Matthew Twells

WhatsApp with all these RCEs?


Written in conjunction with Information Risk Management (IRM) Ltd. and first published at www.irmsecurity.com/resources


Usually the process goes like this:

You’re a bug hunter or a security researcher and you’ve picked your target. You spend a few weeks or even months combing through code and tampering with every input field you can find, looking for a way in. Or better yet, a way to re-purpose your target to do something it shouldn’t.


Sometimes, you can’t find anything worth writing home about, and you move on. But let’s say you do find something – something that lets you either break right through into the inner workings of a program or even control it yourself remotely.

What you’ve got there is a Remote Code Execution (RCE) vulnerability (often also expanded as Remote Command Execution), the jackpot prize of any bug bounty hunter, and what you do with it next depends entirely on which side of the law you want to stay on.


Responsible Disclosure


What usually happens next is the long-standing tradition of responsible disclosure: you report the bug to the vendor, wait for a response and hope for a monetary reward of some description.

It’s the entire business model of companies like HackerOne and Bugcrowd, which outsource security research and code review to the masses.


Once the vendor has had a chance to make their fixes and, hopefully, pay out the reward, the vulnerability is usually assigned a CVE (Common Vulnerabilities and Exposures) identifier and officially added to vulnerability databases worldwide.


You get to put a CVE discovery to your name, some money in the bank (or sometimes just a t-shirt, depending on how cheap your target company is) and you’ve verifiably made the internet a safer place – warm fuzzy feelings all round!


OR... you don’t tell anyone, and you either use the vulnerability you’ve discovered to do generally nasty and untoward things to the target company, or sell the exploit code on the dark web for considerable sums of money (RCE vulnerabilities are worth five figures or more, depending on the target).

You generally clean out your target’s private and customer data and re-purpose that information to repeat the process on bigger and better prey until you get caught and go to prison.





This might all sound very far away, and not at all connected to your day to day life – but trust us when we say that it very much is.

2019 has been a bumper year for this sort of vulnerability, and that’s only counting those that decided to go the responsible, legal route afterwards!

The software affected is used by millions of internet and technology users, and we can virtually guarantee you’re using at least one of the applications hit this year.


For example, let’s start with Windows.

BlueKeep (CVE-2019-0708) is the common name for a critical RCE vulnerability in Remote Desktop Services, the Windows implementation of the Remote Desktop Protocol (RDP). It affects older versions of Windows (Windows 7, Server 2008 R2 and earlier, including XP and Server 2003); Windows 8 and 10 are not vulnerable.

RDP is usually used by technical support staff or your IT manager to save time, or to carry out fixes that are hard to explain over the phone. The service ships with Windows, though on desktop editions it is switched off by default and only becomes reachable once someone enables Remote Desktop and exposes port 3389.

BlueKeep lets a remote attacker (who could be on the other side of the world) connect to your computer over RDP, before any username or password is checked, and send specially crafted requests. Your computer treats those requests as legitimate and the attacker gets to execute whatever they like on it, without you clicking anything. Because no authentication or user interaction is needed, the bug is "wormable": malware can use it to spread from one unpatched machine to the next, which is why Microsoft took the unusual step of shipping a fix for the long-unsupported Windows XP and Server 2003.

This means everything you have on that affected computer is up for grabs: documents, pictures, personal details, saved passwords. All of it can be viewed, changed or stolen.
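As an added example (not part of the original post or of IRM's material), here is a quick PowerShell check a Windows administrator can run on a single machine to see whether it presents the attack surface BlueKeep needs: an in-scope Windows version, Remote Desktop enabled, Network Level Authentication not required, port 3389 listening, and the fix missing. The two KB numbers are the May 2019 Windows 7 SP1 / Server 2008 R2 SP1 updates that carried the fix; they are an assumption stated from memory and should be confirmed against Microsoft's advisory for your exact build, and other affected versions use different KBs.

```powershell
# Added example, not code from the original post. Run as Administrator on the
# host being checked. Written for the older Windows versions BlueKeep affects,
# so it avoids cmdlets that only exist on Windows 8 / Server 2012 and later.

$os  = Get-WmiObject Win32_OperatingSystem
$ver = [version]$os.Version

# CVE-2019-0708 affects Windows 7 / Server 2008 R2 (kernel 6.1) and older.
# Windows 8.x and 10 (6.2 and later) are not vulnerable.
$inScope = $ver -lt [version]'6.2'

# fDenyTSConnections = 0 means Remote Desktop is switched on.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $tsKey).fDenyTSConnections -eq 0

# UserAuthentication = 1 means Network Level Authentication is required, which
# forces valid credentials before the vulnerable code path is reachable.
$nlaKey = Join-Path $tsKey 'WinStations\RDP-Tcp'
$nlaRequired = (Get-ItemProperty -Path $nlaKey).UserAuthentication -eq 1

# Is anything actually listening on the default RDP port?
$listening = [bool](netstat -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING')

# Assumption: KB4499175 (monthly rollup) and KB4499164 (security-only) are the
# May 2019 updates that fixed CVE-2019-0708 on Windows 7 SP1 / Server 2008 R2 SP1.
# Other affected versions use different KBs; verify against Microsoft's advisory.
$fixKbs = @('KB4499175', 'KB4499164')
$patched = [bool](Get-HotFix | Where-Object { $fixKbs -contains $_.HotFixID })

# Exposed = vulnerable build, RDP reachable, fix absent.
$exposed = $inScope -and $rdpEnabled -and (-not $patched)

New-Object PSObject -Property @{
    OSVersion       = $os.Version
    AffectedVersion = $inScope
    RDPEnabled      = $rdpEnabled
    NLARequired     = $nlaRequired
    Port3389Listen  = $listening
    FixInstalled    = $patched
    Exposed         = $exposed
}

if ($exposed) {
    if ($nlaRequired) {
        Write-Warning 'Unpatched with RDP on, but NLA is required: the pre-auth path is blocked. Patch anyway.'
    } else {
        Write-Warning 'Unpatched, RDP on and no NLA: install the fix or disable Remote Desktop now.'
    }
}
```

This is a one-host check; for a whole estate, scan the network for port 3389 and feed the results to a vulnerability scanner rather than logging on to each box. Note also that NLA only closes the unauthenticated route: an attacker who already holds valid credentials can still reach the bug, so NLA is a stopgap, not a substitute for the patch.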


Not convinced yet? How about WhatsApp?


2019 has not been a great year for the “privacy-focused” messenger application – with not one, but two major vulnerabilities found in its code.

The first (CVE-2019-3568) was an attack that could remotely install surveillance software on a smartphone simply by placing a WhatsApp call to the victim. The call did not have to be answered, and the attacker could erase it from the call log afterwards, so the victim might never know it had happened.


It worked by exploiting a buffer overflow in WhatsApp’s VoIP stack, the part of the app that carries voice calls. By sending a specially crafted sequence of SRTCP packets to the target phone during call setup, the attacker could corrupt the app’s memory and run their own code on the phone; in the reported attacks that code installed spyware able to monitor calls and execute commands without the owner’s knowledge.

This means phone tapping, message theft and password theft all become possibilities once remote code execution has been established.


The second (CVE-2019-11932) was an attack that compromised the victim’s phone by sending them a malformed GIF and then waiting for them to open their gallery in WhatsApp. The bug was a double-free in the GIF parsing library used by WhatsApp for Android: the corrupted file triggered it when the app generated a preview of the image, so the victim never had to actually open the GIF.

The internet’s favourite method of responding sarcastically to Facebook comments, ironically repurposed to attack an app owned by Facebook…


A Singapore-based security researcher calling himself Awakened discovered this bug and released a now-infamous video demonstrating the attack on a phone running WhatsApp, controlling the phone from his laptop and, hopefully, scaring most of the people watching into updating their phones immediately. (The original post embeds his demonstration video here.)



Exim, a mail transfer agent that runs a large share of the internet’s email servers, has had similar RCE vulnerabilities disclosed in the last few months, and the list truly does go on, and on, and on...

And that’s just 2019!


There are thousands of people out there whose livelihood depends on cracking into the software you use every day, and not all of them are on the right side of the law.

Patch your systems and update your phones, and you should make a hacker’s life more difficult, and make your network and personal life a little more secure.
