Security researcher Awakened has identified a vulnerability in the Android version of the WhatsApp messaging app that could allow attackers to achieve remote code execution (with privilege elevation) on a victim's device.
Exploiting the flaw, however, is a rather complicated affair: it involves a malicious actor sending a forged GIF file to a victim in a WhatsApp message (or through any other channel).
After the victim has downloaded the GIF file onto the device, the second step of the attack happens when the victim opens the WhatsApp Gallery to send a media file to another WhatsApp user.
Now, since WhatsApp shows previews of every media file (including the file received), the malicious GIF will trigger the RCE exploit.
Here is a brief video of the attack technique:
0:16 Attacker sends GIF file to user via any channels
- One of them could be as a Document via WhatsApp (i.e. pressing the Paper Clip button and choosing Document to send the corrupted GIF)
- If the attacker is in the contact list of the user (i.e. a friend), the corrupted GIF is downloaded automatically without any user interaction.
0:24 User wants to send a media file to any of his/her WhatsApp friends. So the user presses on the Paper Clip button and opens the WhatsApp Gallery to choose a media file to send to his friend.
- Take note that the user does not have to send anything because just opening the WhatsApp Gallery will trigger the bug. No additional touch after pressing WhatsApp Gallery is necessary.
0:30 Since WhatsApp shows previews of every media (including the GIF file received), it will trigger the double-free bug and our RCE exploit.
This double-free bug (CVE-2019-11932) arises when the same memory location is freed twice: besides crashing the app, this can be exploited for malicious purposes.
In this case, when a user opens the gallery from WhatsApp in order to view or send a media file, WhatsApp parses it with a native open-source library called libpl_droidsonroids_gif.so to generate the preview of the GIF file:
A GIF file contains multiple encoded frames.
To store the decoded frames, a buffer with name rasterBits is used. If all frames have the same size, rasterBits is re-used to store the decoded frames without re-allocation.
However, rasterBits would be re-allocated if one of three conditions below is met:
- width * height > originalWidth * originalHeight
- width - originalWidth > 0
- height - originalHeight > 0
Re-allocation is a combination of free and malloc which can trigger an event that allows an attacker to exploit the vulnerability.
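To make the three conditions concrete, the following added example (not code from WhatsApp, the GIF library or Awakened's analysis) walks the frames of a GIF and reports those that meet any of them. It assumes originalWidth and originalHeight are the logical screen size in the GIF header; the function names and the sample files are constructed for illustration.

```python
import struct

def skip_sub_blocks(data, pos):
    """Walk length-prefixed sub-blocks; return the offset after the 0 terminator."""
    while pos < len(data):
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
    raise ValueError("truncated sub-block chain")

def color_table_len(packed):
    """Bytes of colour table announced by a packed-fields byte (0 if absent)."""
    return 3 * (2 << (packed & 7)) if packed & 0x80 else 0

def frames_forcing_realloc(data):
    """Return [(frame_index, [conditions met])] for frames that would force re-allocation."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    # Assumption: originalWidth/originalHeight are the logical screen size.
    orig_w, orig_h, packed = struct.unpack_from("<HHB", data, 6)
    pos, index, findings = 13 + color_table_len(packed), 0, []
    while pos < len(data) and data[pos] != 0x3B:       # 0x3B = trailer
        if data[pos] == 0x21:                          # extension: label + sub-blocks
            pos = skip_sub_blocks(data, pos + 2)
        elif data[pos] == 0x2C:                        # image descriptor = one frame
            w, h, fpacked = struct.unpack_from("<4xHHB", data, pos + 1)
            reasons = [text for hit, text in (
                (w * h > orig_w * orig_h, "width * height > originalWidth * originalHeight"),
                (w - orig_w > 0, "width - originalWidth > 0"),
                (h - orig_h > 0, "height - originalHeight > 0")) if hit]
            if reasons:
                findings.append((index, reasons))
            # Skip descriptor, local colour table, LZW code-size byte and pixel data.
            pos = skip_sub_blocks(data, pos + 11 + color_table_len(fpacked))
            index += 1
        else:
            raise ValueError(f"unexpected block 0x{data[pos]:02x} at offset {pos}")
    return findings

def make_gif(screen, frames):
    """Constructed sample input: minimal GIF89a, no colour tables, dummy pixel data."""
    out = b"GIF89a" + struct.pack("<HHBBB", *screen, 0, 0, 0)
    for w, h in frames:
        out += b"\x2c" + struct.pack("<HHHHB", 0, 0, w, h, 0) + b"\x02\x02\x4c\x01\x00"
    return out + b"\x3b"

SAME_SIZE = make_gif((4, 4), [(4, 4), (4, 4)])          # every frame fits: buffer re-used
OVERSIZED = make_gif((4, 4), [(4, 4), (2, 9), (8, 8)])  # frames 1 and 2 exceed the screen
```

A frame larger than the logical screen is unusual in ordinary GIFs, so a non-empty result is a reasonable signal for closer inspection of a file before it reaches a native decoder.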
Once the vulnerability has been exploited, an attacker may achieve both privilege escalation and remote code execution, so a crafted GIF file may execute malicious commands on the device.
For more technical details, please refer to Awakened's analysis.
Is there a fix?
According to Awakened's research:
I informed Facebook about this. Facebook acknowledged and patched it officially in WhatsApp version 2.19.244. Facebook helped to reserve CVE-2019-11932 for this issue.
WhatsApp users, please do update to the latest WhatsApp version (2.19.244 or above) to stay safe from this bug.