Android Hacking: The libwebp Vulnerability (zero-day/zero-click)

Welcome back, my aspiring cyberwarriors!

In recent days, a new and severe vulnerability has been found among the Android ecosystem that puts all Android devices, and even Apple iOS devices, at risk. It enables the attacker to send images via SMS and take control of the device with no user interaction! This vulnerability was first identified by Citizen Lab, a research lab based at the University of Toronto and famous for its tracking of the Pegasus malware. The vulnerability was first reported as CVE-2023-41064 but we have since learned that this vulnerability is ubiquitous throughout the Android ecosystem, Google chrome and many other Linux/Unix based systems. In addition, Telegram, the ToR browser, Brave, Gimp, LibreOffice and many other applications are vulnerable. This may be one of the most important vulnerabilities of our era!

The vulnerability involves a library (reusable code) developed by Google over a decade ago to process images known as libwebp. libwebp was designed to be a more efficient method of processing images than say jpeg or other image processes algorithms. As such, it is used throughout the mobile device world and many browsers.

The danger of this vulnerability is that it enables the attacker to install remote code on the device and take control with NO interaction from the user.

Let’s delve a bit deeper into libwebp and this vulnerability.

What is libwebp?

libwebp is a library used by developers to compress graphic files for easier and more efficient transfer over the Internet. Nearly all graphic files you are familiar with such a jpeg, tiff, png, etc. are all compressed file formats. Without these compression algorithms, the Internet would move much slower. We also use compression in audio and video files such as mp3 and mp4.

libwebp was developed by Google and is widely used among phones, mobile devices and browsers. It’s compression is significantly superior to other widely used compression algorithms such as jpeg (as much as 30-40% for efficient).

What is Lossless and Lossy Compression

Lossless compression is data compression in which the original data can be perfectly reconstructed from the compressed data. In other words, when a file undergoes lossless compression and is subsequently decompressed, no information is lost and the output is identical to the original input. PNG, FLAC, GIF and ZIP are lossless compression algorithms. Lossless compression is used throughout the Internet where speed and efficiency are important but where integrity is also necessary.

Lossy graphic file compression is a method of data compression where some of the file’s data is permanently discarded during the compression process. In the context of graphic files, this means that some image information is lost when the file is compressed and cannot be fully recovered upon decompression. The main objective is to significantly reduce the file size to save storage space and decrease load times, often at the cost of some degradation in image quality. Many graphic, audio and video files are compressed with lossy compression due to the fact that our eyes and ears are not so sensitive to pick up the change of a single pixel or note

How Does the Exploit Work

This exploit creates a buffer overflow in the image decoder enabling the attacker to install their own remote code and control the device. libwebp uses a Huffman tables (developed by David A. Huffman in 1952, is a popular method for lossless data compression. The central principle of Huffman coding is to use shorter binary codes for more frequent elements in the data and longer codes for less frequent elements) for compression and decompression. The compressed image files contain information about the shape of the Huffman tables and those tables are constructed by the decoder. These Huffman tables are constructed in a heap (heap is a memory area what application data is stored). A specially crafted WebP file can create a Huffman tree that overflows the heap and allows the attackers code to run

Summary

The libwebp vulnerability affects nearly every mobile device whether Android or iOS. It also affects the most commonly used browsers and many applications that enable graphics manipulations. The libwebp vulnerability may be the most important mobile device vulnerability of our times!

To learn more about this ubiquitous and sever vulnerability, attend our upcoming Android Hacking training.