Author Topic: Yet Another Avatar Exploit  (Read 5353 times)

Conan

  • Postcount killed Trogdor
  • *****
  • Posts: 844
  • E-points: +44/-12
  • \(_o)/
    • View Profile
Yet Another Avatar Exploit
« on: April 10, 2012, 01:23:23 am »
It appears people figured out that FA's avatar uploader trusts the image to say how big it is, allowing anyone with a hex editor to edit a value and upload a .gif of any size.

So things like this and this are happening.

Fiz

  • nice
  • Cabalistic Fuckhead
  • *
  • Posts: 94
  • E-points: +13/-1
  • no stop
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #1 on: April 10, 2012, 01:46:07 am »
My bad, kind of.

Friend showed me this guy's page and said he thinks FA's avatar uploader is fucked up.

I showed it to some people, who uploaded the icon themselves, and well doesn't look like its a bug.

Eventually the exploit was figured out, then I became a dogExplaim that atheists.

Then uh, welp.
pee

Ketsuban

  • *
  • Posts: 60
  • E-points: +7/-1
  • Initiated Rube
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #2 on: April 10, 2012, 04:56:11 am »
It appears people figured out that FA's avatar uploader trusts the image to say how big it is, allowing anyone with a hex editor to edit a value and upload a .gif of any size.

Technical detail: The GIF header contains a filetype signature ("GIF87a" or "GIF89" in ASCII depending on whether there's an alpha channel or not, IIRC) followed by two 16-bit little-endian values which are the height and width of the image. These don't have to match the size of the image in the data portion; FA trusts the size reported in the header and doesn't actually resize the image when uploaded or when displaying it, so you can happily upload any GIF image less than 50KB in size so long as you edit the header so it claims to be a 100x100 image.

I'm going to continue believing I was the first one to discover this because damnit, I want to be first at something in my life.

an Hoopoe

  • Postcount killed Trogdor
  • *****
  • Posts: 792
  • E-points: +37/-56
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #3 on: April 10, 2012, 07:58:19 am »


So then comes the bans.



Some people who used the exploit were banned; some people were not.

kernel.panic

  • Posts: 14
  • E-points: +0/-0
  • Uninitiated Rube
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #4 on: April 10, 2012, 10:00:50 am »
I think what they're trying to tell us here, is that if we're going to get banned for this, we should make sure it's worth it.

I mean that's the logic here, right?

Who's got some un-flattering photos of sciggles or dragoneer to .gif?

Jim Demintia

  • Posts like Kage drinks
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #5 on: April 10, 2012, 11:05:53 am »
Image format loaders are notorious sources of security-type bugs. And I'm sure they're running that site with some hilarious ancient version of PHP-GD that is full of these kinds of things, of which this is probably the most benign.

First person to run arbitrary code gets a prize!

(It's a ban)
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

applesauce

  • Posts: 3
  • E-points: +0/-0
  • Uninitiated Rube
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #6 on: April 10, 2012, 12:56:47 pm »
This isn't something new. They have been having people exploit this since Eli showed them how in 2008.

Conan

  • Postcount killed Trogdor
  • *****
  • Posts: 844
  • E-points: +44/-12
  • \(_o)/
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #7 on: April 10, 2012, 03:01:37 pm »
This isn't something new. They have been having people exploit this since Eli showed them how in 2008.

If you could post some proof you'll pretty much pull the rug out from under the FA admins saying they were never told this existed.

ColonThree

  • **
  • Posts: 172
  • E-points: +18/-3
  • Not a cat
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #8 on: April 10, 2012, 04:12:34 pm »
This isn't something new. They have been having people exploit this since Eli showed them how in 2008.

I vaguely remember that. A huge white square with "HAXX" in the middle I believe.
~Witty quote~

applesauce

  • Posts: 3
  • E-points: +0/-0
  • Uninitiated Rube
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #9 on: April 10, 2012, 07:09:16 pm »
I vaguely remember that. A huge white square with "HAXX" in the middle I believe.
That was it.

loki

  • **
  • Posts: 125
  • E-points: +2/-2
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #10 on: April 11, 2012, 05:05:36 pm »
Does this apply to the thumbnail uploader too then?

ColonThree

  • **
  • Posts: 172
  • E-points: +18/-3
  • Not a cat
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #11 on: April 12, 2012, 03:54:12 am »
Does this apply to the thumbnail uploader too then?

It might've done previously, but I can't get it work under the current system.
~Witty quote~

Ben

  • *
  • Posts: 47
  • E-points: +6/-9
  • smelly vaginahead extraordinare
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #12 on: April 12, 2012, 02:38:55 pm »
Does this apply to the thumbnail uploader too then?

It might've done previously, but I can't get it work under the current system.

Well, that's not entirely true. Custom thumbnails still work for every other upload type that's not visual art. So yeah.

Jim Demintia

  • Posts like Kage drinks
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #13 on: April 12, 2012, 03:30:56 pm »
So if this isn't a new thing, is the "news" here that Sciggles didn't know about it and proceeded to throw a shitfit?
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Conan

  • Postcount killed Trogdor
  • *****
  • Posts: 844
  • E-points: +44/-12
  • \(_o)/
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #14 on: April 12, 2012, 06:17:17 pm »
It seems they've fixed the problem, but not before breaking uploading to the site.

I don't even know how it's possible to ALWAYS break something else every time you touch your code.

ColonThree

  • **
  • Posts: 172
  • E-points: +18/-3
  • Not a cat
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #15 on: April 13, 2012, 08:09:48 am »
Custom thumbnails still work for every other upload type that's not visual art. So yeah.

Which is what I tried it with. Which didn't work.
~Witty quote~

Jim Demintia

  • Posts like Kage drinks
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #16 on: April 13, 2012, 12:38:29 pm »
It seems they've fixed the problem, but not before breaking uploading to the site.

I don't even know how it's possible to ALWAYS break something else every time you touch your code.

It's simple. Make the change, don't bother to check if it works. This is something they would totally do.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Conan

  • Postcount killed Trogdor
  • *****
  • Posts: 844
  • E-points: +44/-12
  • \(_o)/
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #17 on: April 25, 2012, 01:46:15 am »


HMMMMMMMMmmmmmmmmmmmmmm.

ColonThree

  • **
  • Posts: 172
  • E-points: +18/-3
  • Not a cat
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #18 on: April 25, 2012, 06:04:00 am »


HMMMMMMMMmmmmmmmmmmmmmm.

Interestingly, that avatar doesn't use the exploit. After some fucking around, it seems to be something to do with the compression used in animated gifs, in particular only writing information that has changed since the previous frame. In Bizz-ness' avatar, only the tail is moving, which takes up less than 100x100 pixels (barely). I would assume that the "fix" involves finding the last instance of 0x21,0xF9 in the file, and checking the size of the frame following that, which ends up being the compressed frame.

For example:



This one will also upload fine. While the entire thing changes for the first 4 frames, only the corner changes in the final frame. Since those changes occupy a space smaller than 100x100, it passes. checking the first frame instead should fix that, since the first frame is always the same size as the entire gif (presumably).
~Witty quote~

Fiz

  • nice
  • Cabalistic Fuckhead
  • *
  • Posts: 94
  • E-points: +13/-1
  • no stop
    • View Profile
Re: Yet Another Avatar Exploit
« Reply #19 on: May 28, 2012, 06:06:47 pm »
As of today, the large avatar exploit hasn't been fully patched. No surprise there!

http://gyazo.com/ebb44ee977ebb7870cc95ed5fb2e7d65

I believe this user is using the exploit that ColonThree posted above me.
pee