Signal Client v6.2 and earlier versions vulnerable to CVE-2023–24068 & CVE-2023–24069
After I read the PoC from John Jackson, I had to try. I ran into my computer and checked the version of the Signal Client that I had installed. The version is 6.2.0, which is allegedly vulnerable. So I started reading about how I can exploit the CVE-2023–24068. And this brings us to CVE-2023–24069:
Signal Desktop before 6.2.0 on Windows, Linux, and macOS allow an attacker to obtain potentially sensitive attachments sent in messages from the attachments.noindex directory. The cached attachments are not effectively cleared. In some cases, even after a self-initiated file deletion, an attacker can still recover the file if it was previously replied to in a conversation.
So the first step here is to try to figure out what is the possibility of finding the attachments.noindex directory, which was fairly simple. The path in Windows is :
C:\Users\<YourUsername>\AppData\Roaming\Signal\attachments.noindex
So let’s try to see if we can access unencrypted data in the folder. I downloaded a test image (what is better than the old TV color chart). And I proceeded to send it into a chat:
And immediately after, I looked at where the image was being stored in the desktop client ( just go to the attachments.noindex directory and sort by date):
On the last modified file I modified the file extension and set as png:
After changing the file extension, I was able to recover the image:
So we can determine that the files are being stored unencrypted in the folder. Actually, I was able to recover files that date from mid-last year. I tried deleting the file and the image in the chat and I was still able to see it in the folder.
After validating that we can exploit CVE-2023–24069, we will proceed to attempt the exploit of CVE-2023–24068, where the descriptions reads like:
Signal Desktop before 6.2.0 on Windows, Linux, and macOS allows an attacker to modify conversation attachments within the attachments.noindex directory.
So it seems that the client fails to validate modifications of existing cached files, resulting in an attacker’s ability to insert malicious code into pre-existing attachments or replace them entirely. A threat actor can forward the existing branch in the corresponding conversation to external groups, and the name and size of the file will not change, allowing the malware to masquerade as another file.
So I will proceed to send, this time a different image, a blue square for simplicity. So the first step was to create the square and send it in the conversation:
I proceeded to the folder where the images are stored in an unencrypted fashion, and then I modified the image with another one that actually was a blue square, and I proceeded to forward the message to another chat…
Can you guess what was sent?
And as simple as this is how we do it!
We can simply replace any kind of image for an equivalent with some code embedded there, or in the case of other file types like .pdf or word document, some scripts and macros can be used, which makes them much more dangerous!
So be on the lookout for updates for the Signal desktop client!
Sources:
https://nvd.nist.gov/vuln/detail/CVE-2023-24069
https://nvd.nist.gov/vuln/detail/CVE-2023-24068
https://johnjhacking.com/blog/cve-2023-24068-cve-2023-24069/
