Conversation

infosec Twitter excited about yet another Linux priv escalation bug 🥱(who cares, unix priv separation 50 years of fail) but no comments about the WhatsApp RCE without any boomer memory corruption technique being used? Thread

5

103

327

(asking young nephew for help with this thread thing), Bugtraq is closed? 2/

1

25

Chrome SOP bypass CVE-2020-6516 HTML sent by attacker can access any file in /sdcard. Bad

1

5

36

\o WhatsApp stores SSL/TLS secrets and some useful info for attackers in /sdcard. Bad. Attackers can get the secrets from JS code in a HTML attachment and use them to hijack connections between WhatsApp and servers. Bad but ehhh2eeehh encryption ...

1

20

73

o/ The first time a user attempts to use a photo filter a .zip archive is downloaded from static.whatsapp.net/downloadable?c and extracted. Attackers can intercept the request (using the stolen SSL secrets) to send a malicious .zip insted. Can you guess? Yes ../../../

2

7

34

../ To make this RCE chains easier WhatsApps stores native libraries in /data/data/com.whatsapp/files/decompressed/libs.spk.zst 🤷‍♂️attackers can use the .zip bug to overwrite any of them (I would go for the Rust ones) and execute arbitrary code.

2

8

37

Replying to

A lot of apps use this anti-pattern instead of using the standard approach. The legacy approach has the package manager extract your libraries. Same permissions as the apk so the app can't write to them. The modern approach maps them directly from the apk, saving a lot of space.

1

1

Replying to

and

It's probably to save space compared to the legacy standard approach. They can use a better algorithm than DEFLATE and compress them together instead of separately. It's very wasteful compared to the standard approach of mapping libraries directly from apks like other resources.

6:15 PM · Apr 15, 2021Twitter Web App

Replying to

and

I don't remember when they moved the code for mapping libraries from the apk from Chromium to AOSP but it's a standard feature now. They could have used Chromium's code for handling it on legacy Android versions. Firefox has a particularly horrifying take on this nonsense.

1