PoC released for Chrome zero-day CVE-2023-4863 vulnerability

The technical detail and proof-of-concept (PoC) exploit code has been published for a Chrome zero-day vulnerability tracked as CVE-2023-4863 which allows remote attackers to execute code.

The security received a high-severity score of 8.8. It can be exploited if the target user visits a specially crafted Web site, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

Researcher Ben Hawkes released a technical analysis of the CVE-2023-4863 vulnerability and researcher mistymntncop released a proof-of-concept (PoC) exploit on Thursday.

The recent discovery surrounding the WebP image format is a classic illustration. For the unfamiliar, a vulnerability was found in the “lossless compression” support for WebP, known as VP8L. Let’s unwrap the mystery behind CVE-2023-4863.

The heart of this vulnerability resides in Huffman coding, an algorithm that WebP uses to achieve lossless image compression. In an ideal world, this process would be flawless. However, the vulnerability emerged from an overflow in the Huffman table when decoding an image.

To understand the bug’s depth, imagine a scenario where the Huffman table is akin to a bucket meant to hold a certain amount of water. If we pour water without checking, it can overflow and create problems.

Upon the discovery, a patch titled ‘Fix OOB write in BuildHuffmanTable’ was promptly initiated. It looked promising on the surface. The newer version introduced a ‘safety check’ which ensured that the Huffman table would not overflow. It first gauged the size required and then allocated space accordingly. This seemed like a sure-shot remedy, but as any seasoned tech aficionado knows, the devil’s in the details.

When a WebP image undergoes lossless compression, the pixels are analyzed for frequency. The compressed image has to carry statistical data about these frequencies. Internally, WebP utilizes a table (the “huffman_table”) for this task. Ironically, even these tables are compressed using Huffman coding. One could say it’s a ‘Huffmanception.’

The real challenge emerges when trying to overflow the ‘huffman_tables’ allocation in the WebP code. This requires a meticulous understanding and tweaking of the Huffman table segments. The aim was to maneuver the table’s data in such a way that it overflows the buffer.

An attempt was made to brute-force a solution. The goal was to find a combination that would cause the Huffman table to overflow. After multiple efforts, it seemed like a dead-end, almost like trying to fit a square peg into a round hole.

However, every challenge breeds innovation. The solution emerged when the idea was to build four valid Huffman trees that occupied maximum space and then use an invalid Huffman tree for the final slot. This could make the function write out-of-bounds, leading to the coveted overflow.

The discovery was quite the revelation. Many such inputs could cause the overflow, and the control over the overflow seemed exploitable. The final invalid input that caused this was an unbalanced tree, a structure a valid tree would not generally produce.

In hindsight, the patch works in an interesting manner. Contrary to initial thoughts, it wasn’t increasing the buffer size to accommodate overflow. Instead, it simply rejected the inputs that would cause an overflow. It’s much like putting a “No Entry” sign on a weak bridge rather than reinforcing the bridge. Although it’s hard to completely ascertain, it seems like the patch should suffice, at least for now.

Chrome users are advised to upgrade their web browser to version 116.0.5845.187 (Mac and Linux) and 116.0.5845.187/.188 (Windows) as soon as possible, as it patches the CVE-2023-4863 vulnerability on Windows, Mac, and Linux systems.