Heap Buffer Overflow in libwebp in Google Chrome - CVE-2023-4863
PreviousCVE-2023-48795 Zafiyeti ve Bazı Mitigation Adımlarının GerçekleştirilmesiNextHTTP/2 ‘Rapid Reset’ DDoS atağı CVE-2023-44487
Last updated
Last updated
Use what I'm about to say in this article only for the right purposes, such as raising security awareness and improving the security posture of your environments. I do not accept any responsibility for other uses.
WebP is an open-source image format developed by Google. WebP enables higher quality images in smaller file sizes. The libwebp package, released by Google, encodes and decodes images in WebP format and is used widely across the internet for lossless image compression.
The image parsing library libwebp is the core of the recently identified heap buffer overflow vulnerability and zero-day exploit that impacts Google Chrome and other Chromium-based browsers for Windows, macOS, and Linux, as well as any software or web application that uses the libwebp library. (Source:)
In Google Chrome, versions before 116.0.5845.187 and libwebp 1.3.2 are affected by these vulnerabilities. Chromium security severity is Critical.
Since many applications use the webp library, many applications are affected by this vulnerability and the CVSS score is 8.8. Here are some apps that may be affected.
Category
Products
Web Browsers
Google Chrome, Safari, Microsoft Edge, Mozilla Firefox, Tor, Beaker (web browser), GNOME Web, Midori, OhHai Browser, Pale Moon, SEOBrowse
Social Media
Discord, Facebook, Instagram, Linked, Pinterest, Reddit, Telegram, Twitter, WhatsApp,
Video Platforms
Lbry, Twitch, Vimeo, YouTube, YTMDesktop App
Cloud Storage
Amazon Photos, Dropbox, Google Drive, Google Photos
Ecommerce
Amazon, Ebay, Etsy, Shopify, WooCommerce
CMS
Drupal, Joomla, MediaWiki, WordPress
Email Services
Gmail
Forum Software
PHPBB, vBulletin, XenForo
Photo Editing
GDAL, GIMP, Graphic Converter, ImageMagick, Paint.NET, Photoshop, Photoshop and Picasa, Pixelmator, XnView
Game Engines
Godot Engine, Unreal Engine, Unity
Desktop Software
1Password, Basecamp 3, Bitwarden, Blender, Cryptocat (discontinued), Discord, Discord RPC Maker, Electron App Store (Unofficial), Etcher,
Web Servers
Apache, IIS, nginx
Major Companies
Facebook, Google, Slack, Wikimedia, WordPress.com
So let's perform the POC of this vulnerability.
Let's download the libwebp library from Google source.
Let's go to the webp_test folder.
Then, let's move on to the relevant commit.
Let's enable AddressSanitizer (ASan). This tool helps detect address corruption errors in C and C++ programs.
Let's compile the makefile.unix file.
At this point you may encounter errors that some files are missing. I will show what I encountered in words and share the commands that will solve it.
Let's install libjpeg-dev.
Then install libpng-dev
Install the libtiff-dev.
Then, compile the makefile.unix file again.
Then, go to the examples folder.
Let's download the C source code named craft.c.
Let's compile the C source code named craft.c. As a result of the compiled code, it will give us an output file named craft.
Let's give the bad.webp image as input to the craft file.
Then let's run our last command.
Heap buffer overflow occurs exactly at this stage.
The output shows us that the dwebp program encountered a heap buffer overflow. This means that the program is trying to write data to a memory location that it is not allowed to access. Our AddressSanitizer (ASan) debugger tool worked as we expected and informed us that heap buffer overflow had occurred. The error occurs in the BuildHuffmanTable function, which is part of the WebP library.
As we see in the error description, it occurs in the memory area at 0x626000002f28.
In the section below, we see the function that triggered the error. That is, the BuildHuffmanTable function.
AddressSanitizer uses Shadow Bytes when doing this debugging. Shadow Bytes can basically be thought of as a copy of the real memory, and when an error occurs, AddressSanitizer works on shadow bytes and carries information about the values of the relevant address blocks in memory at the time the error occurred.
(List source: )
-> -> -> ->
