Document Title:
===============
Wickr Desktop v2.2.1 Windows - Denial of Service Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1377


Release Date:
=============
2014-12-25


Vulnerability Laboratory ID (VL-ID):
====================================
1377


Common Vulnerability Scoring System:
====================================
3.3


Product & Service Introduction:
===============================
Wickr (pronounced `wicker`) is a proprietary instant messenger for iPhone and Android. Wickr allows users to exchange end-to-end encrypted and 
self-destructing messages, including photos and file attachments. The `self-destruct` part of the software is designed to use a `Secure File Shredder` 
which the company says `forensically erases unwanted files you deleted from your device`. However the company uses a proprietary algorithm to manage 
the data, a practice which is prone to error according to many security experts.

On January 15, 2014, Wickr announced it is offering a US$100,000 bug bounty for those who find vulnerabilities that significantly impact users. In addition, 
a recipient can in general use other software and techniques like screen-capture capabilities or a separate camera to make permanent copies of the content.

(Copy of the Homepage: https://wickr.com/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a denial of service web vulnerability in the offical Wickr Desktop v2.2.1 windows software.


Vulnerability Disclosure Timeline:
==================================
2014-12-25:  Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Wickr Inc.
Product: Wickr - Desktop Software (Windows) 2.2.1


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A local denial of service vulnerability has been discovered in the official Wickr TSM v2.2.1 (MSI) windows software.
The issue allows local attackers to crash or shutdown the software client by usage of special crafted symbole payloads.

The wickr v2.2.1 (msi) software crashs with unhandled exception in the CFLite.dll by the qsqlcipher_wickr.dll when processing to include 
special crafted symbole strings 
as password or name. The issue occurs after the input of the payload to the `change name friend contacts`-, `the wickr password auth`- 
and the `friends > add friends` input fields. Attackers are able to change the name value of the own profile (payload) to crash the 
wickr client. Local attackers can include the payload to the input fields to crash/shutdown the application with unhandled exception.

The security risk of the denial of service vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3. 
Exploitation of the DoS vulnerability requires a low privileged application user account and low user interaction. Successful exploitation of 
the vulnerability results in an application crash or service shutdown.


Vulnerable Module(s):
        [+] friend contacts
        [+] wickr password auth
        [+] friends

Vulnerbale Input(s):
        [+] add friends (name)
        [+] wickr password auth
        [+] change friend (update name)

Vulnerable Parameter(s):
        [+] name (value input)
        [+] password (vale input)


Proof of Concept (PoC):
=======================
The denial of service web vulnerability can be exploited by remote attackers and local attackers with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Download Wickr v2.2.1 for windows to your windows 8 box (mywickr.info/download.php?p=4) 
2. Install the wickr windows version of the software to your windows 8 box
3. Create an new account and include the payload to the password input field
Note: After the payload has been processed to the auth, the software crashs. You should attach a debugger ago.
4. Successful reproduce of the first issue!
5. We register a new account with regular values
6. Open the friends > add friends section and include the payload to the search input value
Note: After the payload has been processed to add the friend, the software crashs. You should attach a debugger ago.
7. Successful reproduce of the second issue!
8. We open the software again and login. Switch to the existing friends contacts and edit the profile
9. Include in the name values the payload and save the settings
Note: After the payload has been processed to change to the name, the software crashs. You should attach a debugger ago.
4. Successful reproduce of the third issue!


Payload: Denial of Service
็¬็ส็็็็็ -็็็็็็็็็็็็็็็็็็็็ส็¬็็็็็็็็¬็็็็็็็็็็็็็็็็ส็็็็¬็็็็็็็็็-็็็็็็็ ็็็็็ส็็็็็็็¬็็็็็็็็็็¬็็็็็็็็ส็็็็็็็็็็¬็็็็็็็็็็็ ¬็็็็ส็็็็็็็็็็็็็¬็็็็ ็็็็็็็็¬ส็็็็็็็็็็็็็็็็-็็็็็็็็็ส็็็็็็็็็็็็็็็็็็็ ¬็็็็็็ส็็็็็็็¬ส็็็็็็็็็็็็็็็็็็็็็็็็็ส็็็¬¬็็็็็็็็็็็็็็็็็็็็็็ส็็็็็็¬็ 


--- Error Report Logs ---
EventType=APPCRASH
EventTime=130628671359850105
ReportType=2
Consent=1
UploadTime=130628671360390638
ReportIdentifier=df89d941-8208-11e4-be8b-54bef733d5e7
IntegratorReportIdentifier=df89d940-8208-11e4-be8b-54bef733d5e7
WOW64=1
NsAppName=Wickr.exe
Response.BucketId=96ac0935c87e28d0d5f61ef072fd75b8
Response.BucketTable=1
Response.LegacyBucketId=73726044048
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Wickr.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=0.0.0.0
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=02849d78
Sig[3].Name=Fehlermodulname
Sig[3].Value=CFLite.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=53f6c178
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00027966
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.3.9600.2.0.0.256.48
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=5861
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=5861822e1919d7c014bbb064c64908b2
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=84a0
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=84a09ea102a12ee665c500221db8c9d6
UI[2]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
UI[3]=Wickr.exe funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
... ...  ... ...
LoadedModule[103]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\sqldrivers\qsqlcipher_wickr.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Wickr.exe
AppPath=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=6A5425CE651532265F599A5A86C6C2EE



Security Risk:
==============
The security risk of the denial of service web vulnerability in the wickr windows client software is estimated as medium. (CVSS 3.3)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com     - www.vuln-lab.com                 - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com   - research@vulnerability-lab.com              - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com  - vulnerability-lab.com/contact.php             - evolution-sec.com/contact
Social:      twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab              - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php  - vulnerability-lab.com/rss/rss_upcoming.php       - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php  - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

        Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt