A researcher has released details of a WhatsApp remote code execution (RCE) flaw that could, it is claimed, be used to compromise not only the app but the mobile device the app is running on.
Reported to Facebook some weeks ago by a researcher known as ‘Awakened’, the critical issue (CVE-2019-11932) affects the Android version of the app on Android 8.1 and 9.0, though apparently not on Android 8.0 (Apple’s iOS doesn’t appear to be affected).
It’s described as a double-free memory vulnerability in a WhatsApp image preview library called libpl_droidsonroids_gif.so, and some aspects of how it might execute remain unclear.
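To show what a double free in a frame-decoding library looks like in practice, here is an added C example. It is not code from this page, from Awakened’s write-up, or from libpl_droidsonroids_gif; the stream format, the GifInfo/Frame structures and the function names are hypothetical, and a small pointer tracker stands in for what the allocator or ASan would catch so the program runs safely instead of corrupting its own heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tiny ownership tracker (for this demo only): records live heap pointers so
 * that a second free of the same pointer is counted rather than handed to
 * free(), which would corrupt the heap or abort the process. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];
static int double_frees;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n ? n : 1);
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == NULL) { live[i] = p; return p; }
    }
    free(p);
    return NULL;                      /* tracker full: treat as allocation failure */
}

static void tracked_free(void *p) {
    if (p == NULL) return;            /* free(NULL) is harmless; so is ours */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    }
    double_frees++;                   /* pointer is not live: this is a double free */
}

/* Hypothetical decoder state: a list of decoded frames, each owning a buffer. */
#define MAX_FRAMES 8
typedef struct { unsigned char *pixels; size_t size; } Frame;
typedef struct { Frame frames[MAX_FRAMES]; size_t count; } GifInfo;

/* Bug pattern: "rewind" releases the frame buffers but leaves the stale
 * pointers and the frame count behind, so the final teardown frees them again. */
static void rewind_vulnerable(GifInfo *g) {
    for (size_t i = 0; i < g->count; i++)
        tracked_free(g->frames[i].pixels);
}

/* Fix: release, clear the pointer and reset the count so that no stale
 * reference survives to be freed (or used) a second time. */
static void rewind_hardened(GifInfo *g) {
    for (size_t i = 0; i < g->count; i++) {
        tracked_free(g->frames[i].pixels);
        g->frames[i].pixels = NULL;
        g->frames[i].size = 0;
    }
    g->count = 0;
}

static void destroy(GifInfo *g) {
    for (size_t i = 0; i < g->count; i++) {
        tracked_free(g->frames[i].pixels);
        g->frames[i].pixels = NULL;
    }
    g->count = 0;
}

/* Constructed stream format (not real GIF): 'F' len <len bytes> adds a frame,
 * 'R' rewinds, anything else ends the stream. Returns how many double frees
 * the tracker caught while decoding with the given rewind implementation. */
static int decode(const unsigned char *buf, size_t len, void (*rewind_fn)(GifInfo *)) {
    GifInfo g;
    memset(&g, 0, sizeof g);
    int before = double_frees;
    size_t i = 0;
    while (i < len) {
        unsigned char op = buf[i++];
        if (op == 'F' && i < len && g.count < MAX_FRAMES) {
            size_t n = buf[i++];
            if (i + n > len) break;        /* truncated frame: stop decoding */
            Frame *f = &g.frames[g.count];
            f->pixels = tracked_malloc(n);
            if (f->pixels == NULL) break;
            memcpy(f->pixels, buf + i, n);
            f->size = n;
            g.count++;
            i += n;
        } else if (op == 'R') {
            rewind_fn(&g);
        } else {
            break;
        }
    }
    destroy(&g);
    return double_frees - before;
}

/* Constructed sample: two frames, a rewind, then one more frame. With the
 * vulnerable rewind, two stale pointers survive for destroy() to free again. */
static const unsigned char SAMPLE[] = { 'F',1,'a', 'F',1,'b', 'R', 'F',1,'c', 'X' };

int main(void) {
    printf("vulnerable rewind: %d double free(s)\n", decode(SAMPLE, sizeof SAMPLE, rewind_vulnerable));
    printf("hardened rewind:   %d double free(s)\n", decode(SAMPLE, sizeof SAMPLE, rewind_hardened));
    return 0;
}
```

Note what the third frame in the sample does: the allocator may hand it the chunk that one of the stale pointers still refers to, so the old and new frames alias the same memory. That aliasing, rather than the crash, is what turns a double free into a memory-corruption primitive an attacker can build on; actually getting code execution out of it on a current Android still needs a way past ASLR.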
The researcher says an attack would start with the attacker sending a malicious GIF image by any channel: email, a rival messaging app, or WhatsApp itself.
If WhatsApp is used, and the attacker (or a hapless intermediary) is in the recipient’s contacts list, the GIF would apparently download to the device automatically.
Execution would then happen when the recipient opens the WhatsApp Gallery, even if no file is selected or sent. Writes Awakened:
Since WhatsApp shows previews of every media (including the GIF file received), it will trigger the double-free bug and our RCE exploit.
To back this up, Awakened has released a video showing the sequence of events running on WhatsApp v2.19.203.
This shows the exploit giving an attacker full reverse shell with root and complete access to all the files on that device, its SD Card, and what appears to be the WhatsApp message database.
As mobile vulnerabilities go, this one looks like the keys to the castle. TNW’s report quotes someone from Facebook as responding:
It was reported and quickly addressed last month. We have no reason to believe this affected any users though of course we are always working to provide the latest security features to our users.
The company has also claimed that the exploit requires the user to have sent a malicious GIF themselves, something Awakened disputes. Having studied the video proof of concept, it looks more likely that Awakened is correct.
Time to worry?
Assuming users running affected Android versions have updated recently – this should happen automatically via the Play Store – the answer is no.
The WhatsApp version that patched the bug is 2.19.244, which appeared in early September.
More bothersome is that such a thing is possible at all. App exploits that give attackers control over a mobile device aren’t exactly thick on the ground, even if WhatsApp itself has suffered the odd security flaw in recent times.
These include May’s report of a zero-day vulnerability that an “advanced cyber actor” had been exploiting to spy on a select group of WhatsApp users.
An even better fit might be a flaw discovered in October 2018 by Google that could have been used to compromise a user’s Android or iPhone device simply by getting them to answer a call.
Many of WhatsApp’s 1.5 billion users choose the software for its privacy and security. These flaws are a reminder that the feature list doesn’t include invulnerability.
Pete
The premise is not to trust any software. Maybe that is prudence.
Lohmar ASHAR
“This shows the exploit giving an attacker full reverse shell with root and complete access to all the files on that device”… what the… Can they even do that if the device is not already rooted? And even so, usually you get a prompt to allow the permission… If so I’d be interested in how it works… Could save me the hassle of flashing twrp and the root solution every time… :)
Paul Ducklin
Apparently not. In fact, the exploit discussed in the blog post linked to above is not enough to produce a remote shell at all – you need to compile the proof-of-concept code with a known, run-time memory address in order to avoid getting blocked by ASLR.
AFAICS, to make the exploit work ‘in the wild’ you would need to rewrite it to include another vulnerability of your own devising to compute the necessary memory address. As noted in the exploit article: “the address of system() and the gadget must be replaced by the actual address found by an information disclosure vulnerability (which is not covered in this blog post)”.
As for a root shell, the blog post says that the reported exploit, when provided with the right address for the system() command, “will trigger a remote shell in WhatsApp context”. From this I infer that you will not get root by default.
John E Dunn
Reading again, I misinterpreted what was being said. You’re right, an attacker meeting all the stated conditions will gain access to the WhatsApp database but not root for the device.