MAJOR EXPLOIT: This GIF can Backdoor any Android Phone (sort of)
ฝัง
- เผยแพร่เมื่อ 27 มิ.ย. 2024
- In this video, we take a deep dive into the inner mechanics of a double free vulnerability within Android OS, allowing attackers to gain complete access to any Android mobile phone with an RCE (remote code execution). This vulnerability was exploited by creating a custom GIF file and sending it to a user in WhatsApp. Whether you're a pen tester, security researcher, or cyber security expert, having a solid foundation in low level languages, especially C, is critical.
0:00 - Overview
0:35 - GIFs
1:02- GIFs within Android
2:10- Memory / Pointers
3:35 - Double Free
6:02 - WhatsApp Payload
8:24 - RCE
WE HAVE A DISCORD NOW! / discord
Original report by security researcher Awakened
awakened1712.github.io/hackin...
Double free within android-gif-drawable
github.com/koral--/android-gi...
MUSIC CREDITS:
LEMMiNO - Cipher
• LEMMiNO - Cipher (BGM)
CC BY-SA 4.0
LEMMiNO - Nocturnal
• LEMMiNO - Nocturnal (BGM)
CC BY-SA 4.0
#programming #software #softwareengineering #computerscience #code #programminglanguage #softwaredevelopment #hacking #hack #cybersecurity #exploit #tracking #softwareengineer #vulnerability #pentesting #privacy #spyware #malware #cyber #cyberattack #bugbounties #ethicalhacking #mobile #android #doublefree #malloc #realloc #GIF #mobilesecurity #lowlevelsecurity #zeroday #zero-day #cybersecurityexplained #bugbounty #compiler #memorymanagement #kernel #operatingsystems #OS - วิทยาศาสตร์และเทคโนโลยี
WE HAVE A DISCORD NOW! discord.gg/WYqqp7DXbm
Is this Exploit still exist ? What is the cve ?
@TDS2023 Thank you! I appreciate the words! Glad you liked it 😊
@ytg6663 It is no longer exploitable, as it was fixed both within a WhatsApp patch (2.19.244), and within the android-gif-drawable library. Facebook reserved CVE-2019-11932 for this issue.
@@DanielBoctor Why do you speak with upspeak? its fvcking annoying
@@DanielBoctorcan this exploit happen anywhere other That's WhatsApp? I don't use WhatsApp?
Kinda cool, the principles of these kinds of low level exploits are not so different from how speedrunners achieve arbitrary code execution in old games, mess around with pointers until they point to the memory address of the code you want to run next, and they do this by exploiting glitches during gameplay
How to obtain bedrock in minecraft:
very cool, never thought about it like that
They're both the same thing. Both involve injecting code into memory by exploiting a vulnerability.
true
This was exactly my thought
as soon as i realized the gif struct had a function pointer it was over
LOOOOOOOOL that will do it
Hi bro,could you teacher me how to do it?
Genuinely, what a great explanation of the double free vulnerability! Really love the detail and this can be very useful for anyone getting into binary exploitation techniques.
For me this really solidified the basics I saw here and there, with a nice practical example
Thanks for the wholesome comment, it means a lot
@@DanielBoctor- Complicated exploit but well dissected. BTW you sound a bit like the male version of Christina Hall. hehe
do I really? I can't say I notice the resemblance myself lol. I'm glad your liking my videos, thanks for the support
@@DanielBoctor- Check out the way Christina Hall talks in her "Jacuzzi" commercial,. enunciating the end of words. lol
Amazing explanation! I like how you managed to dive pretty deep without making the video super long
Fantastic video Daniel, I cant wait for the next video!
Thank you
One of the best explanations ever of an exploit that goes into technical detail!
You are one awesome fella thanks for the support
Awesome video🔥 RCE is so cool, tnx for explaining everything!!
I really is lol. Glad you have you here! Thanks for the kind words, keep on doing what you're doing 😊
I like the way you explain, it's amazing and interesting, thank you. 👍🏻
I'm glad you liked it! Means a lot
Great comparison between these two channels, got me thinking more about my upcoming videos.
