Full Report
The Apple Security Engineering and Architecture Research (SEAR) team disclosed a vulnerability in the WebP image library that was being actively exploited in the wild by NSO Group, as discovered by Citizen Lab. Because the flaw is in a core library, its impact ranges from iOS to Google Chrome. In iOS 14, Apple added the BlastDoor service, a tight sandbox that processes untrusted data arriving in iMessages. This exploit bypassed the sandbox by delivering the image inside a PassKit attachment instead of as a regular image: bypass the sandbox by not using it! Fascinating.

Huffman tables map bit patterns to bytes, and the tables themselves are stored in the image. The vulnerability lies in converting the table stored in the image into an internal representation. Simply put: the vulnerability is a heap overflow of a statically sized buffer. Hitting it is fairly complicated. Each of the 5 tables is validated individually. The first 4 tables must be full to the brim; then the 5th table can have too many nodes, leading to a 400-byte buffer overflow. The interesting part is that the validation is done after the memory corruption occurs: the overflow happens first, and only then is the node-limit check hit. You don't see corruption followed by validation very often! It's fascinating to see it occur here.

The author of the post did not try to exploit the bug. Exploitation would have been difficult, since the program exits once the bad table fails validation; however, NSO Group evidently found a way. Google did not have a fuzzer set up for the webp library. Even so, the author does not believe fuzzing would have caught this, given the complexity of the Huffman tables: a single wrong bit would have caused an early exit. Code review and fuzzing tend to find different bugs.
Analysis Summary
# Vulnerability: Heap Buffer Overflow in WebP Image Decoding (CVE-2023-4863)
## CVE Details
- CVE ID: CVE-2023-4863
- CVSS Score: *Score not explicitly provided in the text, but classified as actively exploited in the wild.*
- CWE: Heap buffer overflow (Implied)
## Affected Systems
- Products: WebP image library (part of lossless compression support, VP8L), Google Chrome, iOS (via ImageIO processing untrusted data/PassKit attachments).
- Versions: Versions of `libwebp` prior to the patch referenced by Chromium commit `902bc9190331343b2017211debcec8d2ab87e17a`. Specific affected application versions are implied by the patching timeline (e.g., Chrome stable update released early September 2023).
- Configurations: Processing untrusted WebP image data, particularly when used within PassKit attachments in iMessage contexts (leading to BlastDoor sandbox bypass).
## Vulnerability Description
The vulnerability is a heap buffer overflow located during the decoding of WebP images utilizing lossless compression (VP8L), specifically within the process of constructing Huffman tables. The flaw occurs because the validation logic checks for excessive nodes after memory corruption takes place. The vulnerability is triggered when processing the fifth Huffman table: the first four tables must be filled completely, allowing the fifth table to contain too many nodes, resulting in a **400-byte buffer overflow**. The unusual aspect is that the size validation happens *after* the memory corruption has occurred.
## Exploitation
- Status: **Exploited in the wild** (Attributed to NSO Group's BLASTPASS attacks against iOS devices).
- Complexity: **High/Difficult** (Triggering the flaw requires carefully constructed Huffman tables, and because the decoder exits as soon as the oversized table fails validation, which happens immediately after the overflow, turning the corruption into a working exploit is difficult).
- Attack Vector: **Network/Adjacent** (Can be delivered via iMessage as a malicious PassKit attachment, bypassing the BlastDoor sandbox).
## Impact
- Confidentiality: High (Exploitation linked to Pegasus spyware deployment).
- Integrity: High (Arbitrary code execution possible from heap overflow).
- Availability: Medium to High (Potential for denial of service or system compromise).
## Remediation
### Patches
- **libwebp**: Patch implemented to correctly calculate the required output table size before construction, addressing the heap overflow. (Referenced Chromium commit: `902bc9190331343b2017211debcec8d2ab87e17a`).
- **Google Chrome**: Stable update released early September 2023 addressing CVE-2023-4863.
- **Apple iOS/macOS**: Patches released around September 7 addressing related vulnerabilities (CVE-2023-41061, CVE-2023-41064), which likely included remediation for the WebP flaw in ImageIO's processing of untrusted images.
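As an added illustration of the size-before-build ordering the libwebp patch adopts (this is example code written for this summary, not libwebp's own implementation), the following C model computes how many two-level lookup entries a canonical Huffman code needs from its code-length histogram alone, rejects over-subscribed and incomplete codes, and exposes a check that compares that number with a fixed-capacity buffer before anything is written. The constants, function names and the sample histogram are assumptions of this example; 127 codes of length 7 plus 4 of length 9 need 260 entries with an 8-bit root table, so a 258-entry buffer is rejected instead of overrun.

```c
#include <stdio.h>
#define MAX_ROOT_BITS 8   /* root lookup width; 8 is a common two-level decoder choice */
#define MAX_CODE_LEN  15  /* longest code length this model accepts */

/* Entries a canonical two-level Huffman decode table needs, computed from the
 * code-length histogram alone: count[len] = symbols of length len, 1..max_len.
 * Returns the count, or -1 if the lengths are not a complete prefix code or a
 * parameter is out of range. Nothing is written: compare the result with the
 * destination buffer BEFORE building, not after. */
int huff_table_size(const int *count, int max_len, int root_bits) {
    int maxlen_of_prefix[1 << MAX_ROOT_BITS] = {0}; /* longest code under each root prefix */
    int open = 1;   /* unused slots at the current depth (Kraft bookkeeping) */
    int code = 0;   /* first canonical code of the current length */
    int len, p, total;
    if (root_bits < 1 || root_bits > MAX_ROOT_BITS || max_len < 1 || max_len > MAX_CODE_LEN)
        return -1;
    for (len = 1; len <= max_len; ++len) {
        open = open * 2 - count[len];
        if (open < 0) return -1;   /* over-subscribed: not a prefix code */
        if (len > root_bits && count[len] > 0) {
            /* canonical codes of one length are consecutive, so their root prefixes form a range */
            int first = code >> (len - root_bits);
            int last = (code + count[len] - 1) >> (len - root_bits);
            for (p = first; p <= last; ++p)
                maxlen_of_prefix[p] = len;   /* lengths only grow, so this is the maximum */
        }
        code = (code + count[len]) << 1;   /* canonical code assignment */
    }
    if (open != 0) return -1;      /* incomplete code: rejected by this model */
    total = 1 << root_bits;        /* the root table itself */
    for (p = 0; p < (1 << root_bits); ++p)   /* plus one second-level table per used prefix */
        if (maxlen_of_prefix[p] > 0)
            total += 1 << (maxlen_of_prefix[p] - root_bits);
    return total;
}

/* Size-before-build check: 1 if the table fits a buffer of `capacity` entries, else 0. */
int huff_table_fits(const int *count, int max_len, int root_bits, int capacity) {
    int need = huff_table_size(count, max_len, root_bits);
    return need >= 0 && need <= capacity;
}

int main(void) {
    /* constructed histogram: 127 codes of length 7 plus 4 of length 9 (a complete code) */
    int count[MAX_CODE_LEN + 1] = {0};
    count[7] = 127; count[9] = 4;
    printf("entries needed: %d, fits in 258 entries: %d\n",
           huff_table_size(count, 9, 8), huff_table_fits(count, 9, 8, 258));
    return 0;
}
```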
### Workarounds
- The article does not specify official vendor workarounds; defense relies on timely patching. Tighter sandboxing of image parsers is suggested as a future mitigation.
## Detection
- **Indicators of Compromise (IoCs):** No specific indicators are given in the text; any would come from artifacts left by the BLASTPASS exploit chain in iMessage/PassKit processing.
- **Detection Methods and Tools:** Detection would rely on identifying attempts to process malformed WebP files or monitoring process memory for heap corruption in image parsing utilities (like ImageIO or browser rendering engines). The text suggests fuzzing is less effective for this type of complex parser bug, emphasizing the need for proactive code review.
## References
- Vendor Advisory (Google): Stable Channel Update for Desktop (Mentioned September 2023 update).
- Vendor Advisory (Apple): Security Bulletin noting active exploitation for related CVEs (September 7).
- Related Writeup: Citizen Lab's analysis of the BLASTPASS attack (defanged: hxxps://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/)