Recent events have demonstrated very clearly just how persistent and widespread the Pegasus spyware is. For those who have missed the subtle clues, we have tried to construct a clear picture. We attempted to follow the timeline of events, but have made some adjustments to keep the flow of the story alive.

On Septem… we published two blogs urging our readers to urgently patch two Apple issues which were added to the catalog of known exploited vulnerabilities by the Cybersecurity & Infrastructure Security Agency (CISA), and to apply an update for Chrome that included one critical security fix for an actively exploited vulnerability. The vulnerabilities were discovered as zero-days by CitizenLab, while checking the device of an individual employed by a Washington DC-based civil society organization with international offices. The exploit chain based on these vulnerabilities was capable of compromising devices without any interaction from the victim and was reportedly used by the NSO Group to deliver its infamous Pegasus spyware.

Both of the vulnerabilities, CVE-2023-41064 and CVE-2023-4863, were based on a heap buffer overflow in libwebp, the code library used to encode and decode images in the WebP format. This library can be used in other programs, such as web browsers, to add WebP support. Security expert Ben Hawkes figured out that the vulnerability was to be found in the "lossless compression" support for WebP, sometimes known as VP8L. A lossless image format can store and restore pixels with 100% accuracy, and WebP does this using an algorithm called Huffman coding.

As we saw in the vulnerability descriptions, both vulnerabilities were buffer overflow issues. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. The vulnerable versions of libwebp use memory allocations based on pre-calculated buffer sizes from a fixed table, and then construct the necessary Huffman tables directly into that allocation. By creating specially crafted image files that tricked libwebp into creating tables that were too small to contain all the values, the data would overflow into other memory locations.

Even a weathered security expert like Ben Hawkes, who figured out where the problem was, had a hard time finding a way to exploit this issue. Let alone how hard it must have been when there was no clue that a vulnerability even existed. It helps that libwebp is an open source library, so anyone interested can review the code. Ben explained that even extensive fuzzing had never revealed the problem. Ben wrote: “In practice, I suspect this bug was discovered through manual code review. Someone, or a group of people, must have taken it upon themselves to really dive into the code. In reviewing the code, you would see the huffman_tables allocation being made during header parsing of a VP8L file, so naturally you would look to see how it's used.”
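The sizing check whose absence the article describes, as an added illustration that is not libwebp's code and does not reproduce its two-level table layout: a simplified single-level canonical Huffman table builder that computes the table size from the code lengths found in the file and refuses to write when that size exceeds the buffer it was handed, rather than trusting a fixed expected size. MAX_CODE_LEN, the (symbol << 4 | length) entry layout and the sample lengths in the test are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_CODE_LEN 15   /* constructed limit for this example */

/* Slots a single-level canonical decode table needs: 2^(longest code).
 * Sized from the actual code lengths, not from a fixed expectation table. */
size_t needed_table_slots(const uint8_t *lens, size_t n) {
    unsigned m = 0;
    for (size_t i = 0; i < n; i++) if (lens[i] > m) m = lens[i];
    return (m == 0 || m > MAX_CODE_LEN) ? 0 : (size_t)1 << m;
}

/* The lengths must form a complete prefix code (Kraft sum exactly 1);
 * anything else leaves gaps or overlaps in the table. Returns 1 if so. */
int kraft_complete(const uint8_t *lens, size_t n) {
    uint32_t left = 1u << MAX_CODE_LEN;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] == 0) continue;
        if (lens[i] > MAX_CODE_LEN) return 0;
        uint32_t w = 1u << (MAX_CODE_LEN - lens[i]);
        if (w > left) return 0;                   /* oversubscribed */
        left -= w;
    }
    return left == 0;
}

/* Hardened builder: compute the size first and refuse to write unless the
 * table fits in `capacity`. Entries are (symbol << 4) | code_length, indexed
 * MSB-first by the next max_len input bits. Returns slots used, or -1. */
int build_table_checked(uint16_t *table, size_t capacity,
                        const uint8_t *lens, size_t n) {
    size_t need = needed_table_slots(lens, n);
    if (need == 0 || need > capacity || !kraft_complete(lens, n)) return -1;
    unsigned max_len = 0;
    while (((size_t)1 << max_len) < need) max_len++;
    uint32_t bl_count[MAX_CODE_LEN + 1] = {0}, next_code[MAX_CODE_LEN + 1] = {0};
    for (size_t i = 0; i < n; i++) bl_count[lens[i]]++;
    bl_count[0] = 0;   /* canonical assignment, DEFLATE style: shorter codes first */
    for (unsigned l = 1; l <= MAX_CODE_LEN; l++)
        next_code[l] = (next_code[l - 1] + bl_count[l - 1]) << 1;
    for (size_t s = 0; s < n; s++) {
        if (lens[s] == 0) continue;
        uint32_t code = next_code[lens[s]]++;
        size_t first = (size_t)code << (max_len - lens[s]);
        for (size_t k = 0; k < ((size_t)1 << (max_len - lens[s])); k++)
            table[first + k] = (uint16_t)((s << 4) | lens[s]);
    }
    return (int)need;
}
```

A caller that sizes its allocation from an expected-size table and then writes the table unchecked is the pattern the article describes; here the builder returns -1 and leaves the buffer untouched when the lengths in the input need more slots than were allocated.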