CVE-2022-27492: An integer underflow in WhatsApp causing remote code execution when receiving a crafted video file

Secpy Community, published in InfoSec Write-ups
Sep 28, 2022

Written by: anshul vyas

Overview

A crafted video file could have triggered a remote code execution due to an integer underflow in WhatsApp. An unspecified code block of the component Video File Handler is affected by this RCE bug. This vulnerability is caused by manipulating unknown inputs that can corrupt memory. A malicious attacker would need to convince a user to play a crafted video file dropped into their WhatsApp messenger to exploit this vulnerability.

Integer Underflow

An integer underflow error occurs when an arithmetic integer operation assigns a negative value to a number that should always be positive. For example, if you add the two 8-bit 2’s complement integers with values -120 and -9, you get -129, which is smaller than the smallest possible 8-bit 2’s complement number (-128). The integer has underflowed in this case. This is dangerous, since the result will have a different meaning when interpreted in the target integer size.

If interpreted as an 8-bit 2’s complement number, -129 would be 127. An integer underflow occurs if a negative number (meaning its most significant bit is set) is added to a non-negative number (meaning its most significant bit is not set). Integer overflows cannot occur when adding two numbers with a different sign. It is possible to check whether an integer overflow has occurred in a similar manner.

Array index errors with negative values are a perfect example of an integer underflow error. Often crashes and undefined behavior will result from this type of weakness. There is also a high probability of infinite loops when loop index variables overflow.

Result of Integer Underflow Occurring

Overflows, underflows, or wraparounds of integers can result in the following:

  1. If an integer overflow or underflow occurs in the program, mathematical computations will produce inaccurate results.
  2. If the affected variable controls a loop, an integer overflow can mean the loop's exit condition is never met, resulting in an infinite loop.
  3. When a variable is used to determine the amount of memory to allocate to a buffer, a negative value caused by integer overflow can result in a system crash.
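
The -120 + -9 case and the buffer-size consequence described above, as an added example that is not WhatsApp's code or part of the original article. The helper names and the header/total length scenario are hypothetical, and the inputs are constructed; each unchecked operation sits beside a checked form that rejects the input before doing the arithmetic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What an 8-bit register keeps: only the low 8 bits of the true sum. */
static int8_t add_i8_wrapping(int8_t a, int8_t b) {
    return (int8_t)(uint8_t)((uint8_t)a + (uint8_t)b);
}

/* Checked add: reject any sum outside [-128, 127] before computing it. */
static bool add_i8_checked(int8_t a, int8_t b, int8_t *out) {
    if (b < 0 && a < INT8_MIN - b) return false; /* would underflow */
    if (b > 0 && a > INT8_MAX - b) return false; /* would overflow */
    *out = (int8_t)(a + b);
    return true;
}

/* Hypothetical length math: bytes left after a header. If header > total,
 * the unsigned subtraction wraps to a huge value instead of going negative. */
static size_t body_len_unchecked(size_t total, size_t header) {
    return total - header;
}

/* Hardened form: validate the operands before subtracting. */
static bool body_len_checked(size_t total, size_t header, size_t *out) {
    if (header > total) return false;
    *out = total - header;
    return true;
}

int main(void) {
    int8_t sum = 0;
    size_t len = 0;
    /* Constructed inputs: the article's -120 + -9, and a 4-byte record
     * that claims an 8-byte header. */
    printf("wrapping -120 + -9 = %d\n", add_i8_wrapping(-120, -9));
    printf("checked  -120 + -9 accepted: %d\n", add_i8_checked(-120, -9, &sum));
    printf("unchecked 4 - 8 = %zu\n", body_len_unchecked(4, 8));
    printf("checked   4 - 8 accepted: %d\n", body_len_checked(4, 8, &len));
    return 0;
}
```

A wrapped length like the one returned by `body_len_unchecked` is what makes later allocation or copy sizes untrustworthy, which is why the check belongs before the subtraction rather than after it.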

Conclusion

By allocating the correct amount of memory to the variable used to store integer values, you can avoid integer overflows and underflows. Integer overflow can be detected by special data structures in some programming languages. Developers should take all necessary steps to prevent such runtime errors.
