CVE-2019-11932

Published: 03/10/2019 Updated: 05/12/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

A double free vulnerability in the DDGifSlurp function in decoding.c in the android-gif-drawable library before version 1.2.18, as used in WhatsApp for Android before version 2.19.244 and many other Android applications, allows remote malicious users to execute arbitrary code or cause a denial of service when the library is used to parse a specially crafted GIF image.

Affected Products

Vendor | Product | Versions
Whatsapp | Whatsapp | 2.9.243, 2.11.544, 2.11.561, 2.12.14, 2.12.30, 2.12.48, 2.12.50, 2.12.250, 2.12.304, 2.12.331, 2.12.367, 2.12.453, 2.12.556, 2.16.95, 2.16.207, 2.16.225, 2.16.275, 2.16.306, 2.16.310, 2.16.323, 2.16.352, 2.16.382, 2.16.392, 2.16.396, 2.17.24, 2.17.79, 2.17.107, 2.17.146, 2.17.190, 2.17.223, 2.17.254, 2.17.296, 2.17.323, 2.17.351, 2.17.395, 2.17.427, 2.18.28, 2.18.29, 2.18.30, 2.18.32, 2.18.36, 2.18.37, 2.18.38, 2.18.105, 2.18.132, 2.18.248, 2.18.293, 2.18.306, 2.18.327, 2.18.341, 2.18.361, 2.18.373, 2.18.380, 2.19.4, 2.19.5, 2.19.6, 2.19.7, 2.19.8, 2.19.9, 2.19.14, 2.19.17, 2.19.18, 2.19.19, 2.19.24, 2.19.25, 2.19.27, 2.19.28, 2.19.29, 2.19.31, 2.19.33, 2.19.34, 2.19.35, 2.19.39, 2.19.42, 2.19.45, 2.19.46, 2.19.48, 2.19.50, 2.19.51, 2.19.52, 2.19.54, 2.19.55, 2.19.56, 2.19.57, 2.19.59, 2.19.61, 2.19.63, 2.19.65, 2.19.67, 2.19.69, 2.19.71, 2.19.73, 2.19.74, 2.19.75, 2.19.78, 2.19.79, 2.19.80, 2.19.81, 2.19.82, 2.19.83, 2.19.86, 2.19.87, 2.19.89, 2.19.92, 2.19.93, 2.19.95, 2.19.97, 2.19.98, 2.19.99, 2.19.102, 2.19.103, 2.19.106, 2.19.108, 2.19.110, 2.19.113, 2.19.115, 2.19.116, 2.19.118, 2.19.119, 2.19.120, 2.19.123, 2.19.126, 2.19.127, 2.19.128, 2.19.129, 2.19.130, 2.19.131, 2.19.133, 2.19.134, 2.19.136, 2.19.138, 2.19.139, 2.19.142, 2.19.143, 2.19.144, 2.19.145, 2.19.147, 2.19.148, 2.19.150, 2.19.152, 2.19.154, 2.19.155, 2.19.156, 2.19.157, 2.19.158, 2.19.159, 2.19.160, 2.19.163, 2.19.164, 2.19.165, 2.19.166, 2.19.167, 2.19.168, 2.19.169, 2.19.170, 2.19.171, 2.19.172, 2.19.174, 2.19.175, 2.19.176, 2.19.177, 2.19.178, 2.19.179, 2.19.184, 2.19.185, 2.19.186, 2.19.187, 2.19.189, 2.19.191, 2.19.192, 2.19.194, 2.19.195, 2.19.196, 2.19.203, 2.19.216, 2.19.230

Exploits

# Exploit Title: Whatsapp 2.19.216 - Remote Code Execution
# Date: 2019-10-16
# Exploit Author: Valerio Brussani (@val_brux)
# Vendor Homepage: www.whatsapp.com/
# Version: < 2.19.244
# Tested on: Whatsapp 2.19.216
# CVE: CVE-2019-11932
# Reference1: awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/
# Full Android App: htt ...

Mailing Lists

Whatsapp version 2.19.216 suffers from a remote code execution vulnerability ...
Hi list, CVE-2019-11932 is a vulnerability in the android-gif-drawable library. Yet the CVE text doesn't mention "android-gif-drawable". It only mentions WhatsApp. There could be over 28,400 free Android apps that use this library. And it seems that quite a few (24) of those 28k+ apps other than WhatsApp that use android-gif-drawable have install ...

Recent Articles

A Nord VPN bug, a(nother) bad Microsoft patch, Zynga data farmed out, and more
The Register • Shaun Nichols in San Francisco • 05 Oct 2019

Plus, NSA's Ghidra found to contain faulty code

Roundup: Here's the latest security news in handy digest form of stories you may have missed over the last week.
Reg reader Tony writes in to tell us of an interesting security bug that arises when running NordVPN in tandem with the Cloudflare 1.1.1.1 WARP service in iOS. The end result is a connection that looks to be protected by NordVPN, but in reality it is completely exposed.
Here's how it works:
The user first connects to 1.1.1.1 with Warp, then disables the app without tu...

WhatsApp Flaw Opens Android Devices to Remote Code Execution
Threatpost • Elizabeth Montalbano • 03 Oct 2019

A security researcher has identified a flaw in the popular WhatsApp messaging platform on Android devices, which could allow attackers to launch privilege elevation and remote code execution (RCE) attacks on victims.
Exploiting the flaw—described in a Wednesday post on GitHub by a Singapore-based “technologist and an information security enthusiast” called Awakened – is a rather complicated affair. An attack involves a bad actor sending a malicious GIF file to a victim via “any ...