Document Title:
===============
Wickr Desktop v2.2.1 Windows - Denial of Service Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1377

Release Date:
=============
2014-12-25

Vulnerability Laboratory ID (VL-ID):
====================================
1377

Common Vulnerability Scoring System:
====================================
3.3

Product & Service Introduction:
===============================
Wickr (pronounced `wicker`) is a proprietary instant messenger for iPhone and Android. Wickr allows users to exchange end-to-end encrypted and self-destructing messages, including photos and file attachments. The `self-destruct` part of the software is designed to use a `Secure File Shredder` which the company says `forensically erases unwanted files you deleted from your device`. However, the company uses a proprietary algorithm to manage the data, a practice which is prone to error according to many security experts.

On January 15, 2014, Wickr announced it is offering a US$100,000 bug bounty for those who find vulnerabilities that significantly impact users. In addition, a recipient can in general use other software and techniques like screen-capture capabilities or a separate camera to make permanent copies of the content.

(Copy of the Homepage: https://wickr.com/ )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research team discovered a denial of service web vulnerability in the official Wickr Desktop v2.2.1 Windows software.

Vulnerability Disclosure Timeline:
==================================
2014-12-25: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Wickr Inc.
Product: Wickr - Desktop Software (Windows) 2.2.1

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Technical Details & Description:
================================
A local denial of service vulnerability has been discovered in the official Wickr TSM v2.2.1 (MSI) Windows software. The issue allows local attackers to crash or shut down the software client by using specially crafted symbol payloads.

The Wickr v2.2.1 (MSI) software crashes with an unhandled exception in the CFLite.dll by the qsqlcipher_wickr.dll when it processes specially crafted symbol strings entered as password or name. The issue occurs after the payload is entered into the `change name friend contacts`, the `wickr password auth` and the `friends > add friends` input fields. Attackers are able to change the name value of their own profile (payload) to crash the Wickr client. Local attackers can include the payload in the input fields to crash or shut down the application with an unhandled exception.

The security risk of the denial of service vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) score of 3.3. Exploitation of the DoS vulnerability requires a low-privileged application user account and low user interaction. Successful exploitation of the vulnerability results in an application crash or service shutdown.

Vulnerable Module(s):
	[+] friend contacts
	[+] wickr password auth
	[+] friends

Vulnerable Input(s):
	[+] add friends (name)
	[+] wickr password auth
	[+] change friend (update name)

Vulnerable Parameter(s):
	[+] name (value input)
	[+] password (value input)

Proof of Concept (PoC):
=======================
The denial of service web vulnerability can be exploited by remote attackers and local attackers with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Download Wickr v2.2.1 for Windows to your Windows 8 box (mywickr.info/download.php?p=4)
2. Install the Wickr Windows version of the software on your Windows 8 box
3. Create a new account and include the payload in the password input field
   Note: After the payload has been processed by the auth, the software crashes. You should attach a debugger beforehand.
4. Successful reproduction of the first issue!
5. Register a new account with regular values
6. Open the friends > add friends section and include the payload in the search input value
   Note: After the payload has been processed to add the friend, the software crashes. You should attach a debugger beforehand.
7. Successful reproduction of the second issue!
8. Open the software again and log in. Switch to the existing friends contacts and edit the profile
9. Include the payload in the name values and save the settings
   Note: After the payload has been processed to change the name, the software crashes. You should attach a debugger beforehand.
10. Successful reproduction of the third issue!

Payload: Denial of Service
็¬็ส็็็็็ -็็็็็็็็็็็็็็็็็็็็ส็¬็็็็็็็็¬็็็็็็็็็็็็็็็็ส็็็็¬็็็็็็็็็-็็็็็็็ ็็็็็ส็็็็็็็¬็็็็็็็็็็¬็็็็็็็็ส็็็็็็็็็็¬็็็็็็็็็็็ ¬็็็็ส็็็็็็็็็็็็็¬็็็็ ็็็็็็็็¬ส็็็็็็็็็็็็็็็็-็็็็็็็็็ส็็็็็็็็็็็็็็็็็็็ ¬็็็็็็ส็็็็็็็¬ส็็็็็็็็็็็็็็็็็็็็็็็็็ส็็็¬¬็็็็็็็็็็็็็็็็็็็็็็ส็็็็็็¬็

--- Error Report Logs ---
EventType=APPCRASH
EventTime=130628671359850105
ReportType=2
Consent=1
UploadTime=130628671360390638
ReportIdentifier=df89d941-8208-11e4-be8b-54bef733d5e7
IntegratorReportIdentifier=df89d940-8208-11e4-be8b-54bef733d5e7
WOW64=1
NsAppName=Wickr.exe
Response.BucketId=96ac0935c87e28d0d5f61ef072fd75b8
Response.BucketTable=1
Response.LegacyBucketId=73726044048
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Wickr.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=0.0.0.0
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=02849d78
Sig[3].Name=Fehlermodulname
Sig[3].Value=CFLite.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=53f6c178
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00027966
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.3.9600.2.0.0.256.48
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=5861
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=5861822e1919d7c014bbb064c64908b2
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=84a0
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=84a09ea102a12ee665c500221db8c9d6
UI[2]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
UI[3]=Wickr.exe funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
... ... ... ...
LoadedModule[103]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\sqldrivers\qsqlcipher_wickr.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Wickr.exe
AppPath=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=6A5425CE651532265F599A5A86C6C2EE

Security Risk:
==============
The security risk of the denial of service web vulnerability in the wickr windows client software is estimated as medium. (CVSS 3.3)

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
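
Added example (not part of the original advisory and not Wickr's code): a small Python triage helper that parses Windows Error Reporting text like the error report log above and checks for the crash signature the advisory reports, Wickr.exe faulting in CFLite.dll with exception code c0000005. It reads the Sig[n] values by index because the field names are localized (German in this report); the function names are hypothetical and the sample input is a constructed excerpt built from the values quoted in the advisory.

```python
import re

# Constructed excerpt: field values copied from the advisory's error report,
# shortened to the lines the triage needs (not a complete Report.wer).
SAMPLE_WER = r"""EventType=APPCRASH
Sig[0].Name=Anwendungsname
Sig[0].Value=Wickr.exe
Sig[3].Name=Fehlermodulname
Sig[3].Value=CFLite.dll
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Value=00027966
...
LoadedModule[103]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\sqldrivers\qsqlcipher_wickr.dll
"""

def parse_wer(text):
    """Split report text into plain fields, Sig[n] values and module names."""
    fields, sigs, modules = {}, {}, []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # elided or malformed line such as "..."
        key, value = key.strip(), value.strip()
        m = re.match(r"Sig\[(\d+)\]\.Value$", key)
        if m:
            sigs[int(m.group(1))] = value  # keyed by index, not localized name
        elif key.startswith("LoadedModule["):
            modules.append(value.rsplit("\\", 1)[-1].lower())
        else:
            fields[key] = value
    return fields, sigs, modules

def triage(text, app="wickr.exe", module="cflite.dll", code="c0000005"):
    """Summarise a crash report and flag the signature the advisory reports."""
    fields, sigs, modules = parse_wer(text)
    summary = {
        "event": fields.get("EventType"),
        "app": sigs.get(0, "").lower(),           # Sig[0]: application name
        "fault_module": sigs.get(3, "").lower(),  # Sig[3]: faulting module
        "exception": sigs.get(6, "").lower(),     # Sig[6]: exception code
        "offset": sigs.get(7),                    # Sig[7]: exception offset
        "sqlcipher_loaded": "qsqlcipher_wickr.dll" in modules,
    }
    summary["match"] = (summary["event"] == "APPCRASH"
                        and summary["app"] == app
                        and summary["fault_module"] == module
                        and summary["exception"] == code)
    return summary

if __name__ == "__main__":
    print(triage(SAMPLE_WER))
```

The Sig index positions used here are the ones shown in the advisory's own report; a report of a different event type may lay them out differently.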