WhatsApp RCE Vulnerability Allowed Hijacking Chats Via Malicious GIFs
Heads up WhatsApp users! If you haven’t updated your WhatsApp yet, you must do it now as a serious security flaw exposes your chats to attackers. A security researcher has discovered an RCE vulnerability in WhatsApp that allows hijacking chat sessions simply by sending malicious GIFs.
WhatsApp RCE Vulnerability Discovered
According to the report shared by a researcher with the alias ‘Awakened’, a serious bug threatens the privacy of WhatsApp users. As discovered, a double-free RCE vulnerability exists in WhatsApp Messenger exploiting which allows for hijacking chat sessions.
To exploit the flaw, an attacker would simply need to send a malicious GIF to the victim. An adversary could trigger the flaw in two ways.
First, via local privilege escalation through a malicious app installed on the target device. According to the researcher,
The app collects addresses of zygote libraries and generates a malicious GIF file that results in code execution in WhatsApp context.
This would allow stealing files in WhatsApp sandbox.
Second, via remote code execution by sending a malicious GIF. As explained by the researcher,
Pairing with an application that has a remote memory information disclosure vulnerability (e.g. browser), the attacker can collect the addresses of zygote libraries and craft a malicious GIF file to send it to the user via WhatsApp (must be as an attachment, not as an image through Gallery Picker).
When the recipient opens the Gallery view in WhatsApp, the GIF would trigger the remote shell on the target device:
Awakened has demonstrated the exploit in the following video. (Click here to view the demo in case of any error) . Whereas, the detailed technical write-up is available here.
The proof of concept exploit code can be found here
Update WhatsApp Now!
The vulnerability CVE-2019-11932 discovered by Awakened allegedly affected WhatsApp versions until 2.19.230. It primarily posed a threat to Android 8.1 and 9.0. this is because for Android versions before 8.1, triggering the exploit crashes the app before the hack.
In the older Android versions, double-free could still be triggered. However, because of the malloc calls by the system after the double-free, the app just crashes before reaching to the point that we could control the PC register.
After discovering the bug, the researcher reported the matter to Facebook for further action. Following his report, Facebook patched the flaw with WhatsApp version 2.19.244.
Gloss