A Vulnerability to Hack The World - CVE-2023-4863

Citizenlab discovered BLASTPASS, a 0day being actively exploited in the image format WebP. Known as CVE-2023-4863 and CVE-2023-41064, an issue in webp's build huffman table function can lead to a heap buffer overflow. This vulnerability is very interesting and I'm excited to share with you what I learned.

Want to learn hacking? Signup to https://hextree.io (ad)
Buy my shitty font: https://shop.liveoverflow.com/ (ad)

WebP Fix Commit: https://chromium.googlesource.com/webm/libwebp/+/902bc9190331343b2017211debcec8d2ab87e17a
Citizenlab: https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/
Ben Hawkes: https://blog.isosceles.com/the-webp-0day/

Software Updates
Apple https://support.apple.com/en-gb/106361
Chrome https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
Firefox https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
Android …

0day actively exploited blastpass buffer buffer overflow build citizenlab cve cve-2023-41064 cve-2023-4863 exploited function hack heap buffer overflow image issue overflow share software software updates thanks updates vulnerability webp world