Android-Gif-Drawable Double-Free

2019.11.28

Marcin Kozlowski (PL)

Risk: High

Local: No

Remote: Yes

CVE: CVE-2019-11932

CWE: CWE-415

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

Hi list,

CVE-2019-11932 is a vulnerability in the android-gif-drawable library. Yet
the CVE text doesn't mention "android-gif-drawable". It only mentions
WhatsApp. There could be over 28,400 free Android apps that use this
library.

And it seems that quite a few (24) of those 28k+ apps other than WhatsApp
that use android-gif-drawable have install bases just as large as the
WhatsApp install base (1 billion+, per Google Play).

In example, Viber Version from Sep 2019 (11.6.0.15) is vulnerable to
CVE-2019-11932 (double free in libpl_droidsonroids_gif) . Latest 11.9.1 not
anymore. Stacktrace from vuln version:
https://gist.github.com/marcinguy/c4ed223b27f0bd354b43ff23de875ffe

Great work was made to compile list of apps using the framework:

https://gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263

Patch it up folks

Nice idea would be to create shodan or Wappalyzer search engine for Android
Apps frameworks. Count me in, if you want to build something like this.


Thanks,
Marcin

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Android-Gif-Drawable Double-Free

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.