A security researcher using the online handle “Awakened” has disclosed a double-free vulnerability in WhatsApp for Android and demonstrated how it can be exploited to remotely execute arbitrary code on the target device.

The researcher reported the issue to Facebook, which acknowledged it and fixed it with the release of WhatsApp version 2.19.244.

The researcher found that the flaw lies in the DDGifSlurp function in decoding.c in the libpl_droidsonroids_gif library.

WhatsApp recently fixed a serious security flaw in its Android app that remained unpatched for at least 3 months after it was discovered. If exploited, it could have allowed remote attackers to compromise Android devices and potentially steal files and chat messages.

“When the WhatsApp Gallery is opened, the said GIF file triggers the double-free bug on rasterBits buffer with size sizeof(GifInfo). Interestingly, in WhatsApp Gallery, a GIF file is parsed twice. When the said GIF file is parsed again, another GifInfo object is created,” reads a technical analysis published by the expert. “Because of the double-free behavior in Android, GifInfo info object and info->rasterBits will point to the same address. DDGifSlurp() will then decode the first frame to info->rasterBits buffer, thus overwriting info and its rewindFunction(), which is called right at the end of DDGifSlurp() function.”
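A constructed C model of the allocator behaviour the quoted analysis relies on, added here as an illustration and not taken from the original post, WhatsApp or libpl_droidsonroids_gif; the GifInfo layout, the fixed-size free-list allocator and the two release functions are assumptions for this example. It shows why freeing rasterBits twice makes the GifInfo created for the second parse and its buffer share one address (so decoded pixels land on the function pointer), and that clearing the pointer after the first free removes the aliasing.

```c
#include <stddef.h>

/* Constructed model (not WhatsApp's or libpl_droidsonroids_gif's code) of a
 * size-class free list: every slot has the same size, free() pushes a slot onto
 * the list without checking for duplicates, malloc() pops the most recent one. */
#define SLOTS 4
#define SLOT_SIZE 64
static _Alignas(16) unsigned char pool[SLOTS][SLOT_SIZE];
static int free_list[SLOTS * 2];   /* room for duplicate entries after a double free */
static int free_top;

static void model_reset(void) {
    free_top = 0;
    for (int i = SLOTS - 1; i >= 0; i--) free_list[free_top++] = i;
}
static void *model_malloc(void) { return free_top ? pool[free_list[--free_top]] : NULL; }
static void model_free(void *p) {
    free_list[free_top++] = (int)(((unsigned char *)p - &pool[0][0]) / SLOT_SIZE);
}

/* Assumed layout of the parser's per-GIF state: a decoded-pixel buffer and a
 * function pointer that is called at the end of decoding. */
typedef struct GifInfo {
    unsigned char *rasterBits;
    void (*rewindFunction)(struct GifInfo *);
} GifInfo;

/* Vulnerable pattern: the buffer is released but the pointer stays dangling,
 * so a second release frees the same slot again. */
static void release_unsafe(GifInfo *info) { model_free(info->rasterBits); }

/* Hardened pattern: release once, clear the pointer, ignore repeated releases. */
static void release_safe(GifInfo *info) {
    if (info->rasterBits) { model_free(info->rasterBits); info->rasterBits = NULL; }
}

/* Simulates the two parses: returns 1 if the GifInfo created for the second
 * parse and its own rasterBits buffer end up at the same address (the aliasing
 * the analysis describes, where decoded pixels overwrite rewindFunction). */
static int objects_alias(void (*release)(GifInfo *)) {
    model_reset();
    GifInfo *first = model_malloc();
    first->rasterBits = model_malloc();
    release(first);                      /* first free of rasterBits */
    release(first);                      /* second free of the same buffer */
    GifInfo *second = model_malloc();    /* GifInfo for the second parse */
    second->rasterBits = model_malloc(); /* pops the duplicate entry */
    return (void *)second == (void *)second->rasterBits;
}
```

With the unsafe release the second GifInfo and its buffer alias; with the safe release they occupy different slots.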

The expert wrote code that generates a malicious GIF file capable of triggering the flaw.

He then copied the generated content into a GIF file and sent it as a Document via WhatsApp to another WhatsApp user. The expert explained that the crafted GIF file cannot be sent as a Media file, because WhatsApp tries to convert it into an MP4 before sending it. The vulnerability is triggered when the target user who received the malicious GIF file opens the WhatsApp Gallery to send a media file to a friend.

The exploit works on Android 8.1 and 9.0, but the researcher noted that it does not work on Android 8.0 and below.

“In the older Android versions, double-free could still be triggered. However, because of the calls by the system after the double-free, the app just crashes before reaching the point that we could control the PC register,” concludes the expert.
