Watch out! A new vulnerability in WhatsApp for Android allows attackers to execute remote commands on devices

Security researcher Awakened has identified a vulnerability in the Android version of the WhatsApp messaging app that could allow attackers to achieve remote code execution (with privilege elevation) on victims' devices.

Exploiting the flaw, however, is a rather complicated affair: it involves a malicious actor sending a forged GIF file to the victim in a WhatsApp message (or over any other channel).
After the victim has downloaded the GIF file onto their device, the second step of the attack happens when they open the WhatsApp Gallery in order to send a media file to another WhatsApp user.

Now, since WhatsApp shows previews of every media file in the Gallery (including the file just received), the malicious GIF is parsed and triggers the RCE exploit.

Here is a brief video of the attack technique:

0:16 The attacker sends the GIF file to the user via any channel
– One of them could be as a Document via WhatsApp (i.e. pressing the Paper Clip button and choosing Document to send the corrupted GIF)
– If the attacker is in the user's contact list (i.e. a friend), the corrupted GIF is downloaded automatically without any user interaction.

0:24 The user wants to send a media file to any of his/her WhatsApp friends, so the user presses the Paper Clip button and opens the WhatsApp Gallery to choose a media file to send.
– Note that the user does not have to send anything, because just opening the WhatsApp Gallery triggers the bug. No additional touch after opening the WhatsApp Gallery is necessary.

0:30 Since WhatsApp shows previews of every media file (including the GIF file received), this triggers the double-free bug and our RCE exploit.

The vulnerability

A double free (this one is tracked as CVE-2019-11932) occurs when the same heap allocation is passed to free() twice. In the simplest case this only corrupts the allocator's bookkeeping and crashes the app; if the attacker controls what gets allocated in between the two frees, the corrupted state can be used to redirect later allocations and turn the crash into code execution.

In this case, when the user opens the gallery from WhatsApp in order to view or send a media file, WhatsApp parses each GIF with a native open-source GIF-decoding library to generate its preview:

A GIF file contains multiple encoded frames.
To store the decoded frames, a buffer named rasterBits is used. If all frames have the same size, rasterBits is reused to store the decoded frames without re-allocation.
However, rasterBits is re-allocated if one of the three conditions below is met:
– width * height > originalWidth * originalHeight
– width – originalWidth > 0
– height – originalHeight > 0

Re-allocation is a combination of free and malloc: the old rasterBits buffer is released and a new one is allocated for the frame. Because the frame dimensions that drive this path come straight from the file, an attacker can craft a sequence of frames that makes the decoder free the same buffer twice, which is the double free described above.
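As an added example (not code from this page, from Awakened's analysis or from WhatsApp's GIF library), the C program below walks a GIF's image descriptors, applies the three re-allocation conditions listed above to each frame's size, and performs the free+malloc step in a form that cannot double free: the pointer is cleared the moment the block is released, and a zero-sized frame leaves it NULL instead of dangling. The names GifInfo, rasterBits, originalWidth and originalHeight follow the page; treating originalWidth/originalHeight as the dimensions the buffer was last allocated for, the builder of the sample GIF bytes, and the demo_* functions are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Decoder state modelled on the page's description. Assumption (not stated on
 * the page): originalWidth/originalHeight are the size rasterBits was last
 * allocated for. reallocs counts frames after the first that took the
 * free+malloc path. */
typedef struct {
    uint8_t *rasterBits;
    uint32_t originalWidth, originalHeight;
    int reallocs;
} GifInfo;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The page's three conditions. "width - originalWidth > 0" is written as a
 * comparison so it cannot wrap around if the operands are unsigned. */
static int needs_realloc(const GifInfo *g, uint32_t w, uint32_t h) {
    return (uint64_t)w * h > (uint64_t)g->originalWidth * g->originalHeight
        || w > g->originalWidth || h > g->originalHeight;
}

/* free + malloc without a stale pointer: rasterBits is cleared before anything
 * can fail, so a later free() cannot hit the same block twice. -1 = no memory. */
static int replace_raster_bits(GifInfo *g, uint32_t w, uint32_t h) {
    free(g->rasterBits);
    g->rasterBits = NULL;
    g->originalWidth = g->originalHeight = 0;
    size_t n = (size_t)w * h;
    if (n == 0) return 0;                       /* empty frame: nothing to decode into */
    if ((g->rasterBits = malloc(n)) == NULL) return -1;
    g->originalWidth = w;
    g->originalHeight = h;
    return 0;
}

/* GIF data sub-blocks: a length byte followed by that many bytes, 0 ends them. */
static int skip_subblocks(const uint8_t *buf, size_t len, size_t *pos) {
    for (;;) {
        if (*pos >= len) return -1;
        uint8_t n = buf[(*pos)++];
        if (n == 0) return 0;
        if (*pos + n > len) return -1;
        *pos += n;
    }
}

/* Walks header, logical screen descriptor, colour tables, extensions and image
 * descriptors, feeding each frame's size to the buffer logic. Returns the frame
 * count, or -1 for malformed or truncated input. */
static int walk_gif(const uint8_t *buf, size_t len, GifInfo *g) {
    size_t pos = 13;                                          /* "GIF89a" + 7-byte LSD */
    int frames = 0;
    if (len < pos || memcmp(buf, "GIF8", 4) != 0) return -1;
    if (buf[10] & 0x80) pos += 3u << ((buf[10] & 7) + 1);   /* global colour table */
    while (pos < len) {
        uint8_t id = buf[pos++];
        if (id == 0x3B) return frames;                        /* trailer */
        if (id == 0x21) {                                     /* extension: label + sub-blocks */
            if (pos++ >= len) return -1;
        } else if (id == 0x2C) {                              /* image descriptor */
            if (pos + 9 > len) return -1;
            uint32_t w = le16(buf + pos + 4), h = le16(buf + pos + 6);
            uint8_t packed = buf[pos + 8];
            pos += 9;
            if (packed & 0x80) pos += 3u << ((packed & 7) + 1);  /* local colour table */
            if (pos++ >= len) return -1;                      /* LZW minimum code size */
            if (g->rasterBits == NULL || needs_realloc(g, w, h)) {
                if (frames > 0) g->reallocs++;
                if (replace_raster_bits(g, w, h) != 0) return -1;
            }
            frames++;
        } else {
            return -1;
        }
        if (skip_subblocks(buf, len, &pos) != 0) return -1;
    }
    return -1;                                                /* no trailer: truncated */
}

/* Constructed input (not a real sample): GIF89a, 4x4 screen, no colour tables,
 * one image descriptor per requested frame size, each with a 1-byte sub-block. */
static size_t build_gif(uint8_t *out, const uint16_t sizes[][2], int n) {
    size_t p = 13;
    memcpy(out, "GIF89a\x04\x00\x04\x00\x00\x00\x00", 13);
    for (int i = 0; i < n; i++) {
        const uint8_t desc[14] = {0x2C, 0, 0, 0, 0,
            (uint8_t)(sizes[i][0] & 0xFF), (uint8_t)(sizes[i][0] >> 8),
            (uint8_t)(sizes[i][1] & 0xFF), (uint8_t)(sizes[i][1] >> 8),
            0, 2, 1, 0x44, 0};          /* packed, LZW min code, sub-block, terminator */
        memcpy(out + p, desc, 14);
        p += 14;
    }
    out[p++] = 0x3B;
    return p;
}

/* Returns how many frames after the first took the re-allocation path, -1 if rejected. */
static int count_reallocs(const uint16_t sizes[][2], int n, size_t truncate_by) {
    uint8_t buf[256];
    GifInfo g = {0};
    size_t len = build_gif(buf, sizes, n);
    int frames = walk_gif(buf, len - truncate_by, &g);
    free(g.rasterBits);
    return frames < 0 ? -1 : g.reallocs;
}

/* 4x4, 4x4 (reused), 2x8 (height grows), 8x2 (width grows), 8x2 (reused): 2. */
int demo_growing_frames(void) {
    const uint16_t s[][2] = {{4, 4}, {4, 4}, {2, 8}, {8, 2}, {8, 2}};
    return count_reallocs(s, 5, 0);
}
/* A 0x0 frame satisfies none of the three conditions, so the buffer is kept: 0. */
int demo_empty_frame(void) {
    const uint16_t s[][2] = {{4, 4}, {0, 0}, {4, 4}};
    return count_reallocs(s, 3, 0);
}
/* A file cut off inside its image descriptor is rejected, not read past its end: -1. */
int demo_truncated(void) {
    const uint16_t s[][2] = {{4, 4}};
    return count_reallocs(s, 1, 6);
}
```

Running the walker over a suspicious GIF tells you whether any frame would send a decoder built this way down the free+malloc path at all; the width*height product is computed in 64 bits and the two size tests are plain comparisons, so neither a huge nor a zero-sized frame can wrap the arithmetic or leave a freed pointer behind.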

Once the vulnerability is exploited, the attacker obtains remote code execution together with privilege escalation: a crafted GIF file can therefore run malicious commands on the device.

For more technical details, please refer to Awakened's analysis.

Is there a fix?

According to Awakened’s research:

I informed Facebook of this. Facebook acknowledged it and patched it officially in WhatsApp version 2.19.244. Facebook helped to reserve CVE-2019-11932 for this issue.

WhatsApp users, please update to the latest WhatsApp version (2.19.244 or above) to stay safe from this bug.

