WhatsApp Messenger Runs Arbitrary Python Code
Key Takeaways
The WhatsApp desktop application for Windows has a security vulnerability that allows arbitrary Python code execution via .pyz files, which can be used to establish a reverse shell and evade Windows Defender. The application's deny list of file extensions can be bypassed by renaming executable files.
Full Transcript
in the latest version of WhatsApp in their desktop application for Windows there are some file types that don't actually show a warning when they're included as an attachment and clicked on to open that file now this is interesting because it may or may not be considered a security vulnerability if that file that you click to open ends up running or executing code but I'll leave it to you I'll show you in this video so you can make that judgment call for yourself let me go ahead and open up Firefox as my web browser let's go download WhatsApp for iOS Mac or PC and in this case we'll get it from the Microsoft store this will end up just giving us a WhatsApp installer small Thin Client to actually be able to install this without going through the Microsoft store really it ends up doing it all anyway and I'm going to install this fresh just so you know that this is the latest run edition of WhatsApp as currently publicly available now it has opened up and I'm on version 2.24 29.10.19 Again by the time I'm recording and the time this videoos releases maybe things have changed but anyway let me go ahead and get started and connect to this with my WhatsApp on my phone I'll scan that super quick make sure that's all connected and let me start a new conversation with myself just so we can test this out now you might expect that WhatsApp and other messaging platforms might actually block regular executable files so if I actually were to go to C Windows system 32 we can grab any native natural executable file honestly CN cmd.exe is a fine candidate now if I were to move that to the side and put WhatsApp over on the other half I could go ahead and drag in the cmd.exe the actual executable we could enter a caption if we want hello please subscribe haaha once I send this if I to click open you'll get a notification from WhatsApp that the save failed it won't let you open or run an executable file like aexe it would require you to save as and then do the whole riger roll to actually get that set up on your computer and the the way that WhatsApp actually determines as to whether or not you're allowed to open the file or go through the save as process is presumably by a deny list of the file extension like if I were