WhatsApp Messenger 2.11.431/2.11.432 on Android Message denial of service
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
4.8 | $0-$5k | 0.00 |
A vulnerability classified as problematic was found in WhatsApp Messenger 2.11.431/2.11.432 on Android (Messaging Software). An unknown part of the component Message Handler is affected. Manipulation with an unknown input leads to a denial of service vulnerability. CWE classifies the issue as CWE-404: the product does not release, or incorrectly releases, a resource before it is made available for re-use. The impact is on availability.
The weakness was published 12/01/2014 by Indrajeet Bhuyan as "Crash Your Friends' WhatsApp Remotely with Just a Message" in a news article (website); the advisory is available for download at thehackernews.com. The public release happened without coordination with the vendor. The attack can be launched remotely and requires no form of authentication. Technical details are unknown, but a public exploit is available. The advisory points out:
In a video demonstration, they showed how a 2000-word (2 KB in size) message in a special character set can crash the WhatsApp messenger app. Previously it was discovered that sending a huge message (greater than 7 MB in size) on WhatsApp could crash the victim's device and app immediately, but using this new exploit an attacker only needs to send a very small (approx. 2 KB) message to the victim.
A public exploit has been developed in Binary Data and been published immediately after the advisory. The exploit is shared for download at pastebin.com. It is declared as proof-of-concept.
The news contains the following remark:
The worrying impact of the vulnerability is that the user who received the specially crafted message will have to delete his/her whole conversation and start a fresh chat, because opening the message keeps on crashing WhatsApp unless the chat is deleted completely.
The vulnerability is also documented in the vulnerability database at X-Force (99282). Further details are available at spiegel.de.
Not Affected
- Apple iOS
- Microsoft Windows Phone
- RIM BlackBerry
CVSSv3
VulDB Meta Base Score: 5.3
VulDB Meta Temp Score: 4.8
VulDB Base Score: 5.3
VulDB Temp Score: 4.8
Exploiting
Class: Denial of service
CWE: CWE-404
ATT&CK: T1499
Local: No
Remote: Yes
Access: Public
Status: Proof-of-Concept
Countermeasures
Recommended: no mitigation known
Timeline
- 12/01/2014
- 12/01/2014
- 12/01/2014
- 12/04/2014
- 07/08/2017
Sources
Advisory: Crash Your Friends' WhatsApp Remotely with Just a Message
Researcher: Indrajeet Bhuyan
Status: Not defined
X-Force: 99282 - WhatsApp unspecified denial of service, Medium Risk
SecurityFocus: 71410 - WhatsApp Denial of Service Vulnerability
scip Labs: https://www.scip.ch/en/?labs.20130704
Entry
Created: 12/04/2014 15:56
Updated: 07/08/2017 14:17
Changes: 12/04/2014 15:56 (63), 07/08/2017 14:17 (1)