Signal has patched a code injection vulnerability that attackers could exploit to achieve remote code execution.
The security team for the encrypted communications app, a program which has been available for both Android and iOS since November 2015, published a fix for the bug just hours after first being contacted by a group of security researchers.
Iván Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo, with assistance from Javier Lorenzo Carlos Smaldone, accidentally discovered the vulnerability on 10 May. They were passing XSS payloads back and forth when one of the payloads triggered in Signal's desktop version. Further investigation confirmed that the weakness worked on different platforms including Linux, Windows and macOS.
Iván Ariel Barrera Oro shared additional details about the vulnerability in a blog post:
We tried different kinds of HTML elements: img, form, script, object, frame, frameset, iframe, sound, video (these last two were funny). They all worked, except that CSP blocked the execution of scripts, which halted in some way this attack. Inside iframes, everything was possible, even loading code from an SMB share! This enables an attacker to execute remote code without caring about CSP. Juliano worked on this with Alfredo, along with trying to get a manageable segmentation fault.
— Ivan EQU HacKan (@HacKanCuBa) May 11, 2018
Shortly after publishing the above Twitter notification on 11 May, the security researchers reached out to Signal. The encrypted messaging app's security team confirmed two hours later that they were working on a patch. It took just one more hour for Signal's security team to release it.
Iván Ariel Barrera Oro was surprised at how quickly Signal released the fix, especially given its size. He therefore decided to have a look
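As an added illustration of the weakness the researchers describe above (this is not code from Signal or from the article), the JavaScript below shows the rendering-side fix, escaping message text before it is inserted into the page, and a small Content-Security-Policy parser that reports which sources a policy permits inside iframes by following the frame-src, then child-src, then default-src fallback. The policy strings and the function names are constructed for the example.

```javascript
// Added example, not code from Signal or from the article. Two defender-side
// checks for the bug class described above: escapeHtml() neutralises injected
// markup before a chat message is rendered, and effectiveFrameSources() reads
// a Content-Security-Policy string to show what an <iframe> may load, since a
// policy that only restricts script-src leaves framing unrestricted.

// Escape the characters that let message text become markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Parse a CSP string into { directiveName: [sourceExpressions] }. As in the
// spec, when a directive is repeated only the first occurrence counts.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Sources governing iframe content, following the CSP fallback chain
// frame-src, then child-src, then default-src. Returns null when none of
// them is present, meaning an <iframe> may point anywhere.
function effectiveFrameSources(policy) {
  const directives = parseCsp(policy);
  for (const name of ['frame-src', 'child-src', 'default-src']) {
    if (name in directives) return directives[name];
  }
  return null;
}

// True when the policy actually constrains framing: a governing directive
// exists and it is not the wildcard.
function framingRestricted(policy) {
  const sources = effectiveFrameSources(policy);
  return sources !== null && !sources.includes('*');
}

// Constructed policies for illustration: the first stops inline scripts but
// says nothing about frames, the second closes that gap.
const SCRIPT_ONLY_POLICY = "script-src 'self'";
const HARDENED_POLICY = "script-src 'self'; frame-src 'none'; object-src 'none'";
```

Running framingRestricted() over each policy shows why a script-only policy was not enough: only the hardened one returns true.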
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/latest-security-news/signal-patches-code-injection-bug-that-enabled-remote-code-execution/