have spent many hours looking at the webp vulnerability used in the 0day attack against iPhones. In the previous videos we have seen why fuzzers have a hard time finding the issue, so I wanted to understand how this was discovered. And I think I have a good theory!

Part 1: Huffman Tables https://youtu.be/lAyhKaclsPM
Part 2: Fuzzing libwebp https://youtu.be/PJLWlmp8CDM

Sources:
https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
https://googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surface-of.html
https://googleprojectzero.blogspot.com/2020/01/remote-iphone-exploitation-part-1.html
https://googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html
https://github.com/seemoo-lab/frida-scripts/blob/main/scripts/libdispatch.js
https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
https://citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022/
https://github.com/libjxl/libjxl/blob/4b9dbde293f7f282b6952a02340300abfca2b184/lib/jxl/huffman_table.cc#L51
https://github.com/webmproject/libwebp/blob/7861947813b7ea02198f5d0b46afa5d987b797ae/src/dec/vp8l_dec.c#L86C3-L86C76
https://github.com/Tencent/mars/blob/9ab46e19ed3d4fcafe9d0de4b36547321f5ead83/mars/comm/windows/zlib/inftrees.h#L41
https://github.com/google/brunsli/blob/master/c/enc/jpeg_huffman_decode.h#L20

00:00 - Intro
01:18 - The iPhone Remote Attack Surface
02:49 - Targeting iMessage
04:04 - Dangerous Parsing / BlastDoor
06:53 - Image I/O and libwebp
08:11 - A Pattern of Image Vulnerabilities
09:28 - Huffman Tables are Everywhere!
10:50 - My Theory: known issue with enough.c
13:50 - Outro

=[ ❤️ Support ]=

→ per Video: https://www.patreon.com/join/liveoverflow
→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

2nd Channel: https://www.youtube.com/LiveUnderflow

=[ 🐕 Social ]=

→ Twitter: https://twitter.com/LiveOverflow/
→ Streaming: https://twitch.tv/LiveOverflow/
→ TikTok: https://www.tiktok.com/@liveoverflow_
→ Instagram: https://instagram.com/LiveOverflow/
→ Blog: https://liveoverflow.com/
→ Subreddit: https://www.reddit.com/r/LiveOverflow/
→ Facebook: https://www.facebook.com/LiveOverflow/