LiveOverflow | My theory on how the webp 0day was discovered #short @LiveOverflow | Uploaded 1 week ago | Updated 9 hours ago
Want to learn more about hacking? Check out our courses on hextree.io (ad)

I have spent many hours looking at the webp vulnerability used in the 0day attack against iPhones. In the past videos we have seen why fuzzers have a hard time finding the issue, so I wanted to understand how this was discovered. And I think I have a good theory!

Part 1: Huffman Tables youtu.be/lAyhKaclsPM
Part 2: Fuzzing libwebp youtu.be/PJLWlmp8CDM

Sources:
citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild
googleprojectzero.blogspot.com/2019/08/the-fully-remote-attack-surface-of.html
googleprojectzero.blogspot.com/2020/01/remote-iphone-exploitation-part-1.html
googleprojectzero.blogspot.com/2021/01/a-look-at-imessage-in-ios-14.html
github.com/seemoo-lab/frida-scripts/blob/main/scripts/libdispatch.js
googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
citizenlab.ca/2023/04/nso-groups-pegasus-spyware-returns-in-2022
github.com/libjxl/libjxl/blob/4b9dbde293f7f282b6952a02340300abfca2b184/lib/jxl/huffman_table.cc#L51
github.com/webmproject/libwebp/blob/7861947813b7ea02198f5d0b46afa5d987b797ae/src/dec/vp8l_dec.c#L86C3-L86C76
github.com/Tencent/mars/blob/9ab46e19ed3d4fcafe9d0de4b36547321f5ead83/mars/comm/windows/zlib/inftrees.h#L41
github.com/google/brunsli/blob/master/c/enc/jpeg_huffman_decode.h#L20

00:00 - Intro
01:18 - The iPhone Remote Attack Surface
02:49 - Targeting iMessage
04:04 - Dangerous Parsing / BlastDoor
06:53 - Image I/O and libwebp
08:11 - A Pattern of Image Vulnerabilities
09:28 - Huffman Tables are Everywhere!
10:50 - My Theory: known issue with enough.c
13:50 - Outro

=[ ❤️ Support ]=

→ per Video: patreon.com/join/liveoverflow
→ per Month: youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

2nd Channel: youtube.com/LiveUnderflow

=[ 🐕 Social ]=

→ Twitter: twitter.com/LiveOverflow
→ Streaming: twitch.tv/LiveOverflow
→ TikTok: tiktok.com/@liveoverflow_
→ Instagram: instagram.com/LiveOverflow
→ Blog: liveoverflow.com
→ Subreddit: reddit.com/r/LiveOverflow
→ Facebook: facebook.com/LiveOverflow