Wickr Desktop v2.2.1 Windows - Denial of Service Vulnerability (Demonstration Video)

Wickr Desktop v2.2.1 Windows - Denial of Service Vulnerability (Demonstration Video)

A german security researcher of the vulnerability laboratory core team discovered today a local denial of service vulnerability in the wickr secret messenger v2.2.1 software. The issue has been reported to the wickr security team next to the public release of the windows desktop version of the software. Wickr is a secret messenger that is setup to protect the users data, information and privacy.

The wickr v2.2.1 (msi) software crashs with unhandled exception in the CFLite.dll by the qsqlcipher_wickr.dll when processing to include special crafted symbole strings as password or name. The issue occurs after the input of the payload to the `change name friend contacts`-, `the wickr password auth`- and the `friends > add friends` input fields. Attackers are able to change the name value of the own profile (payload) to crash the wickr client. Local attackers can include the payload to the input fields to crash/shutdown the application with unhandled exception.

The security risk of the denial of service vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.3. Exploitation of the DoS vulnerability requires a low privileged application user account and low user interaction. Successful exploitation of the vulnerability results in an application crash or service shutdown.

Vulnerable Module(s):
[+] friend contacts
[+] wickr password auth
[+] friends

Vulnerbale Input(s):
[+] add friends (name)
[+] wickr password auth
[+] change friend (update name)

Vulnerable Parameter(s):
[+] name (value input)

Proof of Concept

The denial of service web vulnerability can be exploited by remote attackers and local attackers with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Download Wickr v2.2.1 for windows to your windows 8 box (mywickr.info/download.php?p=4)
2. Install the wickr windows version of the software to your windows 8 box
3. Create an new account and include the payload to the password input field
Note: After the payload has been processed to the auth, the software crashs. You should attach a debugger ago.
4. Successful reproduce of the first issue!
5. We register a new account with regular values
6. Open the friends > add friends section and include the payload to the search input value
Note: After the payload has been processed to add the friend, the software crashs. You should attach a debugger ago.
7. Successful reproduce of the second issue!
8. We open the software again and login. Switch to the existing friends contacts and edit the profile
9. Include in the name values the payload and save the settings
Note: After the payload has been processed to change to the name, the software crashs. You should attach a debugger ago.
10. Successful reproduce of the third issue!

Payload: Denial of Service
็¬็ส็็็็็ -็็็็็็็็็็็็็็็็็็็็ส็¬็็็็็็็็¬็็็็็็็็็็็็็็็็ส็็็็¬็็็็็็็็็-็็็็็็็ ็็็็็ส็็็็็็็¬็็็็็็็็็็¬็็็็็็็็ส็็็็็็็็็็¬็็็็็็็็็็็ ¬็็็็ส็็็็็็็็็็็็็¬็็็็ ็็็็็็็็¬ส็็็็็็็็็็็็็็็็-็็็็็็็็็ส็็็็็็็็็็็็็็็็็็็ ¬็็็็็็ส็็็็็็็¬ส็็็็็็็็็็็็็็็็็็็็็็็็็ส็็็¬¬็็็็็็็็็็็็็็็็็็็็็็ส็็็็็็¬็ 

--- Error Report Logs ---
EventType=APPCRASH
EventTime=130628671359850105
ReportType=2
Consent=1
UploadTime=130628671360390638
ReportIdentifier=df89d941-8208-11e4-be8b-54bef733d5e7
IntegratorReportIdentifier=df89d940-8208-11e4-be8b-54bef733d5e7
WOW64=1
NsAppName=Wickr.exe
Response.BucketId=96ac0935c87e28d0d5f61ef072fd75b8
Response.BucketTable=1
Response.LegacyBucketId=73726044048
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Wickr.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=0.0.0.0
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=02849d78
Sig[3].Name=Fehlermodulname
Sig[3].Value=CFLite.dll
Sig[4].Name=Fehlermodulversion
Sig[4].Value=0.0.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=53f6c178
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=00027966
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.3.9600.2.0.0.256.48
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=5861
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=5861822e1919d7c014bbb064c64908b2
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=84a0
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=84a09ea102a12ee665c500221db8c9d6
UI[2]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
UI[3]=Wickr.exe funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
... ...  ... ...
LoadedModule[103]=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\sqldrivers\qsqlcipher_wickr.dll
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Wickr.exe
AppPath=C:\Program Files (x86)\Wickr Inc\Wickr - Top Secret Messenger\Wickr.exe
NsPartner=windows
NsGroup=windows8
ApplicationIdentity=6A5425CE651532265F599A5A86C6C2EE

Wickr Desktop v2.2.1 Windows - Denial of Service Vulnerability (PoC Video Demonstration)

Advisory: http://www.vulnerability-lab.com/get_content.php?id=1377

Video: http://www.vulnerability-lab.com/get_content.php?id=1388