And I have asked my self the question you end on I just need to make it more clear who I'm targeting in my titles
I'm targeting a little more than that lol but I don't have a good time to get it back on the way home and I will be there in a little while to get my package in my car so I don't have anything to eat 😊
Your videos are great! Thanks so much.
Thanks! Glad you liked it 😊
What a GOAT!!! The way you edit the videos to match as you explain is amazing, specially the “under the hood” explanations! Legend in the making
THANK YOU INIVEK ❤️❤️❤️❤️❤️❤️
epic video, didn’t understand it much but it was cool, maybe even better than your previous one
LOL, it do be like that sometimes
Good video.
the title however is misleading, it's not ANY android phone it's android phones that already have a malicious application installed and whatsapp, additionally the title implies that the exploit can be used right now, even though it was patched years ago by both whatsapp and android
I agree but it’s for the views and he deserves the views. Very well put video. Very informative.
@@AlienzOnlyBruhindeed
also i would argue that this is really just a whatsapp exploit because the reverse shell gained is just the same privileges as whatsapp is currently allowed by android, so access to all user files if the user ever had previously attached something in whatsapp and allowed the permission, also the "android gif library" isn't used by all android apps not by a long shot, it just happened to be imported into whatsapp's source code and be what whatsapp used to render gifs, there isn't any real priviliege escalation exploit here
@@AlienzOnlyBruhme when the judge asks why i robbed the bank
@@AlienzOnlyBruhI mean I'm disliking and leaving 34 seconds in lol
amazing video and very interesting topic, this deserves way more attention! you have my sub, keep up the good work!
Thank you! Glad you have you apart of the community
How the researcher discovered gifs were rendered twice in whatsapp is very interesting. I mean i know some people who does reversing on major android apps or iphone app ipa files but i dont know they do the research with that depth of knowlege.
Just found your channel. Great stuff!!
Glad to have you here!
"for whatever reason they're parsed twice" sounds like intentional backdoor to me.
More like a 'performance bug' or some thumbnail generation, etc... Let's say you wanna show the first frame of the gif as a preview and the user should tap on the image to actually start playing the gif. You can do it different ways but it is easy to image they choose a method to reread the gif twice. First to acquire an initial frame and a second time when the user want to play the gif.
MAN YOUR CHANNEL IS INTERESTING! KEEP IT UP!
THANK YOU!!! GLAD TO HAVE YOU HERE 😊
Great video. Looking forward to seeing future content.
Glad you liked it! More is on the way 🚀🚀🚀
Nicely explained!
You did a very solid job explaining everything. That's awesome man, ty for the vid
Thank you for being apart of it! Glad to have you here 😊
Heck yeah~ this made me curious what other kind of exploits there are, so I start to look at the standard linux kernel 6.6 and instantly I noped tf out of there
Not because I wouldn't eventually be able to get a grasp on the madness that's called code (tho it is organized), but because I already have too many coding projects lol
@@DanielBoctor
I'll fix the title for you "This GIF can't Backdoor ANY Android Phone"
I was instantly taken back to how I exploited Pokemon games back in the day.
I love the technical details usually you.dont get to see such detailed explanations for needs like us . Thkx amazing content
Glad you liked it!
Damn as a Cybersecurity reasercher this video was dope!
I went to college in 1990, and they were still teaching C for first year programming. Java was still new to the game, so you had a choice of Pascal or C. I remember the professor told us that after the 3rd week we can expect half the class to drop. The 3rd week is when he introduced pointers. He wasn't wrong. This is a great video that helps illustrate the concept behind pointers. I think part of the problem was the professor, but I wasn't going to say anything. I taught myself assembler when I was 14, so pointers to me were already natural and I had no issue understand them. Half the class struggled immensely and wound up dropping before the first mid-term.
Very informative.
Thanks!!
Well at the last second you took away its powers by explaining that the user would have needed to basically download a virus first. But I could see this working for a malicious company that creates popular apps with the goal being to use the app as the “virus” agent to get that local address saved and get the user’s phone number through a sign up or something. And with the local address and the phone number, sending them a gif on WhatsApp (if they have WhatsApp) would work. Seems like it would work best if you had a huge database of potential victims. Thx for explaining this stuff bro.
edit: I was wrong about how this works
It's actually a lot easier than that. I didn't mean to take away from the vulnerability too much. As mentioned in the video, the required memory addresses are constant values, and ONLY change during system reboots. Any application has access to these addresses.
An app would not even need to harvest the targets phone number, NOR send the user a GIF in the first place. It could merely craft the GIF itself, and save it to the phones file system locally. That's it. The next time the victim opens their media gallery in WhatsApp, the GIF will be rendered directly, without the need to even receive a message.
Thanks for watching, and I'm glad you enjoyed!
that's crazy bro lol sorry I misunderstood@@DanielBoctor
@@DanielBoctor But should the person run an old version of whatsapp or not to do this?
The vulnerability is actually 3-fold:
1. Android OS returning the same memory address twice after a double free
2. The android-gif-drawable library causing a double free in the first place
3. WhatsApp double parsing GIFs, enabling any real harm to be caused from the double free
You would need all three of these conditions to be present for this to be exploitable. Just using an old version of WhatsApp would not be enough, as both WhatsApp and the GIF library were both patched.
This wasn’t mentioned in the video, but the presented vulnerability is merely an example of what can be done. OP mentions that there are potentially more complicated methods to leak relative addresses allowing us to do ROP to mitigate read-only pages. Without getting too far into it, the deterministic way android handles double frees enables us to, within the same gif, leak a valid instruction pointer and then use different techniques with that executable memory location to execute our shellcode
damn thats sick, love your content. its really hard to find videos this detailed.♥
THANK YOU ♥
good for me that i understand C lingo. this is so cool to know.
Holy crap. This is very elaborate!
Really good video!
Thanks! Glad you liked it 😊. Keep on spreading that positivity
The thing about double free is that it allows you to edit a free chunk, in glibc (I am not sure if its in android kernel) free chunks are linked via fd & bk pointers which is pretty much a double-linked list (this also depends on the size of the free chunk which is categorized to which bin list) , modifying these pointer in a free chunk can allowed you to malloc in arbitrary address since malloc related operation retrieve chunks in the free list if exist rather than creating a new one
Interesting, but a six-year-old vulnerability is not "zero-day."
can u tell me the best way to install malware in someone mobile without click
I think a malicious actor must've hacked your voice box and spammed question marks all throughout your sentences.
Underrated comment 😂
😆 in 2020 ppl were saying they'd leave the USA if Trump was elected. I'm ready to leave to get away from the valley girl accent that's so popular with the hipstERS & liberal medIAAA.
😣🔫
awesome video with clear explanations thank you
This GIF COULD.. thank you very much...
I waited all the way to the end to find out I couldn't do this to myself to give me root.
great and clear explanation
Thanks! Means a lot
ROP is certainly a fun way to program.
sheesh, thats a lot of information^^
Wow that is brilliant!
I know lol 🤯
Wow, awesome 🙂
Would the reverse shell and commands sent to it have the same permissions as Whatsapp in this case?
It would. All commands would be executed within WhatsApp context, allowing one to steal files from the WhatsApp sandbox, including the message database, as Awakened mentioned in his original report. I should have explained this in more detail within the video.
Wow i didnt understand anything but it was very informative , thank you
Amazing explanation
Thank you
Does comp sci teach that the word asterisk is asterix or something. Beautiful video. Smart lad, amazing explanation, clearly understand hardware and software and programming languages super well. And then asterix. You get my sub, but my question as well.
LOL, didn't really think of the pronunciation while I was filming. Thanks for the feedback!
What if I want to use Obelix instead?
amazing, it's sooo old school tech movie getting control of a device with a gif... I can't beleive it hahaha
great video ! thanks for it !
Thanks!! Glad you have you here!
LEMMiNO background music is 🔥
I couldn't agree with you more. LEMMiNO is the GOAT.
Similar to how originals of edited jpeg images were recovered in an exploit that manipulated leftover space inside a buffer to reconstruct the bits of the original. For the most part you would recover only the later bits corresponding to pixels of the original because of how the file would be saved coupled with the top-down rendering of your device. The jpeg once saved after editing/cropping/redactions could therefore still have the information, but this gif exploit would basically take that one step further in regards to abusing the rendering method, by re-filling up the empty space with (insert any smol footprint exploit payload)
And the beauty of gif, is that can be looped. Which can also be a bigger issue if the gif allows itself to talk directly into terminal with certain commands. Persistence can be achieved and hidden (in perpetuity) if done correctly.
But doesn't this exploit require the page where the gif is stored to have code execution access? and it most likely will only have read-write
Did you absolutely have to select the valley girl voice for the narration?
Rooting Android phones should use this method, because each phone being nearly impossible to unlock and install a custom ROM I would rather use an exploit like this to root the device, and removing vendor locks placed on the device so you have complete control and access to everything the device has.
I've also thinking the same
We got to love the clickbait...
Honesty theses people who found this vulnerability first are very consistent
Wich version of android is vulnerable of this RCE?
We should really start thinking about virtualizing apps on every platform...
More virtualization needs more memory
@@25_26 you'd think we have plenty... I wouldn't mind spending extra $50 knowing my phone is secure
Assembly, memory allocation, graphics programming, for an attack? Are you kidding me? Who is going to go for all this trouble?
It has to be some government or a large interprise.
Very cool
not as cool as you
I couldn't understand this even if this was drawn and explained to me 1 million times in a row.
Reminds me of those funny adult ads in gif format..
I don't know why I clapped when I finished watching the video. What an amazing explanation. Im still learning but this was a lot of fun!
What a wholesome comment LOL. Means a lot
Classic, not the first time realloc breaks something
yup, gotta love C
Commenting for the algorithm. Love the low level explanation of these vulnerabilities.
My first 'commenting for the algorithm' comment LOOOOOOOL. Thank you for the support!! Means a lot 😊
ah its crazy internation dude 🎉
The people that find these are on another level 🧠
I know, it really is incredible 🤯
Thank God! I never used WhatsApp!
I remember when a picture would backdoor any android phone..ahh how the times have changed
subscribed
Can this exploit work on other messaging application that are not patched yet ? and where i found that gif exploit.
Maybe I'm stupid, why does it let you define a zero width/height? What possible use case would that serve?
"this gif can backdoor any android phone!*"
* as long as the phone is this specific model made between these 2 specific dates with this specific version of android and needs to have this specific version of a specific app installed and needs a cosmic ray to flip a specific bit in a specific part of memory at this specific time
or at least that's how I see most "brand new 0 day 0 click (some other fancy words) exploits that will kill your dog"
Sometimes, but first of all if you spread it to thousands of devices you're going to hit a lot, and second of all this one just needs your firmware + whatsapp version to be older than newest.
But I have to admit this shell is pretty much useless without privilege escalation
Your intonation has "burger king foot-lettuce" vibes 💀
yeah ik but I think i finally fixed it in my most recent video
lovely
Good video, strange voice.
You said function pointer and I literally went WHAT IN THE LIVING SECURITY HOLE IS THIS SHIT
Needed to say no more, I instantly understood the gravity of this exploit
yep, that will do it LOL
It’s pronounced “Jif” like the peanut butter according to Steve Wilhite, creator of GIF.
this is kind of bad ass
That's why I use Signal and Matrix, and I have any auto download media disabled on my phone.
Nice video i am new to your channel and i am very interested in this types of topics, but i am not pro in doing these things practically can we get practical video to craft melecius. Gif abd get reverse shell
amazing vide0
Nice
I wonder why they changed that instead of leaving it as it was in upstream
I'm FREE! FREE! Oh crap, its a double free statement.
It seems like rather than backdooring ANY Android phone it can only backdoor phones with both WhatsApp AND a second, specifically malicious app already installed?
Can you disable automatic GIF looping in Whatsapp as a workaround?
I don't use FB or Whatsapp
I'm hoping this is an AI voice.
💀
Most of his sentences sound like questions with his intonation. What accent is that?
@@daveyhodge Sounds like SoCal geek to me. Maybe a little homeschooling thrown in.
Is there a version of this gif that just roots your phone without the need of reinstalling the entire OS and losing your data?
I always wonder why nobody uses exploits like this to just make easy no-fuss rooting tool.
That'd be great
Even temp root would be better than nothing. I would settle for google cloud app data backups that work.
It's pretty darn easy to root, people just want to use the most latest devices, which some are currently not root able. Like us verisons of Samsung phones but European verisons are able to root because of unlocked bootloader. The one plus series are the most easiest to root even the brand new one.
@@Slowburnripz I think a distinction should be made between actual rooting, which lets you access all your own info / hidden app data / etc, and bootloader unlocking, which explicitly deletes it.
@@Slowburnripz Not if you want to keep your files on the device though. Also "easy" is relative, since all known methods require you to install some weird software and connect your phone to your computer.
Ideally EU or some other entity would enforce a single click root for all the devices. Why is there no switch in the Android's menu to easily root phone, similar to "developer settings" one is beyond me.
but it will not give you root access, only sandboxed access to the application that has the rce, which makes it pretty much useless.
there needs to be another step before an attacker gets access to your phone, it needs a root shell.
so to get this vulnerability which allows you to gain access to the phone, first you have to gain access to the phone to get the function addresses, got it
Fadcinating to hear music made by one TH-camr (lemmino's cicaida) in another TH-camr's video
Yep, he posts all of his music publicly and lets other creators use them. Gotta love LEMMiNO. It's credited in my description too - I used 2 of his songs in this video.
Where can i get the tool to try this out myself
bruh this is like 2022 gif incident on discord ... reboot
Am I missing something? Reallocing with size 0 should never return the same pointer? (as mentioned in 5:15)
I see, sorry for the confusion! To clarify, under regular circumstances in a regular environment, this is absolutely correct, as mentioned @ 4:35.
It is Android itself that caused the predetermined realloc behaviour, as mentioned @ 5:00 and 5:30.
The vulnerability is actually 3-fold:
1. Android OS returning the same memory address twice after a double free
2. The android-gif-drawable library causing a double free in the first place
3. WhatsApp double parsing GIFs, enabling any real harm to be caused from the double free
You would need all three of these conditions to be present for this to be exploitable. The Android behaviour you are pointing out is actually contributing to the exploit (which should NOT be happening).
@@DanielBoctor Sorry, it might be that my question was unclear. As per standard realloc should always return a pointer, that can be passed to free/realloced with size 0.
That means that, as long as you use the pointer returned by realloc (and don't reuse the pointer you passed to realloc) you could call realloc infinitely often.
Even with size 0.
@@DanielBoctor ooh, I looked at the commit that it was patched. The problem is, that realloc returning NULL is valid behaviour for size 0 realloc. This however gets interpreted as an error bc of low memory. In that case, the pointer doesn't get updated and will be passed again to realloc the next frame (but it was already freed).
How is a Human able to find such a specific interaction of multiple exploit? Do they really search for them or do they find them by chance?
Basically by guessing from experience what can happen and then trying everything.
And of course you can also analyse the actual code.
more reasons to use rust
Call me dumb or ignorant but why is it even allowed to have exactly one dimension be 0? Wouldn't you need two integers of at least 1 to even display anything?
As I understand it this bug would be a non-issue if there's only one possible "aspect ratio" (if you can even call it that for 1-dimension) involving 0.
The fix could literally be (pseudo-code)
if(height0);
assuming we derive a binary (single digit) boolean from the arithmetic operation denoting if the other dimension exists/>0 with either 1 or 0, we can just multiply it (dunno if it's actually faster with the if, otherwise replicate the last line switching height & width).
crazy how the title is a lie.