Facebook Messenger Remote Denial of Service Vulnerability Report by Social Engineering Neo.


Affected Platforms: -
Android ≤9
IOS ≤11
Messenger
Messenger Lite


Tested On: -
Android 6 & 7
IOS 11
Messenger (build 228.1.0.10.116)
Messenger Lite (build 65.0.1.18.236)


Class: -
Denial of Service.


Summary: -
All versions of Messenger Lite and Multiple Versions of Messenger are susceptible to a Remote Denial of Service Vulnerability.


Short Description: -
A user can remotely crash a user’s Messenger application by sending a message containing a single character.


Long Description: -
'ATTACKER' sends a single soft hyphen to 'VICTIM'
Upon opening the message, the Messenger application on 'VICTIM' device crashes when loading the single character.


Proof of Concept: -
####
Tested on Latest Version of Messenger Lite on Android 6

'ATTACKER' send single soft hyphen to 'VICTIM'
'VICTIM' open message sent by 'ATTACKER'
####

VIDEO: -   https://youtu.be/En1npDpgv_o


Expected Result: -
It shouldn't be possible to remotely crash the application on a remote user’s device.


Observed Result: -
Application remotely crashes upon loading message.


Our Recommendation:
Change the way soft hyphens are loaded in the application.


CVSS v3 Vector: -
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:F/RL:O/RC:R/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:L/MA:H

CVSS Base Score: - 8.2
Impact Subscore: - 4.2
Exploitability Subscore: - 3.9
CVSS Temporal Score: - 7.3
CVSS Environmental Score: - 7.3
Modified Impact Subscore: - 4.2
Overall CVSS Score: - 7.3


CVSS v2 Vector: -
AV:N/AC:L/Au:N/C:N/I:P/A:C/E:F/RL:OF/RC:UR/CDP:LM/TD:M/CR:ND/IR:ND/AR:ND

CVSS Base Score: - 8.5
Impact Subscore: - 7.8
Exploitability Subscore: - 10.0
CVSS Temporal Score: - 6.7
CVSS Environmental Score: - 5.7
Modified Impact Subscore: - 7.8
Overall CVSS Score: - 5.7


TIMELINE: - Discovery      2017
        : - Initial Report 23rd August 2019
        : - Case Opened    23rd August 2019
        : - Added Detail   24th August 2019    *Public Disclosure Date: - Sep 18th 2019 UTC -08:00 (25 days from initial report)*
        : - Added Detail   27th August 2019
        : - Response       27th August 2019
        : - Added Detail   27th August 2019
        : - Response       29th August 2019
        : - Added Detail   29th August 2019
        : - Response       1st September 2019
        : - Added Detail   1st September 2019
        : - Case Closed    5th September 2019  *PATCH RELEASED PUBLICLY*
        : - Added Detail   5th September 2019  *Public Disclosure Date: - Jul 6th 2019 UTC -08:00 (24 hours from patch)*

        : - We thank the Facebook Security team for their quick patch.