Author Topic: Yet Another Avatar Exploit  (Read 3340 times)

Conan

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 704
  • E-points: +37/-9
  • ¯\(°_o)/¯
Yet Another Avatar Exploit
« on: April 10, 2012, 01:23:23 am »
It appears people figured out that FA's avatar uploader trusts the image to say how big it is, allowing anyone with a hex editor to edit a value and upload a .gif of any size.

So things like this and this are happening.

Fiz

  • nice
  • Cabalistic Fuckhead
  • *
  • Posts: 94
  • E-points: +13/-1
  • no stop
Re: Yet Another Avatar Exploit
« Reply #1 on: April 10, 2012, 01:46:07 am »
My bad, kind of.

Friend showed me this guy's page and said he thinks FA's avatar uploader is fucked up.

I showed it to some people, who uploaded the icon themselves, and well, doesn't look like it's a bug.

Eventually the exploit was figured out, then I became a dogExplaim that atheists.

Then uh, welp.
pee

Ketsuban

  • *
  • Posts: 49
  • E-points: +5/-1
  • Initiated Rube
Re: Yet Another Avatar Exploit
« Reply #2 on: April 10, 2012, 04:56:11 am »
It appears people figured out that FA's avatar uploader trusts the image to say how big it is, allowing anyone with a hex editor to edit a value and upload a .gif of any size.

Technical detail: The GIF header contains a filetype signature ("GIF87a" or "GIF89" in ASCII depending on whether there's an alpha channel or not, IIRC) followed by two 16-bit little-endian values which are the height and width of the image. These don't have to match the size of the image in the data portion; FA trusts the size reported in the header and doesn't actually resize the image when uploaded or when displaying it, so you can happily upload any GIF image less than 50KB in size so long as you edit the header so it claims to be a 100x100 image.

I'm going to continue believing I was the first one to discover this because damnit, I want to be first at something in my life.

a pigeon

  • Cabalistic Fuckhead
  • ***
  • Posts: 426
  • E-points: +36/-4
Re: Yet Another Avatar Exploit
« Reply #3 on: April 10, 2012, 07:58:19 am »


So then comes the bans.



Some people who used the exploit were banned; some people were not.
then he hent that noble prince by the hand,
and said "welcome my soueraigne King HENERY!
chalenge thy Herytage and thy Land,
that thine owne is, and thine shall bee."

kernel.panic

  • Posts: 14
  • E-points: +0/-0
  • Uninitiated Rube
Re: Yet Another Avatar Exploit
« Reply #4 on: April 10, 2012, 10:00:50 am »
I think what they're trying to tell us here, is that if we're going to get banned for this, we should make sure it's worth it.

I mean that's the logic here, right?

Who's got some unflattering photos of sciggles or dragoneer to .gif?

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
Re: Yet Another Avatar Exploit
« Reply #5 on: April 10, 2012, 11:05:53 am »
Image format loaders are notorious sources of security-type bugs. And I'm sure they're running that site with some hilarious ancient version of PHP-GD that is full of these kinds of things, of which this is probably the most benign.

First person to run arbitrary code gets a prize!

(It's a ban)
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

applesauce

  • Posts: 2
  • E-points: +0/-0
  • Uninitiated Rube
Re: Yet Another Avatar Exploit
« Reply #6 on: April 10, 2012, 12:56:47 pm »
This isn't something new. They have been having people exploit this since Eli showed them how in 2008.

Conan

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 704
  • E-points: +37/-9
  • ¯\(°_o)/¯
Re: Yet Another Avatar Exploit
« Reply #7 on: April 10, 2012, 03:01:37 pm »
This isn't something new. They have been having people exploit this since Eli showed them how in 2008.

If you could post some proof you'll pretty much pull the rug out from under the FA admins saying they were never told this existed.

ColonThree

  • **
  • Posts: 149
  • E-points: +17/-3
  • Not a cat
Re: Yet Another Avatar Exploit
« Reply #8 on: April 10, 2012, 04:12:34 pm »
This isn't something new. They have been having people exploit this since Eli showed them how in 2008.

I vaguely remember that. A huge white square with "HAXX" in the middle I believe.
~Witty quote~

applesauce

  • Posts: 2
  • E-points: +0/-0
  • Uninitiated Rube
Re: Yet Another Avatar Exploit
« Reply #9 on: April 10, 2012, 07:09:16 pm »
I vaguely remember that. A huge white square with "HAXX" in the middle I believe.
That was it.

loki

  • **
  • Posts: 125
  • E-points: +2/-2
Re: Yet Another Avatar Exploit
« Reply #10 on: April 11, 2012, 05:05:36 pm »
Does this apply to the thumbnail uploader too then?

ColonThree

  • **
  • Posts: 149
  • E-points: +17/-3
  • Not a cat
Re: Yet Another Avatar Exploit
« Reply #11 on: April 12, 2012, 03:54:12 am »
Does this apply to the thumbnail uploader too then?

It might've done previously, but I can't get it to work under the current system.
~Witty quote~

Ben

  • *
  • Posts: 47
  • E-points: +6/-9
  • smelly vaginahead extraordinare
Re: Yet Another Avatar Exploit
« Reply #12 on: April 12, 2012, 02:38:55 pm »
Does this apply to the thumbnail uploader too then?

It might've done previously, but I can't get it to work under the current system.

Well, that's not entirely true. Custom thumbnails still work for every other upload type that's not visual art. So yeah.

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
Re: Yet Another Avatar Exploit
« Reply #13 on: April 12, 2012, 03:30:56 pm »
So if this isn't a new thing, is the "news" here that Sciggles didn't know about it and proceeded to throw a shitfit?
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Conan

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 704
  • E-points: +37/-9
  • ¯\(°_o)/¯
Re: Yet Another Avatar Exploit
« Reply #14 on: April 12, 2012, 06:17:17 pm »
It seems they've fixed the problem, but not before breaking uploading to the site.

I don't even know how it's possible to ALWAYS break something else every time you touch your code.

ColonThree

  • **
  • Posts: 149
  • E-points: +17/-3
  • Not a cat
Re: Yet Another Avatar Exploit
« Reply #15 on: April 13, 2012, 08:09:48 am »
Custom thumbnails still work for every other upload type that's not visual art. So yeah.

Which is what I tried it with. Which didn't work.
~Witty quote~

Jim Demintia

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 628
  • E-points: +24/-6
  • Deflator Mouse
Re: Yet Another Avatar Exploit
« Reply #16 on: April 13, 2012, 12:38:29 pm »
It seems they've fixed the problem, but not before breaking uploading to the site.

I don't even know how it's possible to ALWAYS break something else every time you touch your code.

It's simple. Make the change, don't bother to check if it works. This is something they would totally do.
Can it be this sad design
Could be the very same
A wooly man without a face
And a beast without a name

Conan

  • Postcount ate Whippany, NJ
  • ****
  • Posts: 704
  • E-points: +37/-9
  • ¯\(°_o)/¯
Re: Yet Another Avatar Exploit
« Reply #17 on: April 25, 2012, 01:46:15 am »


HMMMMMMMMmmmmmmmmmmmmmm.

ColonThree

  • **
  • Posts: 149
  • E-points: +17/-3
  • Not a cat
Re: Yet Another Avatar Exploit
« Reply #18 on: April 25, 2012, 06:04:00 am »


HMMMMMMMMmmmmmmmmmmmmmm.

Interestingly, that avatar doesn't use the exploit. After some fucking around, it seems to be something to do with the compression used in animated gifs, in particular only writing information that has changed since the previous frame. In Bizz-ness' avatar, only the tail is moving, which takes up less than 100x100 pixels (barely). I would assume that the "fix" involves finding the last instance of 0x21,0xF9 in the file, and checking the size of the frame following that, which ends up being the compressed frame.

For example:



This one will also upload fine. While the entire thing changes for the first 4 frames, only the corner changes in the final frame. Since those changes occupy a space smaller than 100x100, it passes. Checking the first frame instead should fix that, since the first frame is always the same size as the entire gif (presumably).
~Witty quote~
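Added example, not code from the thread or from FA: a Python checker that illustrates the two posts above, Ketsuban's description of the header (logical screen size stored as 16-bit little-endian values after the "GIF8xa" signature) and ColonThree's observation that animated GIFs carry per-frame image descriptors that can be much smaller than the screen. The validator walks the GIF block structure without decoding pixels, and rejects a file if the declared screen exceeds the avatar limit or if any frame's descriptor does not fit inside that screen, instead of trusting one value. The 100x100 limit, the `build_gif` fixture builder and the three sample files are assumptions constructed for this example; `last_frame_only_check` is a stand-in for the weaker "check the frame after the last 0x21 0xF9" fix ColonThree speculates about, written here only to show the case it misses.

```python
import struct

MAX_W, MAX_H = 100, 100  # avatar limit as discussed in the thread (assumed)


def _skip_sub_blocks(data, pos):
    """Advance past a chain of GIF data sub-blocks (length byte + payload; 0 terminates)."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos


def parse_gif(data):
    """Walk the GIF block structure without decoding pixels.

    Returns (screen_w, screen_h, frames), where frames is a list of
    (left, top, width, height) taken from every image descriptor."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    # Logical Screen Descriptor: width, height (little-endian u16), packed flags
    screen_w, screen_h, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:  # global color table follows, 3 bytes per entry
        pos += 3 * (2 << (packed & 0x07))
    frames = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated: no trailer byte")
        block = data[pos]
        pos += 1
        if block == 0x3B:  # trailer
            return screen_w, screen_h, frames
        if block == 0x21:  # extension (0x21 0xF9 is the graphic control extension)
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the extension label
        elif block == 0x2C:  # image descriptor: one per frame
            if pos + 9 > len(data):
                raise ValueError("truncated image descriptor")
            left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:  # local color table
                pos += 3 * (2 << (ipacked & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW minimum code size
            frames.append((left, top, w, h))
        else:
            raise ValueError(f"unknown block type 0x{block:02X} at offset {pos - 1}")


def check_avatar(data, max_w=MAX_W, max_h=MAX_H):
    """Return (accepted, reason). Rejects if the declared screen exceeds the limit
    or if ANY frame's descriptor falls outside the declared screen."""
    screen_w, screen_h, frames = parse_gif(data)
    if not frames:
        return False, "no image frames"
    if screen_w > max_w or screen_h > max_h:
        return False, f"logical screen {screen_w}x{screen_h} exceeds {max_w}x{max_h}"
    for i, (left, top, w, h) in enumerate(frames):
        if w == 0 or h == 0 or left + w > screen_w or top + h > screen_h:
            return False, f"frame {i} ({w}x{h} at {left},{top}) does not fit the declared screen"
    return True, "ok"


def last_frame_only_check(data, max_w=MAX_W, max_h=MAX_H):
    """Stand-in for the weaker fix described in the thread: only the last frame is measured."""
    _, _, frames = parse_gif(data)
    if not frames:
        return False
    _, _, w, h = frames[-1]
    return w <= max_w and h <= max_h


def build_gif(screen_w, screen_h, frames):
    """Construct a structurally valid GIF with placeholder LZW sub-blocks.
    Constructed test fixture only; the pixel data is not real image content."""
    out = bytearray(b"GIF89a")
    out += struct.pack("<HHBBB", screen_w, screen_h, 0x00, 0, 0)  # no global color table
    for left, top, w, h in frames:
        out += b"\x21\xF9\x04\x00\x00\x00\x00\x00"  # graphic control extension, all fields zero
        out += b"\x2C" + struct.pack("<HHHHB", left, top, w, h, 0x00)
        out += b"\x02" + b"\x01\x00" + b"\x00"  # LZW min code size, one dummy sub-block, terminator
    out += b"\x3B"
    return bytes(out)


# Constructed samples (assumptions, not files from the thread)
HONEST = build_gif(100, 100, [(0, 0, 100, 100)])
# Header edited to claim 100x100 while the frame descriptor still says 500x500
SPOOFED_HEADER = build_gif(100, 100, [(0, 0, 500, 500)])
# Animated 500x500: full first frame, then a small delta frame (only the "tail" moves)
DELTA_ANIMATION = build_gif(500, 500, [(0, 0, 500, 500), (450, 450, 50, 50)])

if __name__ == "__main__":
    for name, gif in [("honest", HONEST), ("spoofed", SPOOFED_HEADER), ("delta", DELTA_ANIMATION)]:
        print(name, check_avatar(gif), "last-frame-only:", last_frame_only_check(gif))
```

The delta-frame sample is the case from the post above: a last-frame-only check accepts it because the final descriptor is 50x50, while checking the logical screen and every frame rejects it. Structural checks like this are still only a first gate; the LZW stream can decode to a different pixel count than the descriptor declares, so an upload pipeline should also decode and re-encode the image with a maintained image library and serve only the re-encoded result.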

Fiz

  • nice
  • Cabalistic Fuckhead
  • *
  • Posts: 94
  • E-points: +13/-1
  • no stop
Re: Yet Another Avatar Exploit
« Reply #19 on: May 28, 2012, 06:06:47 pm »
As of today, the large avatar exploit hasn't been fully patched. No surprise there!

http://gyazo.com/ebb44ee977ebb7870cc95ed5fb2e7d65

I believe this user is using the exploit that ColonThree posted above me.
pee