WhatsApp, the Facebook-owned messaging app, has patched a vulnerability that could allow an attacker to achieve Remote Code Execution (RCE) by sending a malicious GIF to targeted WhatsApp accounts. The zero-day was fixed in the app's latest update, WhatsApp version 2.19.244.
The vulnerability was discovered by Awakened, a technologist and information security enthusiast who, according to his blog post, is currently based in Singapore. The researcher identified a bug in WhatsApp that can be exploited by sending a malicious GIF file, and showed how it can be turned into an RCE.
“I’m going to share about a double-free vulnerability that I discovered in WhatsApp for Android, and how I turned it into an RCE. I informed this to Facebook. Facebook acknowledged and patched it officially in WhatsApp version 2.19.244. Facebook helped to reserve CVE-2019-11932 for this issue,” Awakened said in a blog post.
How does the bug work?
In the blog post, Awakened detailed how the vulnerability works. The researcher said there are two ways for an attacker to deliver a malicious GIF: sending it as a Document via WhatsApp (i.e., pressing the Paper Clip button and choosing Document to send the corrupted GIF), or relying on WhatsApp to download the malicious GIF automatically if the attacker is in the target account's contact list.
The code embedded in the malicious GIF is executed when the target user presses the gallery (paper clip) button to send a file to one of their contacts. Once the paper clip button is pressed, the remote code execution is triggered, and the attacker gains access to a plethora of archived messages sent and received by the target account.
“When a WhatsApp user opens Gallery view in WhatsApp to send a media file, WhatsApp parses it with a native library called libpl_droidsonroids_gif.so to generate the preview of the GIF file. libpl_droidsonroids_gif.so is an open-source library with source code available at https://github.com/koral--/android-gif-drawable/tree/dev/android-gif-drawable/src/main/c,” the researcher said.
The researcher also noted that the victim does not even need to tap on the malicious GIF for the code to run. Simply opening the gallery preview by pressing the paper clip button is enough to trigger it.
“Take note that the user does not have to send anything because just opening the WhatsApp Gallery will trigger the bug. No additional touch after pressing WhatsApp Gallery is necessary,” Awakened wrote. “Since WhatsApp shows previews of every media (including the GIF file received), it will trigger the double-free bug, and our RCE exploit.”
The researcher said the exploit works on WhatsApp versions up to 2.19.230; it was officially patched in version 2.19.244. Interestingly, Awakened noted that the exploit only works on Android 8.1 and 9.0, and does not work on Android 8.0 and below.
“In the older Android versions, double-free could still be triggered. However, because of the malloc calls by the system after the double-free, the app just crashes before reaching the point that we could control the PC register.”
The researcher encouraged WhatsApp users to update to the latest version of the app to avoid falling victim to this vulnerability.