CVE-2022–36934: An integer overflow in WhatsApp leading to remote code execution in an established video call

Published in InfoSec Write-ups (Secpy Community), Sep 27, 2022 (5 min read)

Written by: anshul vyas


Overview

CVE-2022-36934 is an integer overflow in WhatsApp that can result in remote code execution (RCE) during an established video call. Depending on the size of the value involved, the result of the arithmetic can exceed the maximum representable value or fall below the minimum one. An attacker who can write such an oversized value could overwrite other parts of the system's memory and misuse this to execute code remotely. The bug is reached by manipulating the WhatsApp Video Call Handler component so that a heap-based buffer overflow is triggered, which can allow WhatsApp Messenger to be taken over.

Integer Overflow

In most programming languages, integer values are allocated a fixed number of bits. A 32-bit integer data type, for instance, can hold unsigned integers ranging from 0 to 4,294,967,295 or signed integers ranging from −2,147,483,648 to 2,147,483,647. In signed integers, the most significant (first) bit usually indicates whether the value is positive or negative. What happens when you try to store a value greater than the maximum for the integer type, for example by computing 4,294,967,295 + 1, depends entirely on the language and compiler.

However, many languages and compilers raise no error at all and instead perform modulo operations, wraparounds or truncations, or behave in other undefined ways. The example above usually results in 0. Signed integers can produce even more unexpected results: when a signed integer exceeds its maximum value, the result usually becomes negative. For example, 2,147,483,647 + 1 is typically −2,147,483,648. Going below the minimum value (underflow) wraps around as well: −2,147,483,648 − 1 is usually 2,147,483,647.

Typecasting can also lead to integer overflows, not only the usual operations such as addition, subtraction or multiplication. An integer could, for example, be treated as unsigned by one operation and as signed by another, leading to an incorrect interpretation of the value. If an integer overflow occurs while calculating the length of a buffer, the buffer itself can then be overflowed.

Buffer Overflow

A buffer overflow occurs when a write to an area of memory within a software application reaches the boundary of that area and continues into an adjacent memory region. The stack and the heap are the two common targets for overflows in software exploit code. The heap is an area of memory from which the program can request blocks to use for its own purposes.

In a buffer overflow, information is written into memory areas that have already been allocated, and there are different types of overflow. Before a developer can write anything into memory, they must carve out some space inside the computer's memory; during the execution of an application, a great many variables and pieces of information need to be stored there.

Developers therefore need to be extremely careful to check what they put into that buffer. If a buffer is set to a specific size, you don't want someone else to store something larger than that buffer in it; otherwise you have a buffer overflow. Used in a specific manner, buffer overflows can be extremely powerful for the bad guys.

The problem is that finding a specific situation that allows you to overflow a buffer in a way that always produces a certain outcome, without crashing the computer, is extremely difficult. The aim is instead to have the computer grant special privileges, such as root access or administrator access to the operating system. If a buffer overflow can be repeatedly executed against an application or operating system that is susceptible to it, the bad guys can then access all systems that use it. We try to avoid this by patching or modifying applications that might be vulnerable to buffer overflows. The following is a simplified example of what a buffer overflow might entail.

It illustrates how information is manipulated by exploiting a buffer overflow. We have two variables, A and B, in memory. Nothing has been stored in variable A yet: it has a number of bytes available, but nothing has been written to that particular area of memory. Variable B, however, does contain data. As far as the bad guys are concerned, changing variable B will give them additional access to the computer. B holds 1979 in decimal, which is 07 BB in hexadecimal.

To change this byte, the hexadecimal 07, they do something else: they add information into variable A that overflows into variable B. The plan is to store the word "excessive" in variable A. As you can see, this overflows into the next byte: e-x-c-e-s-s-i-v-e, followed by the byte that normally terminates the string. Now that 65 (the final "e") sits in front of B, the hexadecimal value has changed. In decimal, hexadecimal 6500 equals 25,856, a very different number from what was there originally. All we did was change what was stored in A, and somehow we managed to modify what was stored in B, which isn't supposed to happen. At this point a buffer overflow has occurred, and the bad guy could be manipulating variables to do whatever they want.
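The two-variable walkthrough above, written out as an added C example (this is not code from the article). It assumes A is an 8-byte character buffer and B a 2-byte number placed directly after it in one struct, that B is read high byte first so it prints as 07 BB and 65 00 exactly as in the text, and that the input string is the article's "excessive". The unchecked copy mirrors an unbounded strcpy; the checked version beside it rejects any input that does not fit in A together with its terminator.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Two adjacent variables: A is an 8-byte character buffer and B a 2-byte
 * number that starts out holding 1979 (hexadecimal 07 BB).  Placing both in
 * one struct fixes their relative position, so the demonstration does not
 * depend on how a compiler happens to lay out local variables. */
struct frame {
    char    a[8];
    uint8_t b[2];   /* B as raw bytes, high byte first, matching the article's 07 BB */
};

/* Read B the way the article prints it: high byte first. */
unsigned read_b(const struct frame *f)
{
    return ((unsigned)f->b[0] << 8) | f->b[1];
}

static void set_b(struct frame *f, unsigned value)
{
    f->b[0] = (uint8_t)(value >> 8);
    f->b[1] = (uint8_t)(value & 0xFFu);
}

/* Vulnerable: copies the whole string including its terminating NUL without
 * checking the size of A (the behaviour of an unbounded strcpy).  "excessive"
 * is 9 characters plus NUL = 10 bytes, so the final 'e' (0x65) lands in the
 * first byte of B and the NUL in the second.  The copy is capped at the size
 * of the struct only so that the demonstration itself stays inside the object. */
static void unchecked_store(struct frame *f, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy(f, input, n);
}

/* Hardened: the input must fit in A together with its terminator, otherwise it
 * is rejected and nothing is written.  Returns 1 if stored, 0 if rejected. */
int checked_store(struct frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n >= sizeof f->a)
        return 0;
    memcpy(f->a, input, n + 1);
    return 1;
}

/* Runs the scenario with the vulnerable copy and returns B afterwards. */
unsigned b_after_unchecked_store(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    set_b(&f, 1979);
    unchecked_store(&f, input);
    return read_b(&f);
}

/* Same scenario with the bounded copy; B must come back unchanged. */
unsigned b_after_checked_store(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    set_b(&f, 1979);
    checked_store(&f, input);
    return read_b(&f);
}

/* Whether the hardened path accepts a given input at all. */
int checked_store_accepts(const char *input)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    return checked_store(&f, input);
}

int main(void)
{
    printf("B before               : %u (0x%04X)\n", 1979u, 1979u);
    printf("B after unchecked copy : %u (0x%04X)\n",
           b_after_unchecked_store("excessive"), b_after_unchecked_store("excessive"));
    printf("B after checked copy   : %u (0x%04X)\n",
           b_after_checked_store("excessive"), b_after_checked_store("excessive"));
    return 0;
}
```

Running it prints B as 1979 before, 25856 (0x6500) after the unchecked copy, and 1979 again after the checked copy, which refuses the nine-character input because A only has room for seven characters plus the terminator.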

Conclusion

A bug in an older version of OpenSSH caused a buffer overflow as a result of an integer overflow:

nresp = packet_get_int();                       /* count taken from the incoming packet */
if (nresp > 0)
{
    response = xmalloc(nresp * sizeof(char *)); /* size computed in 32 bits; can wrap to a tiny value */
    for (i = 0; i < nresp; i++)
        response[i] = packet_get_string(NULL);  /* still loops nresp times, writing past the buffer */
}

If nresp is 1073741824 and sizeof(char*) is 4 (which is typical), the expression nresp*sizeof(char*) overflows to 0, so xmalloc() allocates a 0-byte buffer. The subsequent loop then writes past that buffer, causing a heap buffer overflow that an attacker may be able to exploit to execute arbitrary code.
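The arithmetic from the Integer Overflow section and the OpenSSH case above, reproduced in an added C program (this is not the article's code and not OpenSSH's own code). It assumes 32-bit integers throughout, models sizeof(char*) on a 32-bit build with the constant PTR_SIZE_32 so the result is the same on a 64-bit host, and relies on two's-complement representation for the signed wraparound cases (signed overflow itself is undefined in C, so the wrapped value is computed in unsigned arithmetic and converted back). The max_responses bound in responses_allocated is an assumed parameter, not a value taken from OpenSSH.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* --- 32-bit arithmetic from the Integer Overflow section --- */

/* Unsigned wraparound is well defined in C: 4,294,967,295 + 1 == 0. */
uint32_t wrap_add_u32(uint32_t a, uint32_t b)
{
    return a + b;
}

/* Signed overflow is undefined behaviour in C, so the wrapped result is
 * computed in unsigned arithmetic and converted back.  On a two's-complement
 * target (assumed here) this yields the values quoted in the article:
 * INT32_MAX + 1 == INT32_MIN and INT32_MIN - 1 == INT32_MAX. */
int32_t wrap_add_s32(int32_t a, int32_t b)
{
    return (int32_t)((uint32_t)a + (uint32_t)b);
}

/* Typecasting: the same 32 bits read as unsigned.  A "length" of -1 that
 * passes a signed check becomes 4,294,967,295 once used as an unsigned size. */
uint32_t as_unsigned(int32_t v)
{
    return (uint32_t)v;
}

/* --- The OpenSSH pattern --- */

/* sizeof(char *) on the 32-bit build described above, fixed as a constant so
 * the demonstration behaves identically on 64-bit hosts (assumption). */
#define PTR_SIZE_32 4u

/* Vulnerable: the byte count is computed in 32 bits and wraps.
 * 1073741824 * 4 == 2^32, which is 0 in a uint32_t. */
uint32_t vulnerable_alloc_size(uint32_t nresp)
{
    return nresp * PTR_SIZE_32;
}

/* Hardened: detect the overflow before the allocation ever happens.
 * Returns the byte count, or -1 if nresp * PTR_SIZE_32 would not fit in 32 bits. */
int64_t safe_alloc_size(uint32_t nresp)
{
    if (nresp > UINT32_MAX / PTR_SIZE_32)
        return -1;
    return (int64_t)(nresp * PTR_SIZE_32);
}

/* Second defence: bound the count itself and let calloc(), which takes count
 * and element size separately, perform its own overflow check.
 * max_responses is an assumed parameter, not OpenSSH's value.
 * Returns 1 if the table was allocated (it is freed again), 0 if refused. */
int responses_allocated(uint32_t nresp, uint32_t max_responses)
{
    if (nresp == 0 || nresp > max_responses)
        return 0;
    char **table = calloc(nresp, sizeof(char *));
    if (table == NULL)
        return 0;
    free(table);
    return 1;
}

int main(void)
{
    printf("4294967295 + 1          = %u\n", wrap_add_u32(UINT32_MAX, 1));
    printf("2147483647 + 1          = %d\n", wrap_add_s32(INT32_MAX, 1));
    printf("-2147483648 - 1         = %d\n", wrap_add_s32(INT32_MIN, -1));
    printf("(uint32_t)-1            = %u\n", as_unsigned(-1));
    printf("vulnerable size(2^30)   = %u bytes\n", vulnerable_alloc_size(1073741824u));
    printf("safe size(2^30)         = %lld\n", (long long)safe_alloc_size(1073741824u));
    printf("allocate 2^30 responses = %d\n", responses_allocated(1073741824u, 100));
    return 0;
}
```

The division-based check in safe_alloc_size is the portable way to catch a multiplication overflow before it happens; the count bound in responses_allocated is cheaper still and is the kind of limit that stops the request long before any size arithmetic is done.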
