Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet.
08-31 15:43:50.721 9428 9713 F libc: Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7104200000 in tid 9713 (Thread-11)
08-31 15:43:50.722 382 382 W : debuggerd: handling request: pid=9428 uid=10119 gid=10119 tid=9713
08-31 15:43:50.818 9720 9720 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-31 15:43:50.818 9720 9720 F DEBUG : Build fingerprint: 'google/angler/angler:7.1.2/N2G48H/natash11071827:userdebug/dev-keys'
08-31 15:43:50.818 9720 9720 F DEBUG : Revision: '0'
08-31 15:43:50.818 9720 9720 F DEBUG : ABI: 'arm64'
08-31 15:43:50.818 9720 9720 F DEBUG : pid: 9428, tid: 9713, name: Thread-11 >>> com.whatsapp <<<
08-31 15:43:50.818 9720 9720 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7104200000
08-31 15:43:50.819 9720 9720 F DEBUG : x0 00000071041ffde8 x1 00000071047796b0 x2 0000000000000000 x3 0000000000000030
08-31 15:43:50.819 9720 9720 F DEBUG : x4 0000000000000000 x5 0000000000000040 x6 00000071041fffd8 x7 8181818181818181
08-31 15:43:50.819 9720 9720 F DEBUG : x8 8181818181818181 x9 8181818181818181 x10 8181818181818181 x11 8181818181818181
08-31 15:43:50.819 9720 9720 F DEBUG : x12 8181818181818181 x13 8181818181818181 x14 8181818181818181 x15 0000000000000000
08-31 15:43:50.819 9720 9720 F DEBUG : x16 0000007110a468a0 x17 000000712f3b0908 x18 0000000000000000 x19 0000000000000280
08-31 15:43:50.819 9720 9720 F DEBUG : x20 00000071088744a8 x21 0000000000000280 x22 00000071256a5a28 x23 0000007104ff9b70
08-31 15:43:50.819 9720 9720 F DEBUG : x24 000000000000100d x25 000000000000120d x26 0000007104779480 x27 0000007108830828
08-31 15:43:50.819 9720 9720 F DEBUG : x28 0000000000151f80 x29 00000071043fe540 x30 000000711060a010
08-31 15:43:50.819 9720 9720 F DEBUG : sp 00000071043fe320 pc 000000712f3b0a5c pstate 0000000060000000
08-31 15:43:50.825 9720 9720 F DEBUG :
08-31 15:43:50.825 9720 9720 F DEBUG : backtrace:
08-31 15:43:50.825 9720 9720 F DEBUG : #00 pc 000000000001aa5c /system/lib64/libc.so (memcpy+340)
08-31 15:43:50.825 9720 9720 F DEBUG : #01 pc 00000000000c500c /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #02 pc 00000000000c7d60 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #03 pc 00000000000f88d4 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #04 pc 00000000000f6948 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #05 pc 00000000000f0ef4 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #06 pc 00000000000f0630 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #07 pc 00000000000eef3c /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #08 pc 00000000001272e0 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #09 pc 0000000000303d20 /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825 9720 9720 F DEBUG : #10 pc 0000000000068734 /system/lib64/libc.so (_ZL15__pthread_startPv+208)
08-31 15:43:50.825 9720 9720 F DEBUG : #11 pc 000000000001da7c /system/lib64/libc.so (__start_thread+16)
This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients.
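The bug class described above, a length taken from an untrusted RTP header driving a memcpy into a heap buffer, illustrated by an added example that is not WhatsApp's code and not part of the original report: a small RFC 3550 header parser in C that checks every header-derived length (CSRC count, extension length, padding count, payload size) against the bytes actually received before anything is copied. The packet bytes are constructed for the example, and the function names, the struct layout and the 64-byte destination buffer are assumptions.

```c
/* Added example (hypothetical, not WhatsApp's code): bounds-checked RTP parsing.
 * Header layout follows RFC 3550 section 5.1; sample packets are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RTP_FIXED_HDR 12

typedef struct {
    unsigned version, padding, extension, csrc_count, marker, payload_type;
    uint16_t seq;
    uint32_t timestamp, ssrc;
    size_t ext_len;      /* bytes of header-extension data, 0 if none */
    size_t payload_off;  /* offset of payload inside the packet */
    size_t payload_len;  /* payload bytes, excluding trailing padding */
} rtp_hdr_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 on success, -1 if the packet is malformed. Each length that comes
 * from the untrusted header is compared with the received length before use;
 * skipping any one of these checks is the pattern that ends in a bad memcpy. */
int rtp_parse(const uint8_t *pkt, size_t len, rtp_hdr_t *h)
{
    if (pkt == NULL || h == NULL || len < RTP_FIXED_HDR) return -1;
    memset(h, 0, sizeof *h);
    h->version = pkt[0] >> 6;
    if (h->version != 2) return -1;
    h->padding      = (pkt[0] >> 5) & 1;
    h->extension    = (pkt[0] >> 4) & 1;
    h->csrc_count   = pkt[0] & 0x0f;
    h->marker       = pkt[1] >> 7;
    h->payload_type = pkt[1] & 0x7f;
    h->seq          = be16(pkt + 2);
    h->timestamp    = be32(pkt + 4);
    h->ssrc         = be32(pkt + 8);

    size_t off = RTP_FIXED_HDR + (size_t)h->csrc_count * 4;
    if (off > len) return -1;                 /* CC claims CSRCs we never got */

    if (h->extension) {
        if (len - off < 4) return -1;         /* no room for profile + length */
        size_t words = be16(pkt + off + 2);   /* length is in 32-bit words */
        off += 4;
        if (words > (len - off) / 4) return -1; /* extension longer than packet */
        h->ext_len = words * 4;
        off += h->ext_len;
    }

    size_t pad = 0;
    if (h->padding) {
        pad = pkt[len - 1];                   /* last byte holds the pad count */
        if (pad == 0 || pad > len - off) return -1;
    }
    h->payload_off = off;
    h->payload_len = len - off - pad;
    return 0;
}

/* Copies the payload into a caller-owned buffer of capacity cap, refusing
 * (instead of overflowing) when the payload does not fit. */
long rtp_copy_payload(const uint8_t *pkt, size_t len, uint8_t *dst, size_t cap)
{
    rtp_hdr_t h;
    if (rtp_parse(pkt, len, &h) != 0) return -1;
    if (h.payload_len > cap) return -1;       /* the check a blind memcpy omits */
    memcpy(dst, pkt + h.payload_off, h.payload_len);
    return (long)h.payload_len;
}

/* Convenience wrappers so results can be checked without exposing buffers. */
long rtp_payload_len(const uint8_t *pkt, size_t len)
{
    rtp_hdr_t h;
    return rtp_parse(pkt, len, &h) == 0 ? (long)h.payload_len : -1;
}
long rtp_copy_demo(const uint8_t *pkt, size_t len, size_t cap)
{
    uint8_t buf[64];                          /* assumed fixed destination */
    return cap > sizeof buf ? -1 : rtp_copy_payload(pkt, len, buf, cap);
}

/* Constructed packets: one well-formed, three with lying header fields. */
static const uint8_t good_pkt[] = {
    0x91, 0x60, 0x12, 0x34, 0x00, 0x00, 0x00, 0x10, 0xde, 0xad, 0xbe, 0xef, /* V=2 X=1 CC=1 */
    0x01, 0x02, 0x03, 0x04,                   /* one CSRC */
    0xbe, 0xde, 0x00, 0x01, 0xaa, 0xbb, 0xcc, 0xdd, /* ext: 1 word */
    0x11, 0x22, 0x33 };                       /* 3-byte payload */
static const uint8_t bad_cc[]  = { 0x8f, 0x60, 0,0,0,0,0,0,0,0,0,0 };              /* CC=15, 12 bytes */
static const uint8_t bad_ext[] = { 0x90, 0x60, 0,0,0,0,0,0,0,0,0,0, 0xbe,0xde,0xff,0xff, 0,0,0,0 };
static const uint8_t bad_pad[] = { 0xa0, 0x60, 0,0,0,0,0,0,0,0,0,0, 0x11, 0x22, 0x09 }; /* pad=9 > 3 */

int main(void)
{
    printf("good: %ld  bad_cc: %ld  bad_ext: %ld  bad_pad: %ld\n",
           rtp_payload_len(good_pkt, sizeof good_pkt), rtp_payload_len(bad_cc, sizeof bad_cc),
           rtp_payload_len(bad_ext, sizeof bad_ext), rtp_payload_len(bad_pad, sizeof bad_pad));
    return 0;
}
```

Each rejected packet fails a different check: `bad_cc` advertises fifteen CSRCs in a 12-byte packet, `bad_ext` declares a 65535-word extension inside a 20-byte packet, and `bad_pad` claims nine padding bytes when only three remain. The same parser also refuses to copy the well-formed payload into a buffer smaller than the payload, which is the condition that a length-trusting memcpy turns into heap corruption.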
To reproduce the issue:
1) Apply the attached patch to libwhatsapp.so in the Android application using bsdiff. This patch intercepts a memcpy right before srtp_protect is called, and alters the RTP buffer. The SHA1 of the original library I used was cfdb0266cbd6877e5d146ddd59fa83ebccdd013d, and the SHA1 of the modified library is 042256f240367eaa4a096527d1afbeb56ab2eeb4.
2) Build the attached file, natalie2.c for the Android device the application is running on, and copy it to /data/data/com.whatsapp/libn.so.
3) Copy the files in the attached folder into /data/data/com.whatsapp/files so that /data/data/com.whatsapp/files/t0 is a valid location.
4) Restart WhatsApp and call the target device and pick up the call. The device will crash in a few seconds.
Logs from the crashes on Android and iPhone are attached. Note that I modified the Android target binary to disable WhatsApp's custom crash handling. The iPhone WhatsApp install was unmodified.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45579.zip