WingNews logo WingNews GitHub [2]
top | item 35249971

Windows Snipping Tool is vulnerable to Acropalypse too

315 points| tambourine_man | 3 years ago |twitter.com

140 comments

order
[+] whoopdedo|3 years ago|reply
This reminds me of the early binary DOC file format that was essentially a dump of Word's working memory. You could find all sorts of leaked data in the slack space between text chunks. Sometimes from other processes since `malloc` doesn't zero memory. I think there were a few instances of people being caught doing bad things because of identifying information in a Word DOC.

But why is this even happening? The standard procedure to overwrite a file is to save to a temporary file first so an error that occurs during the write won't damage the existing file. Are they really doing an in-place write and how does that affect the shadow copy if you wanted to restore the previous version of the file?

[+] int_19h|3 years ago|reply
The old .doc format was never "a dump of Word's working memory", implying copy of raw bytes. It's rather Word's internal object graph serialized into COM Structured Storage (https://en.wikipedia.org/wiki/COM_Structured_Storage), which is basically a FAT-like filesystem inside a single file. This is convenient for the app because it gets an FS-like API and can serialize data into as many "files" as is convenient, and dynamically update data inside without overwriting the entire container file every time (which, back when this all was designed in late 80s - early 90s, would be slow).

Thus the reason why you could end up with old bits of a Word document sticking around inside the .doc is the same as to why your FS has bits of deleted files: the space has been marked as free, and nothing else overwrote it yet.

But none of this applies to images, so the explanation here ought to be different.

[+] Retr0id|3 years ago|reply
It feels like a lot of "things everyone knows" are slowly getting lost over time, as developers work at higher and higher levels of abstraction without deep knowledge of the layers beneath them (which is of course the whole point of abstractions, but they're never perfect)

Being a true "full stack" engineer is a superpower when it comes to performance optimisation, or vulnerability research.

[+] iggldiggl|3 years ago|reply
> The standard procedure to overwrite a file is to save to a temporary file first

… which on the other hand has the annoying side effect of wrecking hard links.

[+] thrashh|3 years ago|reply
It sounds like someone wrote fopen(name, “r+”) instead of fopen(name, “w”)

I don’t think writing to a separate file is standard procedure at all. Way more apps don’t do that than do from my anecdotal memories.

[+] david2ndaccount|3 years ago|reply
rename is not atomic on win32. That’s a posix-ism.
[+] fwlr|3 years ago|reply
So, Acropalypse is “people use image snipping and markup tools to redact images, but those tools often allow the unredacted images to be recovered”? Yeah, that’s a pretty big violation of the implicit expectations of users.
[+] Retr0id|3 years ago|reply
To be more specific "acropalypse" refers to any image editor which does not truncate the original file before overwriting it with the edited version, leading to portions of the original being recoverable by an adversary.

It originally referred to a specific vulnerability in the Markup app found on Google Pixel devices (CVE-2023-21036), but apparently now includes other unrelated apps.

Source: It was me who came up with the name :)

[+] Retr0id|3 years ago|reply
If you don't want to just take my word for it, there's some 3rd party confirmation and further analysis in this thread https://twitter.com/wdormann/status/1638235267919233024

I'll have a windows-compatible PoC up at some point, might wait a little bit just to mitigate the 0day-ness heh

[+] nashashmi|3 years ago|reply
Not able to reproduce this. I’m not sure if anything remains after the iend. But the file size does become smaller. I have windows 10.

Edit: tried this with snip and sketch. Also tried it with snipping tool. Fwiw, the latter results in a smaller file size.

[+] kdrag0n|3 years ago|reply
Aside from looking at the file size, you can check any PNG image with pngcheck [1]:

     pngcheck good.png
    OK: good.png (467x389, 32-bit RGB+alpha, non-interlaced, 88.2%).
Compared to a vulnerable image:

     pngcheck bad.png
    bad.png  additional data after IEND chunk
    ERROR: bad.png
macOS Preview, Quick Look, and CleanShot X are safe.

[1] https://www.libpng.org/pub/png/apps/pngcheck.html, available in Homebrew

[+] world2vec|3 years ago|reply
This is beyond scary. I have no idea how my screenshots I took and cropped with Snipping Tool and send to someone: at work, at home, across multiple machines and accounts.
[+] easrng|3 years ago|reply
Keep in mind this only applies if you took the screenshot, saved, cropped it, and then saved again to the same file.
[+] basch|3 years ago|reply
My stubbornness to relearn and move away from “printscreen+winkey+r+mspaint+enter+select+Ctenophora+c” pays off. I don’t know what it is about snipping tools (and I use sharex too” but I always find myself going back to paint, as the tools feel like they get in the way.
[+] gsich|3 years ago|reply
Snip & Sketch, not the oldstyle Snipping Tool.
[+] pdntspa|3 years ago|reply
Unbelievable, I can't understand how people haven't noticed that. "Wow I crop an image and it doesnt get smaller WTF???"

Man if I ran Windows 11 to think I might be the one who stumbled on this 0-day first....

[+] malka|3 years ago|reply
Most of the time theses images don't end up in the file system. They are going to the clipboard and then copied to a chat or imgur
[+] rs999gti|3 years ago|reply
> Unbelievable, I can't understand how people haven't noticed that. "Wow I crop an image and it doesnt get smaller WTF???"

Most people are not super techie computer users.

[+] escapecharacter|3 years ago|reply
Compression ratios vary between different tools, I wouldn’t expect an image file size to scale at all smoothly with its resolution
[+] ben0x539|3 years ago|reply
(As a non web-dev, maybe, )I don't think I've cared about the file size of cropped images in the past couple years. When I crop stuff it's because I want to send it to someone, not because I'm gonna archive it or anything.
[+] kuroguro|3 years ago|reply
For android it was a backwards incompatible, undocumented API change [0]. For windows it just looks like the UWP API is complicated enough that you can footgun yourself. For ex OpenAsync+DataWriter would do it as the default behavior [1].

[0] https://issuetracker.google.com/issues/180526528

[1] https://stackoverflow.com/questions/35842374/how-can-i-overw...

[+] xign|3 years ago|reply
I would believe it… UWP APIs can be really complicated and over-designed sometimes.
[+] windows2020|3 years ago|reply
This does not apply to the original Snipping Tool (the one that's 'moving...').

New iterations of classic Snipping Tool require more clicks and the implementation is worse too.

[+] marak830|3 years ago|reply
That summerises almost every update on windows 11 doesn't it?

Their image tool that we were using for video snippet is a lot worse. Hell right click context menu requires more work.

Don't get me started on minimum window sizes for some default apps.

[+] lazerl0rd|3 years ago|reply
Snipping Tool used to have this "feature" whereby any drawing performed on a screenshot would be animated as an overlay (this was only visible in the UWP Photos app at the time). Funnily enough, that's the first thing that came to mind when I heard of Acropalypse.
[+] alex7734|3 years ago|reply
You need to take a screenshot, save it, crop it and then resave over the same file.

I mean it's bad, but... who does that?

EDIT: It also happens if you take a completely different screenshot and just save over (overwrite) another (bigger) image. That's worse, but still not that common IMHO.

[+] 323|3 years ago|reply
> who does that?

Programmers do it all day ... with text files.

Would you say the same thing if when you deleted some code it would actually still be there at the end of the file, after two pages of spaces?

When you delete something and save it in a "final" format (like a PNG), you expect nothing which was deleted to be there.

[+] pavon|3 years ago|reply
It is extremely common for me to realize I don't like the screenshot I took, and to save the replacement over the original file. It is pretty common for me to be more selective about what is in the replacement, and hence for it to be smaller than the original triggering this bug.
[+] Retr0id|3 years ago|reply
It's a relatively uncommon scenario, granted, but when you multiply those odds by the number of screenshots that get shared on a daily basis, it's pretty bad imho.
[+] olliej|3 years ago|reply
I would say that's the common case?

1. Take screenshot

2. Open screenshot

3. Edit screenshot

4. Save screenshot

I don't think that "Save As..." the common case.

[+] HALtheWise|3 years ago|reply
This would have been avoided if the PNG format (or at least one commonly used editor) required that the data filled the whole file, or rendered extra junk when there was extra data at the end.
[+] layer8|3 years ago|reply
Or, like PDF, require the file to be interpreted starting from the end.
[+] TrianguloY|3 years ago|reply
My workflow is to press the PrintScreen -> snip&sketch opens -> draw a rectangle (two corners) -> paste where necessary.

Or alternatively press the notification -> draw something -> control+c -> close then paste.

I rarely save as file, no need, but I guess I've sometimes do it so I need to be careful.

[+] Hansenq|3 years ago|reply
Is Mac's Preview app susceptible to this bug too? Right now it seems only confirmed for Pixel phones and Windows Snipping Tool, but I use Preview and I haven't seen anyone confirm or deny it for that one.
[+] Retr0id|3 years ago|reply
I've heard multiple people say Preview (and the macos screenshot tools) are safe.
[+] recursive|3 years ago|reply
What's this about? I just tried the repro (Snip, save, crop, save). Nothing obvious was amiss. The file looks ok. What's the vulnerability here?
[+] legrande|3 years ago|reply
Got sent a few .PSDs (Photoshop format) and there was some artifacts which looked like they weren't intended for the recipient. Of course, this is part of the .PSD format and not a privacy issue per se. Just be careful sending .PSDs in an e-mail with stuff in them you don't want the recipient to see.
[+] SAI_Peregrinus|3 years ago|reply
Photoshop has a checkbox to "delete cropped pixels", if unchecked using the crop tool again will show the entire original image. It also stores an undo history, so even with "delete cropped pixels" you can just undo the crop.
[+] ffhhj|3 years ago|reply
Wait until they find that censored parts of an image can be restored by AI.
[+] rldjbpin|3 years ago|reply
another plus for sticking with windows 10. although not as intuitive, the old snipping tool, the screenshot only captures that area you selected.

i will let someone test the same technique on those cases but empirically i've had screenshots as little as a couple KB this way.

[+] gjsman-1000|3 years ago|reply
Like he says on Twitter - was this deliberate? Doesn't seem like it yet, and there's no proof of it, but it's pretty scary. There's excellent plausible deniability, and the law enforcement benefits could be substantial.
[+] Syonyk|3 years ago|reply
I was just about to ask, "Is this still coincidence, or have we jumped straight to enemy action?"

That two different tools fail in the same, "surface level invisible" but mighty convenient, and "Whoopsie, file operations are hard!" way... raises some interesting questions.

Mostly, "What else of this nature is present in all our modern operating systems?" Because this sort of failure sure looks an awful lot like the "Underhanded C" contest from 2008: http://www.underhanded-c.org/_page_id_17.html Redact an image, while leaking a lot of information in the process to someone who "knows the trick."

> This is an excellent example of the contest’s philosophy: make the code extremely simple, innocent, obvious, and wrong.