Posted by smartypants | in technology

EXPLOIT WARNING

Extremely suspicious activities today from catbox.moe after being down last night 12 hours, and requiring new account credentials today after California servers seized or invaded.

Catbox.moe is now suddenly sending illegal jpg malformed byte streams! (via WebP tricks not honoring HTTP protocols)

I never once in history got a possible zer0-day fake jpg masquerading as a webP UNTIL HOURS AGO!!!!!!

CATBOX SUDDENLY BEING USED TO SEND MALFORMED JPGS!!! New July 21 2021 zero day revealed!

https://vulners.com/zdi/ZDI-21-893

WebP has again and again every year, including last summer, been used to exploit Windows 10 computers remotely. Last Summer again!!!!

And two defects on All macs and iOS including one in May and a 0-day revealed today July 21 2021, AFTER catbox.moe 12 hour mystery outtage and then mysteriously started sending malformed webP.

JPG and PNG have had almost no remote exploits since 2012, unlike the deep state spooks exploiting WebP.

I have no doubt WebP has more unrevealed CIA zer0-days in it.

August 2020 : Microsoft Windows WebP Image Extention RCE (August 2020) : https://www.tenable.com/plugins/nessus/140596

If you had your browser set to broadcast lack of support for WebP shit, you were safe all through 2020.

July 21 2021? Yep more exploitable defects for macintosh too :

https://vulners.com/zdi/ZDI-21-893

That revelation from anonymous on July 22 2021 , half a day ago, is UNPATCHED ON ALL MACS using latest safari !!!!

And its already been leveraged by CIA/FBI/MOSSAD all last month.

In May 2021 another defect on Macs : "ZDI-21-598" discovered suing fuzzing tools that repair internal checksums after fuzz.

https://en.wikipedia.org/wiki/Fuzzing

And its only known on this site here, and wherever I deem worthy to warn cyber-punks like vulners.com

Servers swapping byte streams from jpg to mystery files is dangerous... it is how .exe files, .pdf zero days, and similar payloads can get delivered into target machines.

The CIA/FBI has no doubt COUNTLESS remote exploit zero-day ways to hack citizens using the mammoth over-engineered JPEG XR file container : https://en.wikipedia.org/wiki/JPEG_XR but to get a target suspect to open and decode a JPEG XR requires them to be tricked into accepting a WebP (https://en.wikipedia.org/wiki/WebP)

In my Firefox I have set all thee spots to force unacceptance of Webp shit files :

In my Firefox I have set all thee spots to force unacceptance of Webp shit files :

about:config, remove "image/webp," from image.http.accept

in about:config remove "image/webp," from network.http.accept.default.

third step (most drastic) :

also in about:config set "FALSE" image.webp.enabled

"silent image swap to WebP" was a foolish feature of saving bytes on Reddit.com, but webp and its DRM nonsense and user tracking salted internal data, needs to be banned.

Normally in 2021 , image.webp.enabled is set True for kikery, and normally in 2021 image.http.accept and network.http.accept.default allow this abomination.

Catbox seemingly honored that until very recently, today, also coinciding with zer0 day today revelation for all newest Apple devices.

4

Comments

You must log in or register to comment.

Wahaha said ()

I don't even have image.http.accept and network.http.accept.default in my about:config for FF90.

4

smartypants OP said () (edited )

no time to go through all solutions, but this plugin from 12 months ago should do the trick at a perfect brute force way, but I dont know if a bad actor can use browser fingerprint to shove it in anyway.

https://addons.mozilla.org/en-US/firefox/addon/dont-accept-webp/

This extension monitors and edits request headers using the onBeforeSendHeaders API

TRY THAT PLUGIN.

If it works, vile web sites like youtube should show blank white squares for video previews.

many http web development tools including free ones, can do ANYTHING with any data sent or received from firefox and have persistent scripts. "ModHeader" is one fun one.

2

Wahaha said () (edited )

I'm already using that one for a long time, since webp generally sucks. But it only works if there's a choice between webp and jpg, if there is no choice, I'll get to see webp.

2

TallestSkil said ()

HAHAHAHAHAHHAHAHHAHAHAHA imagine trusting webp, a bullshit “standard” created by Google.

4

smartypants OP said () (edited )

Its worse, and you are right, as always, because on ConPro hours ago a NEW Feb 2022 WebP zero day unpatched on 60% of all Apple users showed up :

https://consumeproduct.win/p/142BTB1ZSP/fuck-around-and-find-out-shitbul/c/

So the new owners of scored.co (formerly .win) are now exhibiting their funding links more and their glowie tendencies on ConPro links march 21 2022.

This is all so tiring.

https://www.kaspersky.com/blog/webkit-vulnerability-cve-2022-22620/43650/

2