December 10, 2023

Proof-of-concept (PoC) exploit code has been published for CVE-2023-4863, a Chrome zero-day vulnerability that allows remote attackers to execute code.

The vulnerability can be exploited if the target user visits a specially crafted website: a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

Researcher Ben Hawkes released an analysis of the CVE-2023-4863 vulnerability, and researcher mistymntncop released a PoC. The heart of this vulnerability lies in Huffman coding, an algorithm that WebP uses to achieve lossless image compression. In an ideal world, this process would be flawless. However, the vulnerability emerged from an overflow of the Huffman table while decoding an image.

Upon discovery, a patch titled ‘Fix OOB write in BuildHuffmanTable’ was promptly issued. The newer version introduced a ‘safety check’ to ensure that the Huffman table could not overflow: it first gauges the size required and only then allocates space accordingly. This seemed like a sure-shot remedy, but as any seasoned tech aficionado knows, the devil is in the details.

When a WebP image undergoes lossless compression, the pixels are analyzed for frequency, and the compressed image must carry statistical data about these frequencies. Internally, WebP stores that data in a table. Ironically, even these tables are compressed using Huffman coding. One could say it’s a ‘Huffmanception.’

The real challenge emerges when trying to overflow the ‘huffman_tables’ allocation in the WebP code. This requires a meticulous understanding and tweaking of the Huffman table segments, with the aim of maneuvering the table’s data so that it overflows the buffer.

An attempt was made to brute-force a solution. The goal was to find a combination that would cause the Huffman table to overflow. After multiple efforts, it seemed like a dead-end, almost like trying to fit a square peg into a round hole.

The solution emerged from the idea of building four valid Huffman trees that occupied the maximum space and then using an invalid Huffman tree for the final slot. This could make the function write out of bounds, leading to the coveted overflow. Many such inputs could cause the overflow, and the control over the overflow seemed exploitable. The final invalid input that caused it was an unbalanced tree, a structure a valid tree would not generally produce.


In hindsight, the patch works in an interesting manner. Contrary to initial thoughts, it does not increase the buffer size to accommodate the overflow. Instead, it simply rejects the inputs that would cause one. It’s much like putting a “No Entry” sign on a weak bridge rather than reinforcing the bridge. Although it’s hard to completely ascertain, it seems like the patch should suffice, at least for now.
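To make the “gauge the size, then reject bad inputs” idea concrete, here is an added example in Python. It is not libwebp’s code and the function names are hypothetical: it builds a flat canonical Huffman decode table from a list of code lengths, but before allocating anything it counts how many table slots the lengths would fill. A complete tree fills the table exactly; an unbalanced (incomplete) tree leaves slots empty; an over-subscribed tree would need more slots than exist, which is the pattern a naive builder would turn into an out-of-bounds write. The 15-bit cap and MSB-first canonical ordering are assumptions for this example, not a statement about WebP’s bit order.

```python
"""Build a canonical Huffman decode table only after checking the code lengths.

Added example, not libwebp's BuildHuffmanTable. All names are hypothetical.
"""
from typing import Dict, List, Optional, Tuple

MAX_CODE_LENGTH = 15  # assumption: code lengths are capped at 15 bits


def required_entries(code_lengths: List[int], table_bits: int) -> int:
    """Count the flat-table slots that a set of code lengths will fill.

    A code of length L occupies 2**(table_bits - L) slots in a table indexed
    by table_bits bits. The sum is the Kraft inequality scaled by 2**table_bits:
    equal to 2**table_bits means a complete tree, smaller means an incomplete
    (unbalanced) tree, larger means an over-subscribed, undecodable tree.
    """
    if table_bits > MAX_CODE_LENGTH:
        raise ValueError(f"table of {table_bits} bits exceeds the {MAX_CODE_LENGTH}-bit cap")
    total = 0
    for length in code_lengths:
        if length < 0 or length > table_bits:
            raise ValueError(f"code length {length} outside 0..{table_bits}")
        if length > 0:
            total += 1 << (table_bits - length)
    return total


def check_code_lengths(code_lengths: List[int], table_bits: int) -> Tuple[bool, str]:
    """The 'No Entry' sign: decide whether the lengths are safe to build from."""
    used = sum(1 for length in code_lengths if length > 0)
    if used == 0:
        return False, "no symbols"
    if used == 1:
        return True, "single-symbol code"
    need = required_entries(code_lengths, table_bits)
    full = 1 << table_bits
    if need > full:
        return False, f"over-subscribed: needs {need} slots, table has {full}"
    if need < full:
        return False, f"incomplete tree: fills {need} of {full} slots"
    return True, "complete prefix code"


def canonical_codes(code_lengths: List[int]) -> Dict[int, int]:
    """Assign canonical MSB-first codes: shorter codes first, ties by symbol."""
    max_len = max(code_lengths)
    bl_count = [0] * (max_len + 1)
    for length in code_lengths:
        if length > 0:
            bl_count[length] += 1
    next_code = [0] * (max_len + 1)
    code = 0
    for bits in range(1, max_len + 1):
        code = (code + bl_count[bits - 1]) << 1
        next_code[bits] = code
    codes: Dict[int, int] = {}
    for sym, length in enumerate(code_lengths):
        if length > 0:
            codes[sym] = next_code[length]
            next_code[length] += 1
    return codes


def build_decode_table(code_lengths: List[int]) -> Optional[List[Tuple[int, int]]]:
    """Return a flat table (index = max_len bits) of (symbol, length), or None if rejected."""
    table_bits = max(code_lengths)
    ok, _reason = check_code_lengths(code_lengths, table_bits)
    if not ok:
        return None  # reject the input instead of growing the buffer
    if sum(1 for length in code_lengths if length > 0) == 1:
        sym = next(i for i, length in enumerate(code_lengths) if length > 0)
        return [(sym, 0)]  # one symbol, zero-bit code
    table: List[Tuple[int, int]] = [(-1, 0)] * (1 << table_bits)
    for sym, code in canonical_codes(code_lengths).items():
        length = code_lengths[sym]
        base = code << (table_bits - length)
        for i in range(1 << (table_bits - length)):
            table[base + i] = (sym, length)  # never out of range: check passed
    return table


def decode(table: List[Tuple[int, int]], bits: str) -> List[int]:
    """Decode an MSB-first bit string (constructed input) with a multi-symbol table."""
    table_bits = (len(table) - 1).bit_length()
    if table_bits == 0:
        raise ValueError("zero-bit codes carry no bits to decode")
    out: List[int] = []
    pos = 0
    while pos < len(bits):
        window = bits[pos:pos + table_bits].ljust(table_bits, "0")
        sym, length = table[int(window, 2)]
        if sym < 0:
            raise ValueError("unfilled table entry")
        out.append(sym)
        pos += length
    return out


if __name__ == "__main__":
    # Constructed inputs: one complete tree, one unbalanced, one over-subscribed.
    print(check_code_lengths([2, 1, 3, 3], 3))  # complete prefix code
    print(check_code_lengths([1, 2, 0, 0], 2))  # incomplete tree, rejected
    print(check_code_lengths([1, 1, 1], 1))     # over-subscribed, rejected
    print(decode(build_decode_table([2, 1, 3, 3]), "0101101110"))
```

The check runs entirely on the code lengths, so the cost of rejecting a malicious table is paid before any table memory is touched. Note that the example only keeps the builder from writing past its own allocation; a decoder that embeds this check still needs to make sure the caller treats `None` as a hard failure rather than continuing with a partially built table.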

Chrome users are advised to upgrade their web browser to version 116.0.5845.187 (Mac and Linux) and 116.0.5845.187/.188 (Windows) as soon as possible, as it patches the CVE-2023-4863 vulnerability on Windows, Mac, and Linux systems.
