Introduction
On the 7th of September, Citizen Lab announced the discovery of a new iOS zero-day vulnerability that was being actively exploited in the wild. The vulnerability was triggered through a PassKit attachment (CVE-2023-42916 and CVE-2023-42917), a type of ticket that can be added to the iPhone Wallet. The victim would receive an iMessage, and when iOS parsed the PassKit attachment, the device was compromised. Citizen Lab reported its findings to Apple immediately; a press release was issued the same day, followed by an iOS update that addressed the vulnerability.
The Scope of the Vulnerability
The vulnerability discovered by Citizen Lab affected both iOS and Chromium, two of the most widely deployed code bases, so it had the potential to impact a large share of users worldwide. The impact was not limited to iOS and Chromium, however: it was later revealed that Firefox and any other software supporting the webp image format were affected too. Many applications, including web servers, use the official webp library, which is where the vulnerability was found. Given its broad reach and potential for exploitation, this was clearly a highly valuable vulnerability.
The Significance of the Vulnerability
The discovery of this zero-day vulnerability was particularly significant for several reasons. First, the vulnerability had been present in the source code since 2014, so it had gone unnoticed for a significant period of time. This raised questions about the effectiveness of code review and security practices within the development community.
Additionally, despite being such a critical vulnerability with widespread implications, no full exploit had been observed at the time of discovery; only proof-of-concept .webp files that trigger the overflow had been identified. This raised further questions about why such a valuable vulnerability had not been fully exploited, and whether other factors limited its exploitation potential.
Given the significance of this vulnerability, it is important to understand its underlying cause and the implications it holds for security practices and vulnerability management in the future.
The Cause of the Overflow
To understand the cause of the overflow, it is essential to have some knowledge of computer science algorithms and data structures, particularly Huffman coding. Huffman coding is a lossless compression algorithm used to reduce the size of data by assigning shorter codes to more frequently occurring symbols.
In the webp image format, Huffman coding is used in the lossless compression mode. The vulnerability lies in that lossless compression support, specifically in the construction of the Huffman tables. These tables store the Huffman code for each symbol in the image and are constructed directly from the symbols' code lengths.
Understanding Huffman Coding and Tables
Huffman coding involves performing a frequency analysis of symbols, such as characters in text or pixel values in an image. The frequency of each symbol is used to create an ordered list, and a tree structure is built based on this list. The tree structure represents the Huffman codes for each symbol, with shorter codes assigned to more frequently occurring symbols.
While Huffman coding is conceptually based on a tree data structure, modern implementations use tables instead. These tables allow for more efficient and direct lookups of Huffman codes during compression and decompression. The tables are constructed based on the code lengths of the symbols, with each entry in the table representing a possible code of a specific length.
During compression, the Huffman codes are derived from the frequency analysis, and the code lengths are obtained from those codes. It is the code lengths, from which the tables can be rebuilt, that are written to the output file. During decompression, the code lengths are read from the file and used to reconstruct the Huffman tables for decoding the compressed data.
The Vulnerability Exploitation
In the case of the discovered vulnerability, the issue arose when constructing the Huffman tables during decompression. The code lengths were read from the .webp file and used to construct the tables in memory. However, an invalid table could be crafted by supplying code lengths that describe a tree no valid Huffman code could produce. The tables built from such lengths could grow larger than expected and overflow the memory allocated for them.
The problem was exacerbated by the fact that the table sizes were precalculated and hardcoded from the code lengths a valid compression step is expected to produce. The memory allocated for the tables could therefore be insufficient for the larger tables that invalid code lengths produce during decompression.
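The table-sizing behaviour described above, as an added example that is neither the page's nor libwebp's own code: a simplified model of a two-level Huffman lookup table, with a Kraft-inequality check that runs on the code lengths before anything is built. MAX_LEN, ROOT_BITS and the sample length sets are assumptions, and next_table_bits follows the zlib-style "widen until the remaining codes fit" heuristic.

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_LEN   15  /* longest code length allowed (assumed limit) */
#define ROOT_BITS 8   /* bits resolved by the first-level (root) table */

/* Constructed sample inputs, not taken from any real file. */
const uint8_t kCompleteLens[]   = {1, 2, 3, 4, 5, 6, 7, 8, 9, 9};  /* Kraft sum == 1 */
const uint8_t kIncompleteLens[] = {1, 2, 3, 4, 5, 6, 7, 8, 9};     /* Kraft sum <  1 */
const uint8_t kOverLens[]       = {1, 1, 1};                       /* Kraft sum >  1 */

/* Kraft check on the lengths alone: 1 for a complete prefix code, 0 if it is
   over-subscribed (sum > 1) or incomplete (sum < 1). Runs before any write. */
int code_lengths_complete(const uint8_t *lens, size_t n) {
    uint32_t full = 1u << MAX_LEN, sum = 0;       /* sum scaled by 2^MAX_LEN */
    for (size_t i = 0; i < n; i++) {
        if (lens[i] > MAX_LEN) return 0;
        if (lens[i]) sum += full >> lens[i];      /* length 0 = unused symbol */
    }
    return sum == full;             /* > full: over-subscribed, < full: incomplete */
}

/* Width in bits of the second-level table starting at code length 'len': widen
   until the codes still to be placed fit. A complete code stops early; an
   incomplete one keeps widening up to MAX_LEN, which inflates the table. */
static int next_table_bits(const int count[MAX_LEN + 1], int len) {
    int left = 1 << (len - ROOT_BITS);
    while (len < MAX_LEN && (left -= count[len]) > 0) { ++len; left <<= 1; }
    return len - ROOT_BITS;
}

/* Entries a two-level lookup table needs for canonical codes of these lengths:
   2^ROOT_BITS for the root plus one sub-table per root prefix with longer codes.
   No completeness check here (build-first, validate-later). -1 on a bad length. */
int table_entries(const uint8_t *lens, size_t n) {
    int count[MAX_LEN + 1] = {0}, total = 1 << ROOT_BITS, last_prefix = -1;
    uint32_t code = 0;                            /* canonical code, MSB first */
    for (size_t i = 0; i < n; i++) { if (lens[i] > MAX_LEN) return -1; count[lens[i]]++; }
    for (int len = 1; len <= MAX_LEN; len++, code <<= 1) {
        for (int left = count[len]; left > 0; left--, code++) {
            count[len] = left;                    /* codes not yet placed at len */
            if (len <= ROOT_BITS) continue;       /* fits in the root table */
            int prefix = (int)(code >> (len - ROOT_BITS));
            if (prefix == last_prefix) continue;  /* same sub-table as before */
            total += 1 << next_table_bits(count, len);
            last_prefix = prefix;
        }
    }
    return total;
}
```

For the constructed inputs, the complete ten-symbol code needs 258 entries, while the incomplete nine-symbol code, which the check rejects, would ask for 384. The size depends on the shape of the tree rather than the number of symbols, which is why a size fixed in advance for valid inputs cannot bound what invalid inputs produce unless the lengths are validated first.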
Implications and Future Considerations
The discovery of this iOS zero-day vulnerability highlights the importance of thorough code review and testing, especially when dealing with critical components such as compression algorithms and data structures. It also raises questions about the effectiveness of vulnerability management practices in detecting and addressing such issues in a timely manner.
Going forward, it is crucial for developers and security professionals to remain vigilant and proactive in identifying and addressing vulnerabilities. Regular code audits, security testing, and prompt patching are essential to mitigate the risks associated with zero-day vulnerabilities.
Additionally, this vulnerability serves as a reminder of the importance of a strong foundation in computer science fundamentals. Understanding algorithms and data structures is crucial for identifying and addressing potential vulnerabilities and ensuring the security of software systems.
Conclusion
The discovery of the iOS zero-day vulnerability in the webp image format highlights the critical nature of thorough code review, security testing, and vulnerability management practices. This vulnerability, which affected iOS, Chromium, Firefox, and other software supporting webp, exposed the potential risks associated with improper handling of Huffman tables during decompression.
Moving forward, it is essential for developers and security professionals to remain diligent in their efforts to identify and address vulnerabilities before they can be exploited. This requires a strong foundation in computer science fundamentals and a commitment to maintaining secure coding practices.