Citizenlab discovered BLASTPASS, a 0day being actively exploited in the image format WebP. Known as CVE-2023-4863 and CVE-2023-41064, an issue in webp's build huffman table function can lead to a heap buffer overflow. This vulnerability is very interesting and I'm excited to share with you what I learned.
Want to learn hacking? Signup to hextree.io (ad)
Buy my shitty font: shop.liveoverflow.com/ (ad)
WebP Fix Commit: chromium.googlesource.com/web...
Citizenlab: citizenlab.ca/2023/09/blastpa...
Ben Hawkes: blog.isosceles.com/the-webp-0...
Software Updates
Apple support.apple.com/en-gb/106361
Chrome chromereleases.googleblog.com...
Firefox www.mozilla.org/en-US/securit...
Android www.mozilla.org/en-US/securit...
Whose CVE is it Anyway? adamcaudill.com/2023/09/14/wh...
References:
2014 bug introduction github.com/webmproject/libweb...
• How Computers Compress...
• Huffman Codes: An Info...
• How PNG Works: Comprom...
• Huffman coding step-by...
stackoverflow.com/questions/1...
web.archive.org/web/202302042...
enough.c github.com/madler/zlib/blob/d...
Thanks to:
/ mistymntncop
/ benhawkes
Chapters:
00:00 - Intro to CVE-2023-4863
01:32 - Most Valuable Vulnerability?
03:02 - Heap Overflow Related to Huffman Trees
03:58 - Learning about Huffman Codes
06:24 - What are Huffman Tables?
10:24 - Hardcoded Table Sizes (enough.c)
12:21 - Code Walkthrough - BuildHuffmanTable()
13:04 - The code_lengths[] and count[] Arrays
15:14 - Difference Between Compression and Decompression!
17:04 - Outro
=[ ❤️ Support ]=
→ per Video: / liveoverflow
→ per Month: / @liveoverflow
2nd Channel: / liveunderflow
=[ 🐕 Social ]=
→ Twitter: / liveoverflow
→ Streaming: twitch.tvLiveOverflow/
→ TikTok: / liveoverflow_
→ Instagram: / liveoverflow
→ Blog: liveoverflow.com/
→ Subreddit: / liveoverflow
→ Facebook: / liveoverflow
Негізгі бет A Vulnerability to Hack The World - CVE-2023-4863
Пікірлер: 220