Kev Posted December 8, 2020

Facebook Messenger for Android has an issue where an SdpUpdate message can cause an audio call to connect before the callee has answered the call.

Facebook Messenger sets up audio and video calls in WebRTC by exchanging a series of thrift messages between the callee and caller. Normally, the callee does not transmit audio until the user has consented to accept the call, which is implemented by either not calling setLocalDescription until the callee has clicked the accept button, or setting the audio and video media descriptions in the local SDP to inactive and updating them when the user clicks the button (which strategy is used depends on how many endpoints the callee is logged into Facebook on). However, there is a message type that is not used for call set-up, SdpUpdate, that causes setLocalDescription to be called immediately. If this message is sent to the callee device while it is ringing, it will cause it to start transmitting audio immediately, which could allow an attacker to monitor the callee's surroundings.

To reproduce this issue:

1) Log into Facebook Messenger on the attacker device
2) Log into Facebook Messenger on the target device. Also log into Facebook in a browser on the same account. (This will guarantee call set-up uses the delayed calls to setLocalDescription strategy; this PoC doesn't work with the other strategy.)
3) Install frida on the attacker device, and run Frida server
4) Make a call to any device with the attacker device to load the RTC libraries so they can be hooked with Frida
5) Unzip sdp_update, and locally in the folder, run: python2 modifyout.py "attacker device name" (to get a list of devices, run python2 modifyout.py)
6) Make an audio call to the target device

In a few seconds, audio from the target device can be heard through the speakers of the attacker device.
The PoC performs the following steps:

1) Waits for the offer to be sent, and saves the sdpThrift field from the offer
2) Sends an SdpUpdate message with this sdpThrift to the target
3) Sends a fake SdpAnswer message to the *attacker* so the device thinks the call has been answered and plays the incoming audio

The python for the PoC was generated using fbthrift; the thrift file used for generation is attached.

This PoC was tested on version 284.0.0.16.119 of Facebook Messenger for Android.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report will become visible to the public. The scheduled disclosure date is 2021-01-04. Disclosure at an earlier date is possible if agreed upon by all parties.

Found by: rschoen@google.com

Download GS20201207145742.tgz (70.1 KB)
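The consent gate the report describes, and the way an out-of-band update message slips past it, can be modelled without a real WebRTC stack. The block below is an added example written for this page; it is not Facebook Messenger's code, Project Zero's PoC, or anything from the attached archive. The message names (SdpOffer, SdpUpdate, Accept), the sample SDP, the Callee class and the mock peer connection are all assumptions chosen to illustrate the "delayed setLocalDescription" strategy the PoC targets. The vulnerable callee applies a local description as soon as SdpUpdate arrives; the hardened variant forces every media section to a=inactive until the user has accepted, so a renegotiation while ringing cannot start sending audio.

```javascript
// Added example (not Facebook Messenger code): model of the callee-side
// consent gate from the report, with a mock standing in for RTCPeerConnection.
// Message names, the sample SDP and the Callee class are assumptions.

// Constructed sample SDP for the callee's answer: a single audio section.
const ANSWER_SDP = [
  'v=0',
  'o=- 1 1 IN IP4 127.0.0.1',
  's=-',
  't=0 0',
  'm=audio 9 UDP/TLS/RTP/SAVPF 111',
  'a=rtpmap:111 opus/48000/2',
  'a=sendrecv',
].join('\n');

// Constructed caller offer. The PoC replays the offer's sdpThrift field in
// SdpUpdate, so the same blob is reused for both messages here.
const OFFER_SDP = ANSWER_SDP;

// Parse each m= section's direction; WebRTC treats a missing attribute as sendrecv.
function mediaDirections(sdp) {
  const dirs = {};
  let current = null;
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith('m=')) {
      current = line.slice(2).split(' ')[0];
      dirs[current] = 'sendrecv';
    } else if (current && /^a=(sendrecv|sendonly|recvonly|inactive)$/.test(line)) {
      dirs[current] = line.slice(2);
    }
  }
  return dirs;
}

// Rewrite every m= section to `direction`, inserting the attribute when absent.
function withDirection(sdp, direction) {
  const out = [];
  let inMedia = false;
  let replaced = false;
  const closeSection = () => { if (inMedia && !replaced) out.push('a=' + direction); };
  for (const line of sdp.trim().split(/\r?\n/)) {
    if (line.startsWith('m=')) {
      closeSection();
      inMedia = true;
      replaced = false;
      out.push(line);
    } else if (inMedia && /^a=(sendrecv|sendonly|recvonly|inactive)$/.test(line)) {
      out.push('a=' + direction);
      replaced = true;
    } else {
      out.push(line);
    }
  }
  closeSection();
  return out.join('\n');
}

// Mock peer connection: media is sent once both descriptions are set and the
// local direction includes sending.
class MockPeerConnection {
  constructor() { this.localDescription = null; this.remoteDescription = null; }
  setRemoteDescription(desc) { this.remoteDescription = desc; }
  setLocalDescription(desc) { this.localDescription = desc; }
  transmitting(kind) {
    if (!this.localDescription || !this.remoteDescription) return false;
    const d = mediaDirections(this.localDescription.sdp)[kind];
    return d === 'sendrecv' || d === 'sendonly';
  }
}

// Callee using the "delayed setLocalDescription" strategy: the answer is built
// on SdpOffer but only applied on Accept. hardened=false reproduces the bug:
// SdpUpdate applies a local description at once. hardened=true forces media to
// inactive on any description applied before Accept.
class Callee {
  constructor(hardened) {
    this.hardened = hardened;
    this.pc = new MockPeerConnection();
    this.state = 'idle';
    this.pendingAnswer = null;
  }
  accepted() { return this.state === 'connected'; }
  handle(msg) {
    switch (msg.type) {
      case 'SdpOffer':
        this.pc.setRemoteDescription({ type: 'offer', sdp: msg.sdp });
        this.pendingAnswer = { type: 'answer', sdp: ANSWER_SDP };
        this.state = 'ringing';
        return true;
      case 'SdpUpdate': {
        if (this.state === 'idle') return false;
        this.pc.setRemoteDescription({ type: 'offer', sdp: msg.sdp });
        this.pendingAnswer = { type: 'answer', sdp: ANSWER_SDP };
        const applied = this.hardened && !this.accepted()
          ? { type: 'answer', sdp: withDirection(ANSWER_SDP, 'inactive') }
          : this.pendingAnswer;
        this.pc.setLocalDescription(applied);
        return true;
      }
      case 'Accept':
        if (this.state !== 'ringing') return false;
        this.pc.setLocalDescription(this.pendingAnswer);
        this.state = 'connected';
        return true;
      default:
        return false;
    }
  }
}

// The report's sequence: offer, then SdpUpdate while still ringing, no Accept.
// Returns true if the callee is already sending audio to the caller.
function audioLeaksBeforeAccept(hardened) {
  const callee = new Callee(hardened);
  callee.handle({ type: 'SdpOffer', sdp: OFFER_SDP });
  callee.handle({ type: 'SdpUpdate', sdp: OFFER_SDP });
  return !callee.accepted() && callee.pc.transmitting('audio');
}

// A normal accepted call must still transmit with either variant.
function audioAfterAccept(hardened) {
  const callee = new Callee(hardened);
  callee.handle({ type: 'SdpOffer', sdp: OFFER_SDP });
  callee.handle({ type: 'Accept' });
  return callee.pc.transmitting('audio');
}

console.log('vulnerable leaks before accept:', audioLeaksBeforeAccept(false)); // true
console.log('hardened leaks before accept:  ', audioLeaksBeforeAccept(true));  // false
```

The design point is that the gate must be a property of every path that calls setLocalDescription, not of the one message the call-setup flow happens to use: the hardened handler does not try to enumerate "bad" message types, it checks the consent state at the single place where a local description is applied and neutralises the media directions there.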