so.cl


Exploiting aCropalypse: Recovering Truncated PNGs

This article assumes you’ve already heard about the aCropalypse vulnerability, aka CVE-2023-21036. The bug lies in closed-source, Google-proprietary code, so it’s a bit hard to inspect, but after some patch-diffing I concluded that the root cause was this horrible bit of API ‘design’: https://issuetracker.google.com/issues/180526528.

Google was passing ‘w’ to a call to parseMode() when they should’ve been passing ‘wt’ (the t stands for truncation). This is an easy mistake to make, since similar APIs (like POSIX fopen) truncate by default when you simply pass ‘w’. Not only that, but previous Android releases had parseMode("w") truncate by default too! This behaviour change wasn’t even documented until some time after the aforementioned bug report was filed.

The end result is that the image file is opened without the O_TRUNC flag, so when the cropped image is written the original file is not truncated first. If the new image is smaller, the tail of the original is left behind after the new image’s IEND chunk.

IMHO, the takeaway here is that API footguns should be treated as security vulnerabilities.