My theory on how the webp 0day was discovered (BLASTPASS)

LiveOverflow

29 Sept 202415:02

Summary

TLDRThe video script discusses a webp vulnerability that could hack iPhones via iMessage. The speaker, after a hiatus, shares their theory on how such vulnerabilities are discovered. They delve into the complexity of image file formats and the role of Apple's Image I/O and Blastdoor in parsing messages. The theory suggests that a vulnerability researcher, familiar with image parsing, might have noticed a pattern in how webp's huffman table was implemented, similar to other formats, leading to the discovery of the exploit.

Takeaways

🎥 The speaker has been busy creating content for Hextree courses, focusing on Android application security sponsored by Google.
🕵️‍♂️ The discussion revisits a previous webp vulnerability known as 'a vulnerability to hack the world' and the mystery of its discovery.
🔍 The speaker theorizes on how the webp vulnerability might have been discovered, considering it wasn't found through standard fuzzing techniques.
📱 The theory involves a vulnerability researcher or team targeting iPhones remotely, likely through iMessage due to its ubiquity on iOS devices.
🔎 The research process likely involved creating custom tooling to interact with Apple's servers and iMessage's end-to-end encryption.
🧩 The speaker suggests that image file formats, especially those supported by iMessage, are a common and complex target for vulnerabilities.
🛡️ iOS 14 introduced 'Blastdoor', a security feature that sandboxes the parsing of image files to protect against potential exploits.
🔑 The speaker hypothesizes that the webp vulnerability might have been known to researchers before iOS integrated the webp library, possibly used in other targets.
🔄 The vulnerability in webp's Huffman table implementation was likely discovered by someone deeply familiar with image parsing code, possibly due to a comment in another image format's code.
🔍 The speaker suggests that the discovery might have been made by someone who noticed a comment about the limitations of the 'enough.c' tool in calculating Huffman table sizes.
📚 The script ends with a call to action for viewers interested in learning more about hacking to check out Hextree's courses, including a new Android application security course.

Q & A

What is the main topic of the video script?
-The main topic of the video script is the exploration of a webp vulnerability that could be used to hack iPhones remotely, specifically through iMessage, and the theorized method of how this vulnerability might have been discovered.
What is Hextree, as mentioned in the script?
-Hextree is a platform that the speaker has been working on, creating over 100 short videos for courses, particularly for Android application security courses sponsored by Google.
What is the significance of the webp vulnerability discussed in the script?
-The webp vulnerability is significant because it represents a potential security flaw in iOS that could allow an attacker to remotely execute code on iPhones by sending malicious webp images through iMessage.
What is the role of Google Project Zero in the context of this script?
-Google Project Zero is mentioned as a source of articles and research that analyze and discuss the remote attack surface of the iPhone, including the iMessage system, which is relevant to the webp vulnerability.
Why is iMessage considered a good target for attackers?
-iMessage is considered a good target for attackers because it is a default messaging app on every iPhone, providing a widespread and consistent attack vector.
What is Blastdoor and how does it relate to the webp vulnerability?
-Blastdoor is a heavily sandboxed security service process in iOS that performs the parsing of incoming iMessages. It is designed to contain any potential exploits within a heavily restricted environment. The webp vulnerability could potentially be exploited within Blastdoor, but the sandbox is intended to prevent attackers from escaping it.
What is the role of 'enough.c' in the discovery of the webp vulnerability?
-The 'enough.c' tool is referenced in the context of calculating Huffman table sizes. The webp vulnerability may have been discovered due to a realization that 'enough.c' might not accurately calculate table sizes for malformed input, leading to potential exploits.
What is the significance of the Huffman table in the webp vulnerability?
-The Huffman table is significant because the webp vulnerability is related to how the Huffman table is implemented and parsed in the webp image format. The vulnerability arises from trusting the output from 'enough.c' to calculate the maximum possible table size.
What is the role of fuzzing in discovering vulnerabilities like the webp one?
-Fuzzing is an automated software testing technique that involves providing invalid, unexpected, or random data to the inputs of a program to see if it crashes or behaves unexpectedly. It was instrumental in discovering the webp vulnerability after targeted fuzzing of the Huffman table implementation.
Why are image file formats considered a good target for finding vulnerabilities?
-Image file formats are considered a good target for finding vulnerabilities because they often involve complex parsing algorithms with many potential points of failure. The complexity of these algorithms can lead to bugs that can be exploited.
What is the ultimate theory proposed by the speaker about the discovery of the webp vulnerability?
-The ultimate theory proposed by the speaker is that a vulnerability researcher, who was already familiar with image parsing and had seen similar issues in other formats, might have noticed a comment about the limitations of 'enough.c' in calculating Huffman table sizes and then applied that knowledge to webp, leading to the discovery of the vulnerability.