List: full-disclosure
Subject: [FD] Wickr Desktop v2.2.1 Windows - Denial of Service Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-12-25 11:40:30
Message-ID: 549BF7AE.1020108 () vulnerability-lab ! com
Document Title:
===============
Wickr Desktop v2.2.1 Windows - Denial of Service Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1377
Video:
http://www.vulnerability-lab.com/get_content.php?id=1388
Release Date:
=============
2014-12-25
Vulnerability Laboratory ID (VL-ID):
====================================
1377
Common Vulnerability Scoring System:
====================================
3.3
Product & Service Introduction:
===============================
Wickr (pronounced `wicker`) is a proprietary instant messenger for iPhone and Android. Wickr \
allows users to exchange end-to-end encrypted and self-destructing messages, including photos \
and file attachments. The `self-destruct` part of the software is designed to use a `Secure \
File Shredder` which the company says `forensically erases unwanted files you deleted from \
your device`. However the company uses a proprietary algorithm to manage the data, a practice \
which is prone to error according to many security experts.
On January 15, 2014, Wickr announced it is offering a US$100,000 bug bounty for those who find \
vulnerabilities that significantly impact users. In addition, a recipient can in general use \
other software and techniques like screen-capture capabilities or a separate camera to make \
permanent copies of the content.
(Copy of the Homepage: https://wickr.com/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a denial of service web vulnerability in \
the official Wickr Desktop v2.2.1 Windows software.
Vulnerability Disclosure Timeline:
==================================
2014-12-25: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Wickr Inc.
Product: Wickr - Desktop Software (Windows) 2.2.1
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A local denial of service vulnerability has been discovered in the official Wickr TSM v2.2.1 \
(MSI) Windows software. The issue allows local attackers to crash or shut down the software \
client by using specially crafted symbol payloads.
The Wickr v2.2.1 (MSI) software crashes with an unhandled exception in the CFLite.dll by the \
qsqlcipher_wickr.dll when it processes specially crafted symbol strings as password or name. \
The issue occurs after the payload is entered into the `change name friend contacts`, \
`the wickr password auth` and `friends > add friends` input fields. Attackers \
are able to change the name value of their own profile (payload) to crash the Wickr client. \
Local attackers can include the payload in the input fields to crash/shut down the application \
with an unhandled exception.
The security risk of the denial of service vulnerability is estimated as medium with a cvss \
(common vulnerability scoring system) count of 3.3. Exploitation of the DoS vulnerability \
requires a low privileged application user account and low user interaction. Successful \
exploitation of the vulnerability results in an application crash or service shutdown.
Vulnerable Module(s):
[+] friend contacts
[+] wickr password auth
[+] friends
Vulnerable Input(s):
[+] add friends (name)
[+] wickr password auth
[+] change friend (update name)
Vulnerable Parameter(s):
[+] name (value input)
[+] password (value input)
Proof of Concept (PoC):
=======================
The denial of service web vulnerability can be exploited by remote attackers and local \
attackers with low user interaction. For security demonstration or to reproduce the \
vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Download Wickr v2.2.1 for Windows to your Windows 8 box (mywickr.info/download.php?p=4)
2. Install the Wickr Windows version of the software to your Windows 8 box
3. Create a new account and include the payload in the password input field
Note: After the payload has been processed to the auth, the software crashes. You should \
attach a debugger beforehand.
4. Successful reproduce of the first issue!
5. We register a new account with regular values
6. Open the friends > add friends section and include the payload in the search input value
Note: After the payload has been processed to add the friend, the software crashes. You should \
attach a debugger beforehand.
7. Successful reproduce of the second issue!
8. We open the software again and login. Switch to the existing friends contacts and edit the \
profile
9. Include in the name values the payload and save the settings
Note: After the payload has been processed to change the name, the software crashes. You \
should attach a debugger beforehand.
10. Successful reproduce of the third issue!
Payload: Denial of Service
--- Error Report Logs ---
EventType=APPCRASH
EventTime=130628671359850105
ReportType=2
Consent=1
UploadTime=130628671360390638
ReportIdentifier=df89d941-8208-11e4-be8b-54bef733d5e7
IntegratorReportIdentifier=df89d940-8208-11e4-be8b-54bef733d5e7
WOW64=1
NsAppName=Wickr.exe
Response.BucketId=96ac0935c87e28d0d5f61ef072fd75b8
Response.BucketTable=1
Response.LegacyBucketId=73726044048
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Wickr.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=0.0.0.0
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=02849d78
Sig[3].Name=Fehlermodulname
Sig[3].Value=CFLite.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=53f6c178
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00027966
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.3.9600.2.0.0.256.48
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=5861
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=5861822e1919d7c014bbb064c64908b2
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=84a0
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=84a09ea102a12ee665c500221db8c9d6
UI[2]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
UI[3]=Wickr.exe funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
... ... ... ...
LoadedModule[103]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\sqldrivers\qsqlcipher_wickr.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Wickr.exe
AppPath=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=6A5425CE651532265F599A5A86C6C2EE
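For triage, a report like the one above can be read mechanically. The following Python sketch is an added example, not part of the original advisory or of Wickr's code: it parses WER key=value text and reads the APPCRASH signature by slot index, because the label strings are localized (German in this report). The sample input is a constructed excerpt of the report quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: a trimmed excerpt of the report quoted in the advisory.
SAMPLE_WER = r"""EventType=APPCRASH
Sig[0].Name=Anwendungsname
Sig[0].Value=Wickr.exe
Sig[3].Name=Fehlermodulname
Sig[3].Value=CFLite.dll
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00027966
... ... ... ...
LoadedModule[103]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\sqldrivers\qsqlcipher_wickr.dll
"""

# APPCRASH signature slots are positional (as in the report above); the .Name
# labels are localized, so key on the index rather than on the label text.
APPCRASH_SLOTS = {0: "app", 3: "fault_module", 6: "exception_code", 7: "exception_offset"}
# Small subset of NTSTATUS codes, only to make the summary readable.
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION", 0xC00000FD: "STATUS_STACK_OVERFLOW"}
LINE = re.compile(r"^(?P<key>[A-Za-z]+)(?:\[(?P<idx>\d+)\])?(?:\.(?P<field>\w+))?=(?P<val>.*)$")

def parse_wer(text):
    """Parse WER text into {'scalars': {...}, 'Sig': {idx: {field: val}}, ...}."""
    report = {"scalars": {}}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skips elision markers ("... ...") and blank lines
        key, idx, field, val = m["key"], m["idx"], m["field"], m["val"]
        if idx is None:
            report["scalars"][f"{key}.{field}" if field else key] = val
        else:
            report.setdefault(key, {}).setdefault(int(idx), {})[field or "Value"] = val
    return report

def triage(report):
    """Summarize an APPCRASH report; returns None for other event types."""
    if report["scalars"].get("EventType") != "APPCRASH":
        return None
    sig = report.get("Sig", {})
    out = {name: sig.get(i, {}).get("Value") for i, name in APPCRASH_SLOTS.items()}
    code = int(out["exception_code"], 16) if out["exception_code"] else None
    out["exception_name"] = NTSTATUS.get(code, "unknown")
    out["modules"] = sorted(v["Value"].rsplit("\\", 1)[-1].lower()
                            for v in report.get("LoadedModule", {}).values())
    return out
```

Run over the sample, `triage(parse_wer(SAMPLE_WER))` reports CFLite.dll as the faulting module with an access violation at offset 00027966, matching the advisory's description.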
Security Risk:
==============
The security risk of the denial of service web vulnerability in the wickr windows client \
software is estimated as medium. (CVSS 3.3)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) \
[www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) \
to get a permission.
Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt