Issue 1654 link

Starred by 7 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 9
Cc:



WhatsApp: Heap Corruption in RTP processing

Reported by natashenka@google.com (Project Member), Aug 31

Issue description

Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet.

08-31 15:43:50.721  9428  9713 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x7104200000 in tid 9713 (Thread-11)
08-31 15:43:50.722   382   382 W         : debuggerd: handling request: pid=9428 uid=10119 gid=10119 tid=9713
08-31 15:43:50.818  9720  9720 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
08-31 15:43:50.818  9720  9720 F DEBUG   : Build fingerprint: 'google/angler/angler:7.1.2/N2G48H/natash11071827:userdebug/dev-keys'
08-31 15:43:50.818  9720  9720 F DEBUG   : Revision: '0'
08-31 15:43:50.818  9720  9720 F DEBUG   : ABI: 'arm64'
08-31 15:43:50.818  9720  9720 F DEBUG   : pid: 9428, tid: 9713, name: Thread-11  >>> com.whatsapp <<<
08-31 15:43:50.818  9720  9720 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7104200000
08-31 15:43:50.819  9720  9720 F DEBUG   :     x0   00000071041ffde8  x1   00000071047796b0  x2   0000000000000000  x3   0000000000000030
08-31 15:43:50.819  9720  9720 F DEBUG   :     x4   0000000000000000  x5   0000000000000040  x6   00000071041fffd8  x7   8181818181818181
08-31 15:43:50.819  9720  9720 F DEBUG   :     x8   8181818181818181  x9   8181818181818181  x10  8181818181818181  x11  8181818181818181
08-31 15:43:50.819  9720  9720 F DEBUG   :     x12  8181818181818181  x13  8181818181818181  x14  8181818181818181  x15  0000000000000000
08-31 15:43:50.819  9720  9720 F DEBUG   :     x16  0000007110a468a0  x17  000000712f3b0908  x18  0000000000000000  x19  0000000000000280
08-31 15:43:50.819  9720  9720 F DEBUG   :     x20  00000071088744a8  x21  0000000000000280  x22  00000071256a5a28  x23  0000007104ff9b70
08-31 15:43:50.819  9720  9720 F DEBUG   :     x24  000000000000100d  x25  000000000000120d  x26  0000007104779480  x27  0000007108830828
08-31 15:43:50.819  9720  9720 F DEBUG   :     x28  0000000000151f80  x29  00000071043fe540  x30  000000711060a010
08-31 15:43:50.819  9720  9720 F DEBUG   :     sp   00000071043fe320  pc   000000712f3b0a5c  pstate 0000000060000000
08-31 15:43:50.825  9720  9720 F DEBUG   : 
08-31 15:43:50.825  9720  9720 F DEBUG   : backtrace:
08-31 15:43:50.825  9720  9720 F DEBUG   :     #00 pc 000000000001aa5c  /system/lib64/libc.so (memcpy+340)
08-31 15:43:50.825  9720  9720 F DEBUG   :     #01 pc 00000000000c500c  /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825  9720  9720 F DEBUG   :     #02 pc 00000000000c7d60  /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825  9720  9720 F DEBUG   :     #03 pc 00000000000f88d4  /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825  9720  9720 F DEBUG   :     #04 pc 00000000000f6948  /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825  9720  9720 F DEBUG   :     #05 pc 00000000000f0ef4  /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825  9720  9720 F DEBUG   :     #06 pc 00000000000f0630  /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825  9720  9720 F DEBUG   :     #07 pc 00000000000eef3c  /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825  9720  9720 F DEBUG   :     #08 pc 00000000001272e0  /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825  9720  9720 F DEBUG   :     #09 pc 0000000000303d20  /data/app/com.whatsapp-2/lib/arm64/libwhatsapp.so
08-31 15:43:50.825  9720  9720 F DEBUG   :     #10 pc 0000000000068734  /system/lib64/libc.so (_ZL15__pthread_startPv+208)
08-31 15:43:50.825  9720  9720 F DEBUG   :     #11 pc 000000000001da7c  /system/lib64/libc.so (__start_thread+16)

This issue can occur when a WhatsApp user accepts a call from a malicious peer. It affects both the Android and iPhone clients.

To reproduce the issue:

1) Apply the attached patch to libwhatsapp.so in the Android application using bsdiff. This patch intercepts a memcpy right before srtp_protect is called, and alters the RTP buffer. The SHA1 of the original library I used was cfdb0266cbd6877e5d146ddd59fa83ebccdd013d, and the SHA1 of the modified library is 042256f240367eaa4a096527d1afbeb56ab2eeb4.

2) Build the attached file, natalie2.c for the Android device the application is running on, and copy it to /data/data/com.whatsapp/libn.so.

3) Copy the files in the attached folder into /data/data/com.whatsapp/files so that /data/data/com.whatsapp/files/t0 is a valid location.

4) Restart WhatsApp and call the target device and pick up the call. The device will crash in a few seconds.

Logs from the crashes on Android and iPhone are attached. Note that I modified the Android target binary to disable WhatsApp's custom crash handling. The iPhone WhatsApp install was unmodified.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.

 
patch.diff
428 bytes Download
natalie2.c
1.5 KB View Download
newfiles.zip
17.6 MB Download
androidlog
746 KB View Download
WhatsApp-2018-08-31-154544.ips
90.2 KB Download
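The report locates the corruption in a memcpy reached from RTP processing but does not say which header field was mishandled. As an added example (not the reporter's code or WhatsApp's), the C parser below shows the length validation an RTP receiver needs before that copy: every peer-controlled length (CSRC count, extension length, padding count) is checked against the packet length, and the payload length against the destination buffer. The sample packet, the 16-byte buffer and the demo_parse helper are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
enum rtp_status { RTP_OK = 0, RTP_ERR_SHORT, RTP_ERR_VERSION, RTP_ERR_PADDING, RTP_ERR_TOO_LARGE };

/* Copy the RTP payload into a fixed-size buffer only after validating every length the
 * peer controls (CSRC count, extension length, padding count) against the packet length,
 * and the payload length against the destination. Returns an rtp_status. */
static int rtp_extract_payload(const uint8_t *pkt, size_t len,
                               uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (len < 12) return RTP_ERR_SHORT;                       /* RFC 3550 fixed header */
    if ((pkt[0] >> 6) != 2) return RTP_ERR_VERSION;           /* version must be 2 */
    size_t off = 12 + (size_t)(pkt[0] & 0x0f) * 4;            /* skip CC * 4 bytes of CSRCs */
    if (off > len) return RTP_ERR_SHORT;
    if ((pkt[0] >> 4) & 1) {                                  /* X bit: 4-byte header + N words */
        if (len - off < 4) return RTP_ERR_SHORT;
        size_t ext_words = ((size_t)pkt[off + 2] << 8) | pkt[off + 3];
        off += 4;
        if (ext_words * 4 > len - off) return RTP_ERR_SHORT;   /* length field vs. bytes left */
        off += ext_words * 4;
    }
    size_t end = len;
    if ((pkt[0] >> 5) & 1) {                                  /* P bit: last byte = pad count */
        size_t pad = pkt[len - 1];
        if (pad == 0 || pad > len - off) return RTP_ERR_PADDING;
        end -= pad;
    }
    if (end - off > out_cap) return RTP_ERR_TOO_LARGE;         /* the check a bare memcpy lacks */
    memcpy(out, pkt + off, end - off);
    *out_len = end - off;
    return RTP_OK;
}

/* Constructed sample, not from the report: V=2, X=1, CC=1, one CSRC, 1-word extension, 4-byte payload. */
static const uint8_t SAMPLE_OK[28] = { 0x91, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x10,
    0xde, 0xad, 0xbe, 0xef,                                   /* SSRC (end of fixed header) */
    0x11, 0x22, 0x33, 0x44,                                   /* one CSRC */
    0xbe, 0xde, 0x00, 0x01, 0xaa, 0xbb, 0xcc, 0xdd,           /* extension header + 1 word */
    0xca, 0xfe, 0xf0, 0x0d };                                 /* payload */

/* Parse SAMPLE_OK with byte idx replaced by val (idx < 0: unmodified) into out_cap (<= 16) bytes;
 * returns the payload length on success, or the negated rtp_status on rejection. */
int demo_parse(int idx, uint8_t val, size_t out_cap)
{
    uint8_t pkt[sizeof SAMPLE_OK], out[16] = {0}; size_t n = 0;
    memcpy(pkt, SAMPLE_OK, sizeof pkt);
    if (idx >= 0) pkt[idx] = val;
    int rc = rtp_extract_payload(pkt, sizeof pkt, out, out_cap, &n);
    return rc == RTP_OK ? (int)n : -rc;
}
```

Raising the extension length field or the CSRC count in the sample beyond the bytes actually present is rejected before any copy, and a payload larger than the destination is refused rather than overflowing it.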
Comment 1 by natashenka@google.com (Project Member), Oct 9

Labels: -Restrict-View-Commit
Status: Fixed (was: New)
Comment 2 by natashenka@google.com (Project Member), Oct 9

This issue was fixed on September 28 in the Android client and on October 3 in the iPhone client.

Did you test sending such a packet to a client on Windows 10 Mobile, i.e. is the status for Windows 10 Mobile unknown or unaffected?

Can anybody confirm if the Android version 2.18.293 (24th Sep 2018) is still vulnerable? It is still available on the Google Play Store.

Also, WhatsApp has a privacy leak: when a call is initiated we see the STUN status, which makes it easy to identify inside a network which phone/IP is calling.

I use this to exploit a user. I generate a WhatsApp call to him, check inside a big network which one has STUN activity, and then I have his identity revealed.

I have a big issue or a problem that is corrupting the old chat storage in my WhatsApp account. I noticed an auto-delete of the earliest text messages of my oldest chat; the deletion is progressive, daily and gradual, and it deletes three to four text messages one by one, without any detected reason. The auto-delete starts once I switch on the mobile network. I tried many times to fix this bug: I reinstalled the app, I changed the Android device, but the bug still exists and is running to the current moment. It's really frustrating me so much and affecting me badly that I lose my message storage continuously without any detected cause. I do not have any application or antivirus app for cleaning. I think it's a technical error in the server for my WhatsApp account, not related to the device, but they did not reply to me or give me a clear answer, and I sent more than 30 requests to the WhatsApp support mail to get help, but they have not helped till now. What can I do to stop this damage? I need help. If you please, tell me to whom I should refer. What can I do to stop this unexplained process? Should I delete my account? I feel insecure and I am losing my privacy. Please guide me. Thanks.

Comment 7 Deleted

Comment 8 by natashenka@google.com (Project Member), Nov 27

Labels: CVE-2018-6344