The WhatsApp vulnerability that generates a buffer overflow

Even WhatsApp, the well-known instant messaging app, was affected by a vulnerability disclosed a few days ago that causes a buffer overflow (an out-of-bounds memory read) and could therefore have exposed sensitive data held in the application's memory. The Check Point Research (CPR) team has just published the details of a possible attack based on CVE-2020-1910, a vulnerability discovered last November. It should be noted that WhatsApp has in the meantime released a newer version of the application that corrects the problem and protects its users.

The flaw in the system: a "particular" image

Let's try to understand how CVE-2020-1910 was found. The researchers started by fuzzing image files with American Fuzzy Lop (AFL). AFL takes a set of seed inputs (here, valid images), first trims each one down to the smallest input that still exercises the same code path, and then repeatedly mutates it, introducing "noise" into the file, feeding each mutated image to the target (the code that opens and processes it) and watching for crashes. Every crash is a candidate bug to be analysed by hand.

CVE-2020-1910 was analyzed by Check Point Research and fixed by WhatsApp in version 2.21.1.13.

This is what they did with WhatsApp, targeting in particular the native libraries used to apply image filters. The application is, after all, used not only for classic messaging but also to exchange large quantities of images, videos and other multimedia content every day.

Buffer overflow for WhatsApp

The scenario is the following: the attacker sends a crafted image to a WhatsApp user; if the victim opens it, applies a filter and sends the filtered result back, portions of WhatsApp's memory can end up inside the outgoing image, a potential leak of sensitive information. The problem lies in the applyFilterIntoBuffer() function of the libwhatsapp.so library, which accepts any kind of image without checking its format.

An image in memory is an array of bytes in which, with RGBA encoding, each group of 4 bytes (red, green, blue, alpha) represents one pixel. The function assumes this encoding and walks the array in 4-byte steps, once per pixel of the image. If, however, the image is crafted "to measure" so that each pixel occupies a single byte, the source buffer is only a quarter of the size the function expects, and the loop reads 4 times the amount of memory actually backing the source image. The result is an out-of-bounds read: the filter copies whatever happens to lie beyond the end of the buffer, memory the attacker is not supposed to see, into the output image.
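The arithmetic above, and the check that a fix has to put in front of the filter loop, as an added example written for this page. It is not CPR's proof of concept and not WhatsApp's code: the real applyFilterIntoBuffer() in libwhatsapp.so is not reproduced here, and the image_t container, the grayscale filter and the function names are hypothetical. The example only computes how far the RGBA-assuming loop would read past a one-byte-per-pixel buffer (it never performs the out-of-bounds read itself) and shows the hardened version rejecting that input while still processing a well-formed RGBA image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical image container for this example (not WhatsApp's type). */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel; /* 4 for RGBA, 1 for a single-channel image */
    size_t   len;             /* bytes actually backing data */
    uint8_t *data;
} image_t;

/* Bytes an RGBA-assuming loop would touch beyond the end of the source
   buffer. This is the bug class described in the text: the loop walks
   width*height*4 bytes no matter how the image was really decoded. */
size_t unchecked_overread(const image_t *src) {
    size_t assumed = (size_t)src->width * src->height * 4;
    return assumed > src->len ? assumed - src->len : 0;
}

/* Hardened filter: refuse anything that is not a fully backed RGBA buffer
   with the same geometry as the destination before touching a byte.
   Returns 0 on success, -1 when the input is rejected. The filter itself is
   a plain grayscale conversion; the point is the validation in front of it. */
int apply_grayscale_checked(const image_t *src, image_t *dst) {
    if (src->width == 0 || src->height == 0) return -1;
    size_t pixels = (size_t)src->width * src->height;
    if (pixels > SIZE_MAX / 4) return -1;            /* width*height*4 would wrap */
    size_t need = pixels * 4;
    if (src->bytes_per_pixel != 4 || src->len < need) return -1;
    if (dst->width != src->width || dst->height != src->height) return -1;
    if (dst->bytes_per_pixel != 4 || dst->len < need) return -1;
    for (size_t i = 0; i < pixels; i++) {
        const uint8_t *p = src->data + i * 4;
        uint8_t *q = dst->data + i * 4;
        uint8_t g = (uint8_t)((p[0] + p[1] + p[2]) / 3);
        q[0] = q[1] = q[2] = g;
        q[3] = p[3];                                  /* alpha passes through */
    }
    return 0;
}

/* Scenario 1 (constructed input): a 16x16 image that decoded to one byte per
   pixel, i.e. the crafted image from the article. Returns how many bytes the
   unchecked loop would read past the buffer after confirming the hardened
   filter rejects the image; returns 0 if it was wrongly accepted. */
size_t scenario_crafted_image(void) {
    enum { W = 16, H = 16 };
    uint8_t src_buf[W * H];                  /* 256 bytes: one byte per pixel */
    uint8_t dst_buf[W * H * 4];
    memset(src_buf, 0x80, sizeof src_buf);
    memset(dst_buf, 0, sizeof dst_buf);
    image_t src = { W, H, 1, sizeof src_buf, src_buf };
    image_t dst = { W, H, 4, sizeof dst_buf, dst_buf };
    if (apply_grayscale_checked(&src, &dst) != -1) return 0;
    return unchecked_overread(&src);         /* 768: three more buffers' worth */
}

/* Scenario 2 (constructed input): a well-formed 2x2 RGBA image with every
   pixel (30, 60, 90, 255). Returns the gray value written for the first
   pixel, (30+60+90)/3 = 60, or -1 if the filter rejected it or miswrote. */
int scenario_rgba_image(void) {
    uint8_t src_buf[2 * 2 * 4];
    uint8_t dst_buf[2 * 2 * 4] = {0};
    for (int i = 0; i < 4; i++) {
        src_buf[i * 4 + 0] = 30;
        src_buf[i * 4 + 1] = 60;
        src_buf[i * 4 + 2] = 90;
        src_buf[i * 4 + 3] = 255;
    }
    image_t src = { 2, 2, 4, sizeof src_buf, src_buf };
    image_t dst = { 2, 2, 4, sizeof dst_buf, dst_buf };
    if (apply_grayscale_checked(&src, &dst) != 0) return -1;
    if (dst_buf[3] != 255 || dst_buf[13] != 60) return -1;
    return dst_buf[0];
}

int main(void) {
    printf("crafted 1-byte-per-pixel image: rejected; an unchecked loop would read "
           "%zu bytes past the 256-byte buffer\n", scenario_crafted_image());
    printf("well-formed RGBA image: first gray value = %d\n", scenario_rgba_image());
    return 0;
}
```

The numbers make the "4 times" in the text concrete: a 16x16 single-byte image is 256 bytes, the loop expects 1024, so 768 bytes of neighbouring heap memory would flow into the output. The fix is not a clever one: it is the missing comparison between the bytes the loop will consume and the bytes the decoder actually produced, plus an overflow-safe size computation.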

Such an attack scenario requires considerable user interaction, which makes it rather unlikely, but not impossible. In technical terms, on the other hand, the difficulty is low: very few tools are needed to obtain portions of WhatsApp's memory. It is equally true that dumping WhatsApp chats with this technique is not very feasible, because of the limited amount of information recoverable from each image and the high degree of cooperation required from the victim.

[Image] Applying a filter to an image in WhatsApp triggers a dangerous buffer overflow, with access to potentially sensitive portions of memory.

WhatsApp's response to the vulnerability

The company has naturally taken the appropriate steps to protect its users. Version 2.21.1.13 introduced the fix, and in its February security bulletin WhatsApp reassured users about the security of the application, and in particular about its end-to-end encryption protocol, which protects the communication channel between sender and recipient.

In fact, although the bug allows access to memory it should not, it lies in the application's image-processing logic and not in the encryption of the communication channel. WhatsApp has nonetheless recommended always keeping both the operating system and the application updated with the latest security patches. We at Close Up Engineering can only endorse this advice, which is the basis for staying protected.

The article WhatsApp Vulnerability Generating Buffer Overflow comes from Tech CuE | Close-up Engineering .