
Published on October 29th, 2019

EXPLOIT DATABASE ANDROID USING GIF FILE WHATSAPP





In this blog post, I'm going to describe a double-free vulnerability that I discovered in WhatsApp for Android, and how I turned it into an RCE. I reported it to Facebook, which acknowledged the issue and patched it officially in WhatsApp version 2.19.244. Facebook reserved CVE-2019-11932 for this issue.

The steps are as follows:

0:16 The attacker sends a GIF file to the user via any channel.
  - One such channel is sending it as a Document via WhatsApp (i.e. pressing the Paper Clip button and choosing Document to send the corrupted GIF).
  - If the attacker is in the user's contact list (i.e. a friend), the corrupted GIF is downloaded automatically without any user interaction.
0:24 The user wants to send a media file to one of his/her WhatsApp friends, so the user presses the Paper Clip button and opens the WhatsApp Gallery to choose a media file to send.
  - Note that the user does not have to send anything: just opening the WhatsApp Gallery triggers the bug. No additional touch after pressing WhatsApp Gallery is necessary.
0:30 Since WhatsApp shows previews of every media file (including the GIF file received), it triggers the double-free bug and our RCE exploit.
https://github.com/koral--/android-gif-drawable/tree/dev/android-gif-drawable/src/main/c
https://github.com/awakened1712/CVE-2019-11932
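The post gives 2.19.244 as the patched WhatsApp release, so devices can be checked against that version. The following is an added example, not code from the original post or the linked repositories; it assumes the input is text captured from `adb shell dumpsys package com.whatsapp`, and the device names and dumps in SAMPLE are constructed.

```python
import re

# First fixed WhatsApp for Android release, as stated in the post.
PATCHED = (2, 19, 244)

# Assumption: input is `adb shell dumpsys package com.whatsapp` output, which
# carries a "versionName=<dotted version>" line. Only plain dotted numeric
# versions are accepted; anything else is reported as "unknown" for manual review.
VERSION_RE = re.compile(r"^\s*versionName=(\d+(?:\.\d+)*)\s*$", re.MULTILINE | re.ASCII)


def parse_version(dump):
    """Return versionName as a tuple of ints, or None if absent or malformed."""
    match = VERSION_RE.search(dump)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def classify(dump):
    """Return 'patched', 'vulnerable' or 'unknown' for one device's dump."""
    version = parse_version(dump)
    if version is None:
        return "unknown"
    # Pad the shorter tuple with zeros so "2.19" compares as 2.19.0.
    width = max(len(version), len(PATCHED))
    padded = version + (0,) * (width - len(version))
    fixed = PATCHED + (0,) * (width - len(PATCHED))
    return "patched" if padded >= fixed else "vulnerable"


def audit(inventory):
    """Map each device name to its classification."""
    return {device: classify(dump) for device, dump in inventory.items()}


# Constructed sample inventory (hypothetical device names and dumps).
SAMPLE = {
    "pixel-3a": "Packages:\n  Package [com.whatsapp] (1a2b3c):\n"
                "    versionCode=453003 minSdk=16 targetSdk=28\n"
                "    versionName=2.19.230\n",
    "galaxy-s10": "    versionName=2.19.244\n",
    "moto-g7": "    versionName=2.20.11\n",
    "tablet-lab": "Unable to find package: com.whatsapp\n",
    "beta-phone": "    versionName=2.19.244-beta\n",
}

if __name__ == "__main__":
    for device, status in sorted(audit(SAMPLE).items()):
        print(f"{device}: {status}")
```

Devices reported as "unknown" either lack the package or carry a version string the parser does not accept, and need a manual check.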
