Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

WhatsApp RCE via Double Free Bug

By awakened1712, posted 5 years ago
  • WhatsApp uses a native library called libpl_droidsonroids_gif.so in order to do previews. This is the main target for the attack.
  • When doing previews, some reallocations are done for different buffers. When a frame is of size 0, rasterBits is freed. What happens if we have 2 frames of size 0? Well, this frees the buffer twice, causing a double free vulnerability!
  • In the application, the double free vulnerability results in the same buffer being added twice to the heap allocator's free list. This means that two consecutive allocations would return the same buffer twice! It should be mentioned that each GIF is parsed twice, for whatever reason.
  • With the double free bug, what actually happens? The GFInfo struct is what contains rasterBits. Because we can control the size of the allocations, we can make GFInfo the same size as rasterBits! With both allocations the same size, BOTH GFInfo AND rasterBits will point to the same spot in memory! Woah!
  • GFInfo has TWO function pointers that we can overwrite, making it a great target for compromise. From here, gaining code execution is pretty trivial... call system and find a gadget that allows for the first parameter to be set.
  • One thing that is not covered is an info leak. To exploit this, the base addresses of libc.so and libhwui.so are needed. To me, it is really interesting that this RCE is such a big deal when there is NO leak with it... this makes the vulnerability unexploitable in a generic way and inherently targeted, as a custom file must be made for each user you attack, depending on the locations of the above libraries.
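To make the memory-safety pattern in the second and third bullets concrete, here is an added example (my own code, not the library's or the blog's): a simplified, assumed model of the per-frame rasterBits handling, where a zero-sized frame releases the buffer but the stale pointer is kept. The model swaps the real free for an instrumented one that counts a repeat release instead of corrupting the heap, and places the vulnerable loop beside a hardened loop that validates frame dimensions before any buffer work. The struct and function names, and the constructed frame list, are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, simplified model of the per-frame buffer handling described in the
 * notes; it is not libpl_droidsonroids_gif's real code. */
typedef struct {
    unsigned width;
    unsigned height;
} frame_t;

/* Decoder state with an ownership flag so the model can detect a repeated
 * release of the same chunk instead of actually double-freeing on the heap. */
typedef struct {
    unsigned char *raster_bits;
    int            live;          /* 1 while raster_bits owns a heap chunk */
    int            double_frees;  /* releases of an already-released chunk */
    int            rejected;      /* frames refused by the hardened loop */
} gif_state_t;

/* Instrumented release: a second release of the same chunk is counted, not
 * performed, so the program stays well-defined while exposing the bug. */
static void release_raster(gif_state_t *st) {
    if (!st->live) {
        st->double_frees++;       /* the stale pointer would be freed again */
        return;
    }
    free(st->raster_bits);
    st->live = 0;
}

static int resize_raster(gif_state_t *st, size_t bytes) {
    unsigned char *p = realloc(st->live ? st->raster_bits : NULL, bytes);
    if (p == NULL) return -1;
    st->raster_bits = p;
    st->live = 1;
    return 0;
}

/* Vulnerable shape: a zero-pixel frame releases the buffer (mirroring a
 * size-0 reallocation) but the state keeps the dangling pointer, so a second
 * zero-pixel frame releases it again. */
static int process_frames_vulnerable(gif_state_t *st, const frame_t *f, size_t n) {
    for (size_t i = 0; i < n; i++) {
        size_t bytes = (size_t)f[i].width * f[i].height;
        if (bytes == 0) {
            release_raster(st);
            continue;             /* raster_bits is now dangling */
        }
        if (resize_raster(st, bytes) != 0) return -1;
        memset(st->raster_bits, 0, bytes);   /* stand-in for decoding */
    }
    return 0;
}

/* Hardened shape: dimensions are validated first, so a zero-pixel frame never
 * reaches the size-0 reallocation and the file is rejected outright. */
static int process_frames_hardened(gif_state_t *st, const frame_t *f, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (f[i].width == 0 || f[i].height == 0) {
            st->rejected++;
            return -1;
        }
        size_t bytes = (size_t)f[i].width * f[i].height;
        if (resize_raster(st, bytes) != 0) return -1;
        memset(st->raster_bits, 0, bytes);
    }
    return 0;
}

static void gif_state_destroy(gif_state_t *st) {
    if (st->live) free(st->raster_bits);
    st->raster_bits = NULL;
    st->live = 0;
}

/* Constructed frame list: two consecutive empty frames, as in the notes. */
static const frame_t sample_frames[] = { {4, 4}, {0, 0}, {0, 0}, {2, 2} };
#define SAMPLE_COUNT (sizeof sample_frames / sizeof sample_frames[0])

/* Number of repeat releases the vulnerable loop performs on the sample. */
int count_double_frees_vulnerable(void) {
    gif_state_t st = {0};
    process_frames_vulnerable(&st, sample_frames, SAMPLE_COUNT);
    int result = st.double_frees;
    gif_state_destroy(&st);
    return result;
}

/* Number of repeat releases the hardened loop performs on the same sample. */
int count_double_frees_hardened(void) {
    gif_state_t st = {0};
    process_frames_hardened(&st, sample_frames, SAMPLE_COUNT);
    int result = st.double_frees;
    gif_state_destroy(&st);
    return result;
}

/* Whether the hardened loop refused the file (1) or accepted it (0). */
int hardened_rejected_sample(void) {
    gif_state_t st = {0};
    int rc = process_frames_hardened(&st, sample_frames, SAMPLE_COUNT);
    gif_state_destroy(&st);
    return rc != 0;
}

int main(void) {
    printf("vulnerable loop: %d double free(s)\n", count_double_frees_vulnerable());
    printf("hardened loop: %d double free(s), rejected=%d\n",
           count_double_frees_hardened(), hardened_rejected_sample());
    return 0;
}
```

The point of the instrumented release is that a real double free is undefined behaviour and would simply abort under a hardened allocator; counting it instead shows where the vulnerable loop goes wrong without depending on allocator internals. The hardened loop takes the conservative route of rejecting any zero-dimension frame before touching the buffer, which is the check that removes the size-0 reallocation path entirely.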