Author Topic: aCropalypse CVE-2023-21036

Offline madires (Topic starter)

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
aCropalypse CVE-2023-21036
« on: March 22, 2023, 05:32:56 pm »
Maybe you've already heard about the Pixel’s built-in cropping tool having an issue with simply truncating images, i.e. you can recover the original image from the cropped one:
- Google Pixel exploit reverses edited parts of screenshots (https://www.theverge.com/2023/3/19/23647120/google-pixel-acropalypse-exploit-cropped-screenshots)
- Exploiting aCropalypse: Recovering Truncated PNGs (https://www.da.vidbuchanan.co.uk/blog/exploiting-acropalypse.html)

Would you think that another team at another company would make the same mistake? Think again! ;D
- Oops, Windows’ screenshot tool may be saving stuff you cropped out, too (https://www.theverge.com/2023/3/21/23650657/windows-snipping-tool-crop-screenshots-vulnerability)
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
Re: aCropalypse CVE-2023-21036
« Reply #1 on: March 22, 2023, 06:09:20 pm »
Exploit itself is fine, but I'm more annoyed by the lack of care for the file size. Imagine you are working on a crop tool and it produces the same file size as an uncropped version, and that does not bother you at all. "We've got plenty of storage who cares about file size".
My RSS reader is blocked by the forum, so I won't be actively reading it. If you need to reach me, use email.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14230
  • Country: fr
Re: aCropalypse CVE-2023-21036
« Reply #2 on: March 22, 2023, 08:24:43 pm »
Fascinating. It is definitely not "fine", it's a significant security flaw. Users may have removed parts of an image that are confidential/would pose all kinds of risks if seen, and they are entitled to think that cropping would never allow recovering the original image.

From a developer's POV, both the ability of recovering the original image and the resulting size would normally be immediate concerns.
Sure for the first one, actually, exploit or not, it may even have been thought of as a "feature".

And who cares about the end result (security, file size), both were probably not mentioned in the "user stories" that were the basis for developing this tool.
 :palm:
 

Online Nominal Animal

  • Super Contributor
  • ***
  • Posts: 6134
  • Country: fi
Re: aCropalypse CVE-2023-21036
« Reply #3 on: March 22, 2023, 08:39:15 pm »
It does not surprise me anymore that "coders" consistently manage to fuck up file handling, especially error handling and proper close/truncate sequences.

It's the inevitable result of the "I'll add error checking later on when I have more time" and "If we get an I/O error, the system is so b0rked anyway that the user must already be aware of it, so we can ignore all errors here" principles most "coders" go by.
 

Offline ataradov

  • Super Contributor
  • ***
  • Posts: 11219
  • Country: us
Re: aCropalypse CVE-2023-21036
« Reply #4 on: March 22, 2023, 08:58:42 pm »
To be fair, the way file truncation traditionally works on the OS level is messed up. If I open the file for write, the default should be to truncate the size. There would be no errors returned if you just forgot the O_TRUNC flag, so the only way to know that something is wrong is the file size.
« Last Edit: March 22, 2023, 09:00:23 pm by ataradov »
My RSS reader is blocked by the forum, so I won't be actively reading it. If you need to reach me, use email.
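An added Python illustration, not code from this thread or from either vendor's tool, of the failure mode in the first post and of the missing-O_TRUNC mechanism described above: a constructed PNG-shaped file is overwritten by a smaller one with and without O_TRUNC, and a chunk walker reports how many bytes survive past the IEND chunk, which is the check a save routine (or a worried user) can run on a cropped file. The file name and image bytes are constructed; the PNGs have correct chunk framing but are not decodable pictures.

```python
import os
import struct
import tempfile
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype, data):
    # One PNG chunk: big-endian length, type, data, CRC32 over type+data.
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_png(width, height, idat_payload):
    # Constructed PNG-shaped bytes: correct chunk framing, not a decodable image.
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat_payload) + png_chunk(b"IEND", b"")

def trailing_bytes_after_iend(blob):
    # Walk the chunks; return the byte count after IEND's CRC (0 = clean), -1 if malformed.
    if not blob.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        pos += 12 + length  # length field + type + data + CRC
        if ctype == b"IEND":
            return len(blob) - pos
    return -1

def save_image(path, data, truncate):
    # Without O_TRUNC the file is never shortened, so a smaller crop leaves the old tail in place.
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if truncate else 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def demo():
    # Returns (trailing bytes after IEND without O_TRUNC, same with O_TRUNC).
    full = make_png(1920, 1080, b"\x00" * 4000)  # "full screenshot", 4057 bytes
    crop = make_png(320, 200, b"\x00" * 300)     # "cropped" version, 357 bytes
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "shot.png")
        for truncate in (False, True):
            save_image(path, full, truncate=True)      # the original screenshot
            save_image(path, crop, truncate=truncate)  # overwrite with the crop
            with open(path, "rb") as f:
                results.append(trailing_bytes_after_iend(f.read()))
    return tuple(results)
```

Without O_TRUNC the "cropped" file keeps 3700 bytes of the original past IEND and is exactly the size of the uncropped one, which is the file-size tell mentioned above; with O_TRUNC nothing follows IEND.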
 

Offline spostma

  • Regular Contributor
  • *
  • Posts: 117
  • Country: nl
Re: aCropalypse CVE-2023-21036
« Reply #5 on: March 22, 2023, 09:05:42 pm »
 

Offline rdl

  • Super Contributor
  • ***
  • Posts: 3665
  • Country: us
Re: aCropalypse CVE-2023-21036
« Reply #6 on: March 23, 2023, 06:32:06 am »
Since it's Google (and Microsoft) it wouldn't surprise me if it was done on purpose.

> Fascinating. It is definitely not "fine", it's a significant security flaw. Users may have removed parts of an image that are confidential/would pose all kinds of risks if seen, and they are entitled to think that cropping would never allow recovering the original image.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14230
  • Country: fr
Re: aCropalypse CVE-2023-21036
« Reply #7 on: March 23, 2023, 08:38:38 pm »
> Since it's Google (and Microsoft) it wouldn't surprise me if it was done on purpose.
>
> > Fascinating. It is definitely not "fine", it's a significant security flaw. Users may have removed parts of an image that are confidential/would pose all kinds of risks if seen, and they are entitled to think that cropping would never allow recovering the original image.

Which is why I added "Sure for the first one, actually, exploit or not, it may even have been thought of as a "feature"."
But that is just speculation. ::)
 

Offline madires (Topic starter)

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
Re: aCropalypse CVE-2023-21036
« Reply #8 on: March 26, 2023, 12:13:16 pm »