The Apple Security Engineering and Architecture Research (SEAR) team disclosed a vulnerability in the WebP image library that Citizen Lab discovered being actively exploited in the wild by NSO Group. Since this is a core library, the impact ranges from iOS to Google Chrome.
Within iOS 14, Apple added the BlastDoor service, a tight sandbox that processes untrusted data arriving over iMessage. This exploit bypassed the sandbox by delivering the image inside a PassKit attachment instead of as a regular image. Bypass the sandbox by not using it! Fascinating.
Huffman tables map bit patterns to byte values, and the tables themselves are stored inside the image. The vulnerability is located in the conversion from the table as stored in the image to the library's internal representation.
Simply put: the vulnerability is a heap overflow of a statically sized buffer. Hitting it is fairly complicated. Each of the 5 tables is validated individually, and the first 4 tables must be full to the brim. The 5th table can then have too many nodes, leading to a 400 byte buffer overflow.
The interesting part: the validation is done after the memory corruption occurs. So the overflow happens first, and only then is the node-limit validation hit. You don't see corruption-then-validation very often! It's fascinating to see it occur here.
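To make the table-building and ordering problem from the two paragraphs above concrete, here is an added example in C. It is a simplified model written for this page, not libwebp's code: a prefix code with maximum length MAX_LEN needs exactly 1 << MAX_LEN lookup slots, a symbol of length len occupies 1 << (MAX_LEN - len) of them, a "full" code fills the table exactly, and an over-subscribed set of code lengths asks for more slots than the fixed buffer has. The first builder writes and only validates the total afterwards (the pattern the post describes); writes that would land past the buffer are counted in a `spilled` field instead of corrupting memory, so the example runs safely. The second builder computes the required slot count before touching the table and rejects bad input up front. The slot layout (sequential fill) and the sample code lengths are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not libwebp: a 4-bit lookup table with 16 slots. */
#define MAX_LEN 4
#define TABLE_SLOTS ((size_t)1 << MAX_LEN)

typedef struct {
    uint8_t symbol;
    uint8_t len;
} Entry;

typedef struct {
    Entry slots[TABLE_SLOTS];   /* the fixed-size buffer */
    size_t spilled;             /* writes the unsafe builder tried past the end */
} Table;

/* Vulnerable ordering: fill first, check the node count afterwards.
 * Returns 0 on success, -1 when the late validation rejects the table.
 * In the real bug the spilled writes would already have hit the heap. */
int build_table_write_then_check(Table *t, const uint8_t *lens, size_t n)
{
    size_t next = 0;
    memset(t, 0, sizeof *t);
    for (size_t s = 0; s < n; s++) {
        if (lens[s] == 0) continue;              /* unused symbol */
        if (lens[s] > MAX_LEN) return -1;
        size_t span = (size_t)1 << (MAX_LEN - lens[s]);
        for (size_t k = 0; k < span; k++, next++) {
            if (next < TABLE_SLOTS) {
                t->slots[next].symbol = (uint8_t)s;
                t->slots[next].len = lens[s];
            } else {
                t->spilled++;                    /* modelled overflow */
            }
        }
    }
    return next == TABLE_SLOTS ? 0 : -1;         /* validation after the damage */
}

/* Hardened ordering: count the slots the code needs before any write,
 * rejecting over-subscribed (too many nodes) and incomplete codes. */
int build_table_check_then_write(Table *t, const uint8_t *lens, size_t n)
{
    size_t needed = 0;
    for (size_t s = 0; s < n; s++) {
        if (lens[s] > MAX_LEN) return -1;
        if (lens[s]) needed += (size_t)1 << (MAX_LEN - lens[s]);
        if (needed > TABLE_SLOTS) return -1;     /* bail before touching memory */
    }
    if (needed != TABLE_SLOTS) return -1;        /* not "full to the brim" */

    memset(t, 0, sizeof *t);
    size_t next = 0;
    for (size_t s = 0; s < n; s++) {
        if (lens[s] == 0) continue;
        size_t span = (size_t)1 << (MAX_LEN - lens[s]);
        for (size_t k = 0; k < span; k++, next++) {
            t->slots[next].symbol = (uint8_t)s;  /* next < TABLE_SLOTS is now guaranteed */
            t->slots[next].len = lens[s];
        }
    }
    return 0;
}

int main(void)
{
    Table t;
    const uint8_t full_code[] = {1, 2, 3, 4, 4};   /* 8+4+2+1+1 = 16 slots: full */
    const uint8_t over_code[] = {1, 1, 2};         /* 8+8+4 = 20 slots: 4 too many */

    int r = build_table_write_then_check(&t, over_code, 3);
    printf("write-then-check: rc=%d, slots spilled before rejection=%zu\n", r, t.spilled);

    r = build_table_check_then_write(&t, over_code, 3);
    printf("check-then-write: rc=%d (rejected with no writes)\n", r);

    r = build_table_check_then_write(&t, full_code, 5);
    printf("check-then-write on full code: rc=%d\n", r);
    return 0;
}
```

The point the model makes is that both builders end up rejecting the over-subscribed table, so from the outside the late check looks sufficient; the difference is only visible in how many out-of-bounds writes happened before the rejection, which is exactly why this class of bug survives review of the validation logic alone.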
The author of this post did not try to exploit this. Exploitation would have been difficult, since the program exits on the bad table. However, it appears NSO Group found a way to exploit it.
Google did not have a fuzzer set up for the WebP library. However, the author does not believe fuzzing would have caught this, given the complexity of the Huffman tables: a single wrong bit causes an early exit. Code review and fuzzing tend to find different bugs.