There is a memory corruption vulnerability in audio processing during a voice call in WeChat. When an RTP packet is processed, there is a call to UnpacketRTP. This function decrements the length of the packet by 12 without checking that the packet has at least 12 bytes in it. This leads to a negative packet length. Then, CAudioJBM::InputAudioFrameToJBM will check that the packet size is smaller than the size of a buffer before calling memcpy, but this check (n < 300) does not consider that the packet length could be negative due to the previous error. This leads to an out-of-bounds copy.
To reproduce the bug:
1) install and run frida on the caller Android device and a desktop host (https://www.frida.re)
2) copy the filed in the attached directory to /data/local/tmp/packs/, so that /data/local/tmp/packs/opack0 exists
3) run "setenforce 0" on the caller device
4) extract replay.py and replay.js into the same directory on a desktop host and run:
python3 replay.py DEVICENAME
Wait for the word "READY" to display.
If you don't know your device name, you can list device names by running:
5) start a voice call and answer it on the target device. A crash will occur in about 10 seconds.
A crash log is attached.
Proof of Concept:
# 0day.today [2020-01-19] #