Analysis of WebP Zero-Day Vulnerability (CVE-2023-4863)

  • Introduction:

    • The WebP zero-day vulnerability, identified as CVE-2023-4863, was discovered by Apple's Security Engineering and Architecture (SEAR) team and was reported to Google. The vulnerability was a heap buffer overflow in the WebP image library, which was being exploited in the wild.
  • Technical Analysis:

    • The vulnerability resided in WebP's lossless compression support, known as VP8L, specifically in the Huffman coding routines used to decode lossless data.
    • When decoding an untrusted image, the vulnerable code could overflow the Huffman table because the table's buffer was sized from pre-calculated values in a fixed lookup table rather than measured from the input.
    • The patch fixed the issue by performing a "first pass" construction that calculates the total size the Huffman table requires before the table is actually built, thereby preventing the overflow.
  • Exploit Analysis:

    • A proof-of-concept (PoC) was developed to replicate the bug, demonstrating a heap-buffer-overflow. The PoC utilized crafted Huffman coding data to trigger the overflow.
    • The exploitation required constructing a sequence of four valid Huffman tables followed by a specific type of invalid Huffman table to trigger the overflow.
    • The overflow could lead to an out-of-bounds write, which was deemed exploitable.
  • Mitigation:

    • The patch provided by Google addressed the issue by rejecting the inputs that would cause the heap overflow, effectively mitigating the vulnerability.
  • Fuzzing Challenges:

    • After the fix, a discussion arose about how effective fuzzing is at discovering vulnerabilities of this kind. The complexity and fragility of the format made it difficult for fuzzers to reach this specific bug.
    • A new fuzzer was released by Google specifically for the Huffman routines in WebP to enhance the fuzzing process.
  • Conclusion:

    • The WebP 0day (CVE-2023-4863) showcased the intricacies and challenges in identifying and mitigating vulnerabilities in complex file format libraries. The analysis also highlighted the importance of effective fuzzing techniques to uncover such vulnerabilities in the future.
  • Source: https://blog.isosceles.com/the-webp-0day/

    #WebP #zeroday #CVE20234863
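    The "first pass" idea from the Technical Analysis and Mitigation sections, as an added illustration that is not code from the blog post or from libwebp: a two-level Huffman decoding table is sized from the actual code lengths in the input, after checking that those lengths form a complete prefix code, and only then would a caller allocate exactly that many entries. The maximum code length (15), the root-table width `root_bits` and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#define MAX_LEN 15   /* longest code length accepted; an assumed limit for this example */
/* Bits of the second-level table that starts at a code of length `len`: just wide
 * enough for the remaining long codes, so its size depends on the input lengths. */
static int next_table_bits(const int *count, int len, int root_bits) {
    int left = 1 << (len - root_bits);
    while (len < MAX_LEN) {
        left -= count[len];
        if (left <= 0) break;
        ++len;
        left <<= 1;
    }
    return len - root_bits;
}

/* First pass: validate the code lengths and return the exact number of two-level
 * table entries they need, or -1 if they do not form a complete prefix code.
 * Nothing is written here, so a malformed table cannot cause an out-of-bounds write. */
int huffman_table_size(const uint8_t *lens, int n, int root_bits) {
    int count[MAX_LEN + 1] = {0};
    int symbols = 0, left = 1, cur_prefix = -1, pos = 0, total;
    if (root_bits < 1 || root_bits > MAX_LEN) return -1;
    for (int i = 0; i < n; i++) {
        if (lens[i] > MAX_LEN) return -1;
        if (lens[i]) { count[lens[i]]++; symbols++; }
    }
    if (symbols == 1) return 1 << root_bits;    /* degenerate one-symbol code */
    for (int len = 1; len <= MAX_LEN; len++) {  /* Kraft inequality over all lengths */
        left = (left << 1) - count[len];
        if (left < 0) return -1;                /* over-subscribed */
    }
    if (left != 0) return -1;                   /* incomplete code */
    total = 1 << root_bits;                     /* the root table */
    for (int len = 1; len <= root_bits; len++)  /* short codes fit in the root table */
        pos += count[len] << (MAX_LEN - len);
    for (int len = root_bits + 1; len <= MAX_LEN; len++) {
        while (count[len] > 0) {                /* pos walks a 2^MAX_LEN leaf space */
            int prefix = pos >> (MAX_LEN - root_bits);
            if (prefix != cur_prefix) {         /* new root prefix: open a new sub-table */
                cur_prefix = prefix;
                total += 1 << next_table_bits(count, len, root_bits);
            }
            count[len]--;
            pos += 1 << (MAX_LEN - len);
        }
    }
    return total;
}
```

With `root_bits = 2`, lengths {1, 2, 3, 3} need 6 entries (a 4-entry root plus one 2-entry sub-table), while {1, 1, 1} and {1, 2} are rejected before anything is allocated.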
