CVE-2023-5129 libwebp heap buffer overflow vulnerability impact analysis

Brief description of the vulnerability

Recently, Apple, Google, Mozilla, Microsoft and other vendors have been actively patching a buffer overflow vulnerability in the libwebp component. The timeline is as follows:

  1. On September 7, Apple released an emergency update for the zero-click iMessage vulnerability (CVE-2023-41064) previously reported by the Citizen Lab at the University of Toronto. The vulnerability is believed to have been exploited by NSO Group's Pegasus spyware;

  2. On September 8, the libwebp developers committed a fix for the heap buffer overflow caused by an out-of-bounds write;

  3. On September 11 and 12, Google Chrome, Firefox, and Microsoft Edge released updates in turn; the vulnerability was assigned CVE-2023-4863 for Chrome;

  4. On September 14, the libwebp project released version 1.3.2 containing the buffer overflow fix;

  5. On September 26, CVE-2023-5129 was assigned to libwebp itself.

Exploiting this vulnerability is complex. However, libwebp is the de facto standard parser for the WebP image format and is depended on by a large number of upper-layer applications, so beyond client software it also affects servers, and it reaches any component that wraps or bundles libwebp. Its impact is therefore very wide-ranging.

Basic vulnerability information

Vulnerability number | CVE-2023-5129
Title | libwebp heap buffer overflow vulnerability
Vulnerability type | Improper input validation (CWE-20)
Rating | 10
Vulnerability level | Severe
Disposal recommendation | Patching strongly recommended
Required permissions | None
Exploit conditions | The target application parses a WebP file crafted by the attacker
Scope of impact | [0.5.0, 1.3.2)
POC | Public

Cause of vulnerability

When libwebp decodes a lossless WebP image, it reads Huffman code lengths from the bitstream, builds Huffman lookup tables from them, and uses those tables to decode the original pixel data. The decoder allocates the memory for all first-level (root) tables and second-level tables at once, in advance. But the size the tables actually require is determined by the code-length data read from the image, and that size was not correctly verified against what had been allocated. An attacker who constructs an illegal Huffman table can therefore make the total table size exceed the pre-allocated buffer, and writing the tables overflows the heap allocation.

A POC is already public: after generating a malicious WebP file, the vulnerability can be triggered simply by converting it to a PNG file with dwebp.
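To make the "size depends on the image, allocation does not" problem concrete, the following is an added example written for this article; it is not libwebp's code. It counts how many entries a two-level (root table plus second-level sub-tables) canonical Huffman lookup table needs for a given set of code lengths, the way such table builders do, and then performs the check the decoder was missing: comparing that requirement against a budget fixed before the lengths were read. The code-length sets and the 512-entry budget are constructed for the demo and are not libwebp's actual alphabets or allocation constants.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CODE_LEN 15   /* longest code length used in WebP lossless coding */

/* Extra bits a second-level table needs when it is opened for the code of
 * length `len` being placed; remaining[] holds the codes of each length not
 * yet placed (the current one included). Standard "next table bit size" step
 * of a two-level canonical Huffman table builder. */
static int next_table_bits(const int *remaining, int len, int root_bits) {
    int left = 1 << (len - root_bits);
    while (len < MAX_CODE_LEN) {
        left -= remaining[len];
        if (left <= 0) break;
        ++len;
        left <<= 1;
    }
    return len - root_bits;
}

/* Total lookup-table entries (root table of 1 << root_bits entries plus every
 * second-level table) required by the code lengths, or -1 if the lengths do
 * not describe a complete, non-over-subscribed prefix code. */
int huffman_table_entries(const int *code_lengths, int n, int root_bits) {
    int count[MAX_CODE_LEN + 1] = {0};
    int remaining[MAX_CODE_LEN + 1];
    int used = 0, left = 1, total, next_code = 0, last_prefix = -1, i, len;

    for (i = 0; i < n; ++i) {
        if (code_lengths[i] < 0 || code_lengths[i] > MAX_CODE_LEN) return -1;
        count[code_lengths[i]]++;
        if (code_lengths[i] > 0) used++;
    }
    if (used == 0) return -1;
    if (used == 1) return 1 << root_bits;   /* one-symbol code: root table only */

    /* Kraft check: each code of length len consumes 2^-len of the code space. */
    for (len = 1; len <= MAX_CODE_LEN; ++len) {
        left = (left << 1) - count[len];
        if (left < 0) return -1;            /* over-subscribed */
    }
    if (left != 0) return -1;               /* incomplete */

    memcpy(remaining, count, sizeof(count));
    total = 1 << root_bits;
    for (len = 1; len <= MAX_CODE_LEN; ++len) {
        next_code <<= 1;                    /* canonical codes: consecutive per length */
        for (i = 0; i < count[len]; ++i) {
            int code = next_code + i;
            if (len > root_bits) {
                /* codes sharing one root_bits prefix share one sub-table */
                int prefix = code >> (len - root_bits);
                if (prefix != last_prefix) {
                    total += 1 << next_table_bits(remaining, len, root_bits);
                    last_prefix = prefix;
                }
            }
            remaining[len]--;
        }
        next_code += count[len];
    }
    return total;
}

/* The missing check: does what the image demands fit what was allocated?
 * 1 = fits, 0 = would overflow the allocation, -1 = invalid code. */
int huffman_table_fits(const int *code_lengths, int n, int root_bits, int allocated) {
    int need = huffman_table_entries(code_lengths, n, root_bits);
    if (need < 0) return -1;
    return need <= allocated;
}

/* Constructed code-length sets for the demo (not from any real image):
 * n_a symbols of length len_a followed by n_b symbols of length len_b. */
int g_lens[512];
int make_lengths(int n_a, int len_a, int n_b, int len_b) {
    int i, n = 0;
    if (n_a + n_b > 512) return 0;
    for (i = 0; i < n_a; ++i) g_lens[n++] = len_a;
    for (i = 0; i < n_b; ++i) g_lens[n++] = len_b;
    return n;
}

int main(void) {
    const int root_bits = 8;
    const int allocated = 512;   /* illustrative budget, not libwebp's constant */
    int n = make_lengths(255, 8, 2, 9);   /* nearly flat: one 2-entry sub-table */
    printf("flat: needs %d entries, fits=%d\n",
           huffman_table_entries(g_lens, n, root_bits),
           huffman_table_fits(g_lens, n, root_bits, allocated));
    n = make_lengths(512, 9, 0, 0);       /* every code one bit past the root */
    printf("deep: needs %d entries, fits=%d\n",
           huffman_table_entries(g_lens, n, root_bits),
           huffman_table_fits(g_lens, n, root_bits, allocated));
    return 0;
}
```

The flat set needs 258 entries and fits; the deep set is a perfectly valid, complete code that nonetheless needs 768 entries, so a decoder that sized its buffer at 512 before reading the lengths would write past it. The fix in libwebp 1.3.2 takes the same approach in spirit: compute the required size from the lengths first, and only then allocate (or reject).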


Impact Analysis

WebP is a raster image format developed by Google for web use; its files are smaller than equivalent JPEG, PNG, or GIF files. Google announced the WebP format in September 2010 and released the first stable version of its support library in April 2018.

libwebp is Google's library for encoding and decoding WebP images and the reference implementation of the WebP specification. WebP is natively supported by Google Chrome, Safari, Firefox, Edge, Opera, and many other tools and software libraries, and is used on both the client and the server side.

Client

Because the WebP format is so widely used, the vulnerability can affect any client that processes WebP images, for example:

  • Photoshop's native WebP support and webmproject/WebPShop, the Photoshop plug-in for opening and saving WebP images

  • Various browsers

  • Mobile platform SDKs: Apple's Image I/O framework and Android's ImageDecoder class

  • Applications built on the Qt or Electron frameworks

  • Any other application that supports the WebP format

Typical examples include WeChat, Tencent Meeting, DingTalk, WPS Office, IntelliJ IDEA, and Android Studio.

Server

Typical image- and video-processing software used on the server side, such as FFmpeg, Affinity, and GIMP, is also affected.

ImageMagick gains WebP support when built with the --with-webp=yes configure option, but its maintainers stated that they could not yet determine whether the attack path is reachable through ImageMagick.


Most Linux distributions ship the libwebp component. Security bulletins and patches published so far include:

Ubuntu | https://launchpad.net/ubuntu/+source/libwebp/1.2.4-0.3
Debian | https://www.debian.org/security/2023/dsa-5497-2
Red Hat | https://access.redhat.com/errata/RHSA-2023:5309
Alpine | https://security.alpinelinux.org/vuln/CVE-2023-4863
Gentoo | https://security.gentoo.org/glsa/202309-05
SUSE | https://www.suse.com/security/cve/CVE-2023-4863.html
Oracle | https://linux.oracle.com/cve/CVE-2023-4863.html
Fedora | https://bodhi.fedoraproject.org/updates/FEDORA-2023-c4fa8a204d
Anolis OS | https://anas.openanolis.cn/cves/detail/CVE-2023-4863

C/C++ open source projects that vendor libwebp directly

Murphy Security Lab analyzed popular open source projects on GitHub and found that many of them include the libwebp source directly in their repositories, including at least:

Repository | Stars
https://github.com/electron/electron | 109k
https://github.com/nginx/nginx (not enabled by default) | 19.1k
https://github.com/tanersener/mobile-ffmpeg | 3.7k
https://github.com/WaterfoxCo/Waterfox | 3.1k
https://github.com/mozilla/gecko-dev | 2.9k
https://github.com/ytsaurus/ytsaurus | 1.6k
https://github.com/libgd/libgd | 835
https://github.com/zjupure/GlideWebpDecoder | 695
https://github.com/classilla/tenfourfox | 248
https://github.com/rmottola/Arctic-Fox | 238
https://github.com/papyrussolution/OpenPapyrus | 218

A typical example is the Sumatra PDF project.


Components containing libwebp in other languages

By analyzing the components in the Maven Central repository, we found that the following artifacts bundle the libwebp dynamic library directly:

org.demen.android.opencv:opencv-img
org.lucee:sejda-webp
com.criteo:jvips
io.github.darkxanter:webp-imageio
org.sejda.webp-imageio:webp-imageio-sejda
de.sg-o.lib:opencv
com.facebook.spectrum:spectrum-webp
de.marcreichelt:webp-backport
org.demen.android.opencv:opencv_world
cn.rongcloud.sdk:fu_beautifier
io.github.greycode:ocrlite
org.jetbrains.skiko:skiko-awt-runtime-linux-arm64
org.robolectric:nativeruntime-dist-compat
app.cash.paparazzi:layoutlib-native-linux
com.freeletics.fork.paparazzi:layoutlib-native-linux
org.jetbrains.skiko:skiko-jvm-runtime-linux-arm64
com.github.zjupure:webpdecoder
com.github.gotson:webp-imageio
com.eworkcloud:ework-cloud-starter-image
io.github.zumikua:webploader-desktop
org.sejda.imageio:webp-imageio
science.aist:aistcv
com.computinglaboratory:opencv
org.openpnp:opencv
org.jetbrains.skiko:skiko-jvm-runtime-linux-x64
com.facebook.fresco:webpsupport
com.eworkcloud:starter.ework-cloud-starter-image
io.github.humbleui:skija-linux-x64
io.tiledb:tiledb-cloud-java
app.cash.paparazzi:native-linux
org.demen.android.opencv:opencv
com.github.usefulness:webp-imageio
org.jetbrains.skiko:skiko-awt-runtime-linux-x64
com.aiyaapp.aiya:AyEffectSDK
io.github.humbleui:skija-linux
com.github.nintha:webp-imageio-core

Wrappers exist in other languages as well, for example in Go:

github.com/kolesa-team/go-webp
github.com/tidbyt/go-libwebp
github.com/nickalie/go-webpbin

The cwebp package on npm and the webp package on PyPI both wrap the libwebp command-line binaries.

Investigation suggestions

More upper-layer applications are expected to release patches for the libwebp vulnerability over the coming period. When investigating exposure, pay attention to the following ways libwebp is introduced:

  • For externally supplied clients and binaries, use SCA to check whether they contain a vulnerable libwebp. The exported functions WebPCopyPlane and WebPCopyPixels, introduced in version 0.5.0, can serve as keywords identifying an affected libwebp build; the VP8LHuffmanTablesAllocate function, introduced in version 1.3.2, can serve as one of the keywords identifying a fixed version.

  • A server may be running an upper-layer client application, such as a headless browser; check the process list for these.

  • Code may link libwebp statically or dynamically, whether self-compiled or installed through package managers such as yum or apt, and higher-level languages may wrap the dynamic library. Check system packages, running processes, and build artifacts for libwebp.
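The following is an added example, written for this article rather than taken from any SCA product, of the keyword check described in the first bullet: it scans a binary for the libwebp marker names listed above and reports whether the fix marker is present. The three sample "binaries" are constructed byte strings standing in for symbol tables, not real files. Absence of a marker in a stripped or statically linked binary is not proof of anything, so treat the result as a triage hint and confirm with the package version.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum {
    LIBWEBP_NONE = 0,      /* no libwebp >= 0.5.0 markers found */
    LIBWEBP_PRE_FIX = 1,   /* libwebp markers present, fix marker absent */
    LIBWEBP_HAS_FIX = 2    /* VP8LHuffmanTablesAllocate present (1.3.2 or a backport) */
};

/* Plain byte search; the inputs are binaries, so strstr() would stop at NULs. */
static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle), i;
    for (i = 0; m > 0 && i + m <= n; ++i)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Classify an in-memory image of a binary by the libwebp symbol names it carries. */
int classify_libwebp_blob(const unsigned char *buf, size_t n) {
    if (!contains(buf, n, "WebPCopyPlane") && !contains(buf, n, "WebPCopyPixels"))
        return LIBWEBP_NONE;
    if (contains(buf, n, "VP8LHuffmanTablesAllocate"))
        return LIBWEBP_HAS_FIX;
    return LIBWEBP_PRE_FIX;
}

/* Read a whole file and classify it; returns -1 on I/O error. */
int classify_libwebp_file(const char *path) {
    FILE *f = fopen(path, "rb");
    unsigned char *buf;
    long len;
    int result;
    if (f == NULL) return -1;
    if (fseek(f, 0, SEEK_END) != 0 || (len = ftell(f)) < 0) { fclose(f); return -1; }
    rewind(f);
    buf = malloc((size_t)len + 1);
    if (buf == NULL || fread(buf, 1, (size_t)len, f) != (size_t)len) {
        free(buf);
        fclose(f);
        return -1;
    }
    fclose(f);
    result = classify_libwebp_blob(buf, (size_t)len);
    free(buf);
    return result;
}

/* Constructed stand-ins for the string tables of three binaries (not real files). */
const char kSampleOld[]   = "\0WebPDecode\0WebPCopyPlane\0WebPCopyPixels\0";
const char kSampleFixed[] = "\0WebPDecode\0WebPCopyPlane\0VP8LHuffmanTablesAllocate\0";
const char kSampleOther[] = "\0png_read_info\0jpeg_read_header\0";

int main(int argc, char **argv) {
    static const char *names[] = {"no libwebp markers", "pre-fix libwebp", "fixed libwebp"};
    int i;
    for (i = 1; i < argc; ++i) {
        int r = classify_libwebp_file(argv[i]);
        printf("%s: %s\n", argv[i], r < 0 ? "unreadable" : names[r]);
    }
    return 0;
}
```

Run it as `./scan /path/to/libwebp.so /path/to/app-binary`. The fix marker works because the 1.3.2 fix itself introduced VP8LHuffmanTablesAllocate, so a distribution backport of that commit carries the name too; a binary with both 0.5.0 markers and no fix marker is the case worth escalating.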

Wherever libwebp is used, upgrade it to version 1.3.2 or later and apply the corresponding system package updates.

Reference links

  • https://blog.isosceles.com/the-webp-0day/

  • https://github.com/ImageMagick/ImageMagick/discussions/6650

  • https://github.com/mistymntncop/CVE-2023-4863

Murphy Security Enterprise Edition zero-day vulnerability and poisoning intelligence

Murphy Security's enterprise-level zero-day vulnerability and poisoning intelligence is built around completeness, accuracy, speed, and precision. It gives customers faster updates, more detailed analysis, and verified intelligence covering the whole network, and it also delivers a large volume of exclusive intelligence. Customers can use it for emergency response, testing software composition analysis products, and other scenarios. The product already serves dozens of enterprise customers such as Ant and Meituan. Companies can apply for a trial in the following ways:

1. Scan the QR code on WeChat to apply:


2. Visit the application link:

https://murphysec.feishu.cn/share/base/form/shrcnUf2LcR1HuMkKab7yathocf

[About Murphy Security]

Murphy Security is a technology company focused on software supply chain security products. The core team members come from Baidu, Huawei, and Beike, with more than ten years of experience in enterprise security engineering and offensive and defensive security. It currently serves dozens of enterprise customers such as Ant, Xiaomi, Kuaishou, Meituan, Bank of China, China Mobile, and China Telecom.

[About Murphy Security Lab]

Murphy Security Lab is the security research team of Murphy Future Technology. It focuses on technical research related to software supply chain security, including open source software security, program analysis, threat intelligence analysis, and enterprise security governance.