NEW BUG ON WHATSAPP BASED ON MP4 VIDEOS FLAWS

A new bug in WhatsApp, caused by a flaw in MP4 video parsing, has been disclosed by Facebook. The vulnerability could lead to denial of service or remote code execution. Facebook has revealed the existence of a serious vulnerability in the WhatsApp messaging software that could result in remote code execution attacks. Last week, the tech giant said in a security advisory that the WhatsApp bug, tracked as CVE-2019-11931, is a stack-based buffer overflow that can be triggered by attackers sending .MP4 video files to victims.

Description

A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100.

Although few technical details are available, Facebook has described the problem as being caused by the way the application parses MP4 elementary stream metadata. If exploited, the vulnerability can lead to denial of service (DoS) or remote code execution (RCE).


PROOF OF CONCEPT

In October, a cybersecurity researcher known as Awakened disclosed a double-free vulnerability, CVE-2019-11932, that could be used in attacks to compromise chat sessions, files, and messages. This double-free vulnerability in the DDGifSlurp function in decoding.c in libpl_droidsonroids_gif before 1.2.15, as used in WhatsApp for Android before 2.19.244, allows remote attackers to execute arbitrary code or cause a denial of service.

When a WhatsApp user opens the Gallery view in WhatsApp to send a media file, WhatsApp parses it with a native library called libpl_droidsonroids_gif.so to generate the preview of the GIF file. libpl_droidsonroids_gif.so is an open-source library whose source code is available on GitHub.

A GIF file contains multiple encoded frames. To store the decoded frames, a buffer named rasterBits is used. If all frames have the same size, rasterBits is reused to store the decoded frames without re-allocation. However, rasterBits is re-allocated if one of the three conditions below is met:

  • Width * Height > originalWidth * originalHeight
  • Width - originalWidth > 0
  • Height - originalHeight > 0

Re-allocation is a combination of free and malloc. If the size of the re-allocation is 0, it is simply a free. Let's say we have a GIF file that contains 3 frames with sizes of 100, 0 and 0.

  • After the first re-allocation, we have info->rasterBits buffer of size 100.
  • In the second re-allocation of 0, info->rasterBits buffer is freed.
  • In the third re-allocation of 0, info->rasterBits is freed again.

This results in a double-free vulnerability. The triggering location can be found in decoding.c:

int_fast32_t widthOverflow = gifFilePtr->Image.Width - info->originalWidth;
int_fast32_t heightOverflow = gifFilePtr->Image.Height - info->originalHeight;
const uint_fast32_t newRasterSize =
        gifFilePtr->Image.Width * gifFilePtr->Image.Height;
/* Any of the three conditions forces a re-allocation, even when newRasterSize is 0 */
if (newRasterSize > info->rasterSize || widthOverflow > 0 ||
    heightOverflow > 0) {
    void *tmpRasterBits = reallocarray(info->rasterBits, newRasterSize,
                                       sizeof(GifPixelType));
    if (tmpRasterBits == NULL) {
        /* A zero-sized reallocarray() frees the block and returns NULL; that NULL is
           treated as out-of-memory here and info->rasterBits keeps the freed pointer,
           so the next zero-sized frame frees it again */
        gifFilePtr->Error = D_GIF_ERR_NOT_ENOUGH_MEM;
        break;
    }
    info->rasterBits = tmpRasterBits;
    info->rasterSize = newRasterSize;
}
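To make the three-frame sequence (100, 0, 0) and the snippet above concrete, the following C program is an added example written for this article; it is not code from libpl_droidsonroids_gif or from Awakened's write-up. It models the decoder state with a small Decoder struct, replaces reallocarray() with a stand-in (model_reallocarray) that has the realloc(p, 0)-frees-and-returns-NULL behaviour the write-up relies on, and counts a second release of the same block instead of actually calling free() twice. The hardened_frame() variant is this example's own validation, not the library's real fix: it refuses zero-sized frames and frames larger than the logical screen before any buffer management runs. The frame dimensions (logical screen 10x10; frames 10x10, 20x0, 20x0) are constructed values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the decoder state used by the snippet above. The
   freed/doubleFrees/rejected fields are simulation bookkeeping only; they
   are not fields of the real library. */
typedef struct {
    unsigned char *rasterBits;
    size_t rasterSize;
    size_t originalWidth, originalHeight; /* logical screen size from the GIF header */
    int freed;        /* 1 once rasterBits points at memory that was already released */
    int doubleFrees;  /* how many times the code tried to release that memory again */
    int rejected;     /* frames refused by the hardened validation */
} Decoder;

/* Stand-in for reallocarray(): a zero-sized request releases the block and
   returns NULL. A second operation on an already released block is counted
   rather than performed, because a real double free is undefined behaviour. */
static void *model_reallocarray(Decoder *d, size_t count, size_t elem) {
    if (d->rasterBits != NULL && d->freed) {
        d->doubleFrees++;
        return NULL;
    }
    if (count == 0 || elem == 0) {
        d->freed = (d->rasterBits != NULL);
        free(d->rasterBits);
        return NULL;
    }
    if (count > SIZE_MAX / elem) return NULL;  /* multiplication overflow */
    return realloc(d->rasterBits, count * elem);
}

/* One frame handled exactly the way the vulnerable snippet handles it. */
static void vulnerable_frame(Decoder *d, size_t width, size_t height) {
    ptrdiff_t widthOverflow  = (ptrdiff_t)width  - (ptrdiff_t)d->originalWidth;
    ptrdiff_t heightOverflow = (ptrdiff_t)height - (ptrdiff_t)d->originalHeight;
    size_t newRasterSize = width * height;
    if (newRasterSize > d->rasterSize || widthOverflow > 0 || heightOverflow > 0) {
        void *tmp = model_reallocarray(d, newRasterSize, 1);
        if (tmp == NULL) {
            /* Mirrors the D_GIF_ERR_NOT_ENOUGH_MEM path: the NULL is read as
               out-of-memory and rasterBits keeps its now dangling value. */
            return;
        }
        d->rasterBits = tmp;
        d->rasterSize = newRasterSize;
    }
}

/* Hardened variant (this example's own check, not the library's actual fix):
   reject a frame with a zero dimension or one that exceeds the logical screen
   before touching the buffer, so reallocarray() never sees a zero size. */
static int hardened_frame(Decoder *d, size_t width, size_t height) {
    if (width == 0 || height == 0 ||
        width > d->originalWidth || height > d->originalHeight) {
        d->rejected++;
        return -1;
    }
    size_t newRasterSize = width * height;
    if (newRasterSize > d->rasterSize) {
        void *tmp = model_reallocarray(d, newRasterSize, 1);
        if (tmp == NULL) return -1;  /* genuine OOM: the old block is still valid */
        d->rasterBits = tmp;
        d->rasterSize = newRasterSize;
    }
    return 0;
}

/* Run the write-up's three-frame sequence: logical screen 10x10, frames of
   10x10, 20x0 and 20x0, i.e. raster sizes 100, 0 and 0 (constructed input). */
static Decoder simulate(int hardened) {
    Decoder d = {0};
    d.originalWidth = 10;
    d.originalHeight = 10;
    const size_t frames[3][2] = {{10, 10}, {20, 0}, {20, 0}};
    for (int i = 0; i < 3; i++) {
        if (hardened) hardened_frame(&d, frames[i][0], frames[i][1]);
        else vulnerable_frame(&d, frames[i][0], frames[i][1]);
    }
    if (!d.freed) free(d.rasterBits);  /* release whatever is still live */
    d.rasterBits = NULL;
    return d;
}

int main(void) {
    Decoder v = simulate(0), h = simulate(1);
    printf("vulnerable: double frees = %d\n", v.doubleFrees);
    printf("hardened:   double frees = %d, frames rejected = %d\n",
           h.doubleFrees, h.rejected);
    return 0;
}
```

The vulnerable run reports one double free: frame 2 releases the 100-byte block through the zero-sized request, the NULL return is mistaken for out-of-memory so the pointer is kept, and frame 3 releases it again. The hardened run rejects both zero-height frames and never frees mid-stream.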

Another set of interesting vulnerabilities in the messaging application was revealed by Check Point a month ago. The set of bugs "could allow threat actors to intercept and manipulate messages sent in private and group conversations," the researchers said, and could be weaponized to exploit the group "quote" function, replies, and private messages. More information about the GIF vulnerability can be found in the proof-of-concept article written by Awakened.


A NECESSARY UPDATE

Users are advised to update their software to mitigate the risk of exploitation. However, there do not appear to be any reports of the vulnerability being actively exploited in the wild. "WhatsApp is constantly working to improve the security of our service," said a Facebook spokesman. "We publish public reports on potential issues that we have resolved, in line with industry best practices, in which case there is no reason to believe that users have been affected," said the American giant.