Full Report
Parser bugs can be really bad, given how widespread parsers are. The article hands out a few awards: most impactful, best parser differential, hardest to fix and weirdest machine.

For most impactful, it was the WebP bug. The Huffman compression code was absolutely everywhere. The runner up was a set of bugs in H.264 file-format parsing.

For hardest to fix, it was the Binarly post. Since they deal with low-level firmware, fixing it is non-trivial. It was a memory safety issue in image parsing (of course). Personally, I found BatBadBut cooler, as a parsing command-injection bug. Bash and C tokenize arguments for invoked programs the same way. However, Windows batch (`.bat`) files do something entirely different, which most languages, including Rust and Java, didn't account for. In Windows, backslashes are NOT an escape for quotes; the caret is. So the normal escaping didn't work.

The winner for best parser differential was a GitLab parsing issue related to YAML processing in Ruby vs. Go. The runner up was a request-smuggling vulnerability in Node.js and several other servers via differences in the interpretation of a carriage return within optional whitespace.

The winner for weirdest machine was NSO Group's exploitation of a parser bug to build their own architecture inside a PDF parser, as researched by Project Zero. Probably the craziest blog post I've ever read.

I appreciate the author grouping these all together! I hadn't read all of these, so it was good for me to get through them.
Analysis Summary
The provided article highlights several critical parser-related vulnerabilities. Below is a summary of the most impactful finding identified by the author.
# Vulnerability: Heap Buffer Overflow in WebP (Lossless Compression)
## CVE Details
- **CVE ID:** CVE-2023-4863
- **CVSS Score:** 8.8 (High)
- **CWE:** CWE-122 (Heap-based Buffer Overflow)
## Affected Systems
- **Products:** Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, Tor Browser, and a vast array of Linux distributions and software libraries using `libwebp`.
- **Versions:** All versions prior to:
  - Google Chrome: 116.0.5845.187 (Mac/Linux), 116.0.5845.187/.188 (Windows)
  - libwebp: 1.3.2
- **Configurations:** Systems processing untrusted WebP images, particularly those utilizing lossless compression with Huffman coding.
## Vulnerability Description
The flaw exists within the Huffman coding table allocation logic of the `libwebp` library. When parsing a maliciously crafted WebP lossless image, the parser fails to properly validate the input, leading to an out-of-bounds memory write. Specifically, a crafted image can define Huffman code lengths whose lookup table is larger than the buffer the library allocates on the heap, so building the table writes past the end of that buffer and allows an attacker to overwrite adjacent memory with controlled data.
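As an added example (not libwebp's code and not from the article), the defensive pattern in Python: validate the code lengths and derive the exact two-level lookup-table size from them before allocating, which is the approach the 1.3.2 fix takes instead of relying on a precomputed upper bound. `root_bits=8` mirrors libwebp's root table width; the `budget` value and the sample code lengths in the test are constructed.

```python
# Added example, not libwebp code: size a two-level Huffman lookup table from
# the code lengths actually present in the bitstream, then allocate exactly that.
MAX_CODE_LENGTH = 15  # libwebp's maximum allowed code length


def canonical_codes(code_lengths):
    """Return [(symbol, length, code)] for non-zero lengths (RFC 1951 style),
    or None if the lengths are not a valid complete prefix code. A single
    symbol is the one accepted incomplete code, as in libwebp."""
    if any(l < 0 or l > MAX_CODE_LENGTH for l in code_lengths):
        return None
    used = [l for l in code_lengths if l]
    if not used:
        return None
    # Kraft check: a complete code fills the whole 2**MAX_CODE_LENGTH space.
    kraft = sum(1 << (MAX_CODE_LENGTH - l) for l in used)
    if kraft != (1 << MAX_CODE_LENGTH) and len(used) != 1:
        return None  # over-subscribed or incomplete: reject, do not guess
    count = [0] * (MAX_CODE_LENGTH + 1)
    for l in used:
        count[l] += 1
    next_code, code = [0] * (MAX_CODE_LENGTH + 1), 0
    for l in range(1, MAX_CODE_LENGTH + 1):
        code = (code + count[l - 1]) << 1
        next_code[l] = code
    out = []
    for sym, l in enumerate(code_lengths):
        if l:
            out.append((sym, l, next_code[l]))
            next_code[l] += 1
    return out


def huffman_table_size(code_lengths, root_bits=8):
    """Entries needed: the root table plus one sub-table per root prefix that
    owns codes longer than root_bits, sized for the longest such code."""
    codes = canonical_codes(code_lengths)
    if codes is None:
        return None
    if len(codes) == 1:  # single symbol: replicated across the root table only
        return 1 << root_bits
    sub_bits = {}
    for _sym, length, code in codes:
        if length > root_bits:
            prefix = code >> (length - root_bits)
            sub_bits[prefix] = max(sub_bits.get(prefix, 0), length - root_bits)
    return (1 << root_bits) + sum(1 << b for b in sub_bits.values())


def allocate_table(code_lengths, root_bits=8, budget=None):
    """Hardened allocation: compute the exact size first, then allocate.
    'budget' (constructed) stands in for any fixed upper bound a decoder wants
    to enforce; an undersized buffer is impossible because size comes first."""
    size = huffman_table_size(code_lengths, root_bits)
    if size is None:
        raise ValueError("invalid Huffman code lengths")
    if budget is not None and size > budget:
        raise ValueError(f"table needs {size} entries, budget is {budget}")
    return [None] * size
```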
## Exploitation
- **Status:** **Exploited in the wild** as a 0-day.
- **Complexity:** Medium (Requires crafting a specific Huffman table structure).
- **Attack Vector:** Network (Remote via browser or application processing an image).
## Impact
- **Confidentiality:** High (Potential for memory disclosure or code execution).
- **Integrity:** High (Memory corruption can lead to arbitrary code execution).
- **Availability:** High (Can lead to application crashes or system instability).
## Remediation
### Patches
- **libwebp:** Update to version 1.3.2 or later.
- **Web Browsers:** Update to the latest available versions (Chrome 116.0.5845.187+, Firefox 117.0.1+, etc.).
- **OS Distributions:** Apply security updates for `libwebp`, `imagemagick`, and related packages provided by upstream vendors (Debian, Ubuntu, Red Hat, etc.).
### Workarounds
- Disable WebP image rendering in browser configurations if updates cannot be applied immediately (not recommended for long-term use).
- Use content security policies or firewalls to block the download of `.webp` files from untrusted sources.
## Detection
- **Indicators of Compromise:** Unusual crashes in browser processes (`renderer` process) when visiting specific websites or viewing image previews.
- **Tools:** Use vulnerability scanners (e.g., Nessus, Qualys, or Snyk) to identify outdated versions of `libwebp` within the environment.
## References
- **Vendor Advisory:** hxxps://chromereleases[.]googleblog[.]com/2023/09/stable-channel-update-for-desktop_11.html
- **Technical Analysis:** hxxps://blog[.]isosceles[.]com/the-webp-0day/
- **NVD Detail:** hxxps://nvd[.]nist[.]gov/vuln/detail/CVE-2023-4863
- **LangSec Discussion:** hxxps://www[.]openwall[.]com/lists/oss-security/2023/09/21/4
***
# Additional parser bug highlights from the article
| Name | Identifiers | Context |
| :--- | :--- | :--- |
| **BatBadBut** | CVE-2024-24576 | Command injection in Rust/Windows due to improper `.bat`/`.cmd` escaping logic. |
| **LogoFAIL** | Various | Memory safety issues in low-level firmware UEFI image parsers during boot. |
| **GitLab YAML Diff** | N/A | Logic flaw where Ruby and Go parsers interpret devfile YAML differently, leading to bypasses. |
| **NSO "FORCEDENTRY"** | CVE-2021-30860 | Weird Machine: Exploiting CoreGraphics PDF parser to build a logic-gate architecture within memory. |
| **OpenSSL Loop** | CVE-2022-0778 | Non-terminating parsing in `BN_mod_sqrt()` causing infinite loops (DoS). |