Brief description of the vulnerability
Recently, Apple, Google, Mozilla, Microsoft and other vendors have successively fixed a heap buffer overflow vulnerability in the libwebp component. The relevant timeline is as follows:
- On September 7, Apple released an emergency update to fix the iMessage 0-click vulnerability previously reported by the Citizen Lab of the University of Toronto. The vulnerability is believed to have been exploited by NSO's Pegasus spyware and was assigned CVE-2023-41064;
- On September 8, the libwebp developers submitted a commit to fix the heap buffer overflow vulnerability caused by an out-of-bounds write;
- On September 11 and 12, Google Chrome, Firefox and Microsoft Edge successively released updates, and CVE-2023-4863 was assigned for Chrome;
- On September 14, the libwebp project officially released version 1.3.2 to fix the buffer overflow vulnerability;
- On September 26, CVE-2023-5129 was assigned to libwebp itself.
Exploitation of this vulnerability is very complex, but libwebp is the de facto standard for parsing the WebP image format and is relied upon by many upper-layer applications. Besides client scenarios it may also affect servers, and it is frequently wrapped by other components, so its impact is very wide-ranging.
Basic vulnerability information
Vulnerability number | CVE-2023-5129 |
---|---|
Title | libwebp heap buffer overflow vulnerability |
Vulnerability type | Improper input validation (CWE-20) |
Rating | 10 |
Vulnerability level | Severe |
Disposal recommendation | Repair strongly recommended |
Required privileges | No privileges required |
Exploit conditions | The target application parses a WebP file maliciously constructed by the attacker |
Scope of impact | [0.5.0, 1.3.2) |
POC | Public |
Cause of vulnerability
When libwebp decodes lossless WebP images, it builds Huffman decoding tables from data carried in the image and uses them to recover the original pixels. When allocating memory for these tables, the decoder reserves space for all first-level and second-level tables up front. However, because the Huffman table data is read from the image and its size was not correctly validated, an attacker can construct an illegal Huffman table whose total size exceeds the pre-allocated buffer, leading to a heap buffer overflow.
A POC is now public: after generating a malicious WebP file, the vulnerability can be triggered by converting it to a PNG file with dwebp.
Impact Analysis
WebP is a raster graphics file format developed by Google for Web scenarios. It is smaller in size than file formats such as JPEG, PNG, and GIF. Google announced the WebP format in September 2010 and released the first stable version of its support library in April 2018.
libwebp is a library provided by Google for encoding and decoding WebP images and serves as the reference implementation of the WebP specification. WebP is natively supported in Google Chrome, Safari, Firefox, Edge, Opera and many other tools and software libraries, and is used on both the client and server sides.
Client
Due to the widespread use of the WebP format, various clients that process WebP images may be affected, such as:
- Photoshop's native WebP support and the webmproject/WebPShop plug-in for opening and saving WebP images in Photoshop
- Various browsers
- Mobile system SDKs: Apple's Image I/O framework, Android's ImageDecoder class
- Applications built on the Qt framework and the Electron framework
- Other applications that support the WebP format
Typical examples include: WeChat, Tencent Meeting, DingTalk, WPS Office, IntelliJ IDEA, Android Studio
Server
Typical server-side image and video processing software, such as FFmpeg, Affinity and GIMP, is also affected.
ImageMagick can add WebP support via the --with-webp=yes configure option, but its developers stated that they are currently unable to determine whether the attack path is reachable.
The libwebp component is provided in most Linux distributions. Security bulletins and patches have been released so far, including:
Distribution | Security bulletin |
---|---|
Ubuntu | https://launchpad.net/ubuntu/+source/libwebp/1.2.4-0.3 |
Debian | https://www.debian.org/security/2023/dsa-5497-2 |
Red Hat | https://access.redhat.com/errata/RHSA-2023:5309 |
Alpine | https://security.alpinelinux.org/vuln/CVE-2023-4863 |
Gentoo | https://security.gentoo.org/glsa/202309-05 |
SUSE | https://www.suse.com/security/cve/CVE-2023-4863.html |
Oracle | https://linux.oracle.com/cve/CVE-2023-4863.html |
Fedora | https://bodhi.fedoraproject.org/updates/FEDORA-2023-c4fa8a204d |
Anolis OS | https://anas.openanolis.cn/cves/detail/CVE-2023-4863 |
C/C++ open source projects that directly include libwebp
Murphy Security Lab analyzed popular open source projects on GitHub and found that many project source trees directly include libwebp, including at least:
Repository | Number of stars |
---|---|
https://github.com/electron/electron | 109k |
https://github.com/nginx/nginx (not enabled by default) | 19.1k |
https://github.com/tanersener/mobile-ffmpeg | 3.7k |
https://github.com/WaterfoxCo/Waterfox | 3.1k |
https://github.com/mozilla/gecko-dev | 2.9k |
https://github.com/ytsaurus/ytsaurus | 1.6k |
https://github.com/libgd/libgd | 835 |
https://github.com/zjupure/GlideWebpDecoder | 695 |
https://github.com/classilla/tenfourfox | 248 |
https://github.com/rmottola/Arctic-Fox | 238 |
https://github.com/papyrussolution/OpenPapyrus | 218 |
A typical example outside this list is the Sumatra PDF project.
Components containing libwebp in other languages
By analyzing the components in the Maven Central repository, we found that the following component packages directly include the libwebp dynamic link library:
- org.demen.android.opencv:opencv-img
- org.lucee:sejda-webp
- com.criteo:jvips
- io.github.darkxanter:webp-imageio
- org.sejda.webp-imageio:webp-imageio-sejda
- de.sg-o.lib:opencv
- com.facebook.spectrum:spectrum-webp
- de.marcreichelt:webp-backport
- org.demen.android.opencv:opencv_world
- cn.rongcloud.sdk:fu_beautifier
- io.github.greycode:ocrlite
- org.jetbrains.skiko:skiko-awt-runtime-linux-arm64
- org.robolectric:nativeruntime-dist-compat
- app.cash.paparazzi:layoutlib-native-linux
- com.freeletics.fork.paparazzi:layoutlib-native-linux
- org.jetbrains.skiko:skiko-jvm-runtime-linux-arm64
- com.github.zjupure:webpdecoder
- com.github.gotson:webp-imageio
- com.eworkcloud:ework-cloud-starter-image
- io.github.zumikua:webploader-desktop
- org.sejda.imageio:webp-imageio
- science.aist:aistcv
- com.computinglaboratory:opencv
- org.openpnp:opencv
- org.jetbrains.skiko:skiko-jvm-runtime-linux-x64
- com.facebook.fresco:webpsupport
- com.eworkcloud:starter.ework-cloud-starter-image
- io.github.humbleui:skija-linux-x64
- io.tiledb:tiledb-cloud-java
- app.cash.paparazzi:native-linux
- org.demen.android.opencv:opencv
- com.github.usefulness:webp-imageio
- org.jetbrains.skiko:skiko-awt-runtime-linux-x64
- com.aiyaapp.aiya:AyEffectSDK
- io.github.humbleui:skija-linux
- com.github.nintha:webp-imageio-core
Wrappers also exist in other languages, for example in Go:
- github.com/kolesa-team/go-webp
- github.com/tidbyt/go-libwebp
- github.com/nickalie/go-webpbin
The cwebp package on NPM and the webp package on PyPI both provide wrapped calls to the libwebp binaries.
Investigation recommendations
It is expected that in the coming period more upper-layer applications will release patches for the libwebp vulnerability. When investigating exposure, pay attention to the following ways libwebp may be introduced:
- For externally supplied clients and binaries, SCA can be used to check whether they contain a vulnerable libwebp component. The exported functions WebPCopyPlane and WebPCopyPixels, introduced in version 0.5.0, can be used as feature keywords for identifying libwebp; the VP8LHuffmanTablesAllocate function introduced in version 1.3.2 can be used as part of the feature keywords for identifying patched versions.
- The server may be running an upper-layer client application, such as a headless browser, which can be identified by inspecting the running processes.
- Code may introduce libwebp through static or dynamic linking. It may be self-compiled or installed through package managers such as yum/apt, and high-level languages may wrap calls to the dynamic link library, so system packages, processes and build artifacts all need to be checked for the presence of libwebp.
Where libwebp is used, it is recommended to upgrade to version 1.3.2 and to upgrade the corresponding system package.
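As an added example (not code from the advisory or from the libwebp project), the following Python applies the symbol-based check described above: it scans a binary's bytes for the NUL-terminated export names WebPCopyPlane, WebPCopyPixels and VP8LHuffmanTablesAllocate, the way a strings-based SCA rule would, and classifies the file against the [0.5.0, 1.3.2) range. The sample blobs are constructed stand-ins for a symbol table, not real libraries.

```python
"""Classify a binary by the libwebp export names used as feature keywords."""
import sys

# Symbols named in the advisory: the first two appear from libwebp 0.5.0
# (start of the affected range); the third was added by the 1.3.2 fix.
AFFECTED_SINCE_0_5_0 = (b"WebPCopyPlane", b"WebPCopyPixels")
FIXED_IN_1_3_2 = (b"VP8LHuffmanTablesAllocate",)


def _has_symbol(blob: bytes, name: bytes) -> bool:
    """True if `name` occurs as a whole NUL-terminated C string in the blob.

    Requiring the terminators avoids matching longer names that merely
    start with the keyword.
    """
    return blob.startswith(name + b"\0") or (b"\0" + name + b"\0") in blob


def classify_blob(blob: bytes) -> str:
    """Return 'no-libwebp', 'vulnerable-range' or 'patched'.

    'vulnerable-range' means the 0.5.0+ exports are present but the 1.3.2
    symbol is not, i.e. the binary falls in the advisory's [0.5.0, 1.3.2).
    Stripped or LTO-built binaries may lack the names entirely, so
    'no-libwebp' is a weaker signal than the other two results.
    """
    if not all(_has_symbol(blob, s) for s in AFFECTED_SINCE_0_5_0):
        return "no-libwebp"
    if all(_has_symbol(blob, s) for s in FIXED_IN_1_3_2):
        return "patched"
    return "vulnerable-range"


def classify_file(path: str) -> str:
    """Classify an on-disk binary (shared library, executable, wheel, ...)."""
    with open(path, "rb") as fh:
        return classify_blob(fh.read())


# Constructed sample "symbol tables" for demonstration; not real ELF/PE files.
SAMPLE_OLD = b"\0WebPDecode\0WebPCopyPlane\0WebPCopyPixels\0"
SAMPLE_NEW = SAMPLE_OLD + b"VP8LHuffmanTablesAllocate\0"
SAMPLE_NONE = b"\0libpng16\0png_read_info\0"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(f"{path}: {classify_file(path)}")
```

Run it as `python check_webp.py /path/to/libwebp.so.7 /path/to/app` to triage collected binaries; treat 'no-libwebp' on a stripped or statically linked binary as inconclusive and confirm through package metadata.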
Reference links
- https://blog.isosceles.com/the-webp-0day/
- https://github.com/ImageMagick/ImageMagick/discussions/6650
- https://github.com/mistymntncop/CVE-2023-4863
Murphy Security Enterprise Edition 0-day vulnerability and poisoning intelligence
Murphy Security's enterprise-level 0-day vulnerability and poisoning intelligence is built around completeness, accuracy, speed and precision. It provides customers with faster updates, more detailed analysis and reliable network-wide information, and also pushes a large amount of exclusive intelligence. Customers can use this intelligence for emergency response, software composition analysis product testing and other scenarios. The product has served dozens of corporate customers such as Ant and Meituan. Companies can currently apply for a trial in the following ways:
1. Scan the QR code on WeChat to apply:
2. Visit the application link:
https://murphysec.feishu.cn/share/base/form/shrcnUf2LcR1HuMkKab7yathocf
[About Murphy Security]
Murphy Security is a technology innovation company focusing on software supply chain security products. The core members of the team are all from Baidu, Huawei, and Shell, and have more than ten years of experience in enterprise security construction and attack and defense. Currently, it has served dozens of enterprise-level customers such as Ant, Xiaomi, Kuaishou, Meituan, Bank of China, China Mobile, and China Telecom.
[About Murphy Security Lab]
Murphy Security Lab is a security research team under Murphy Future Technology. It focuses on technical research in areas related to software supply chain security. Its focus includes: open source software security, program analysis, threat intelligence analysis, enterprise security governance, etc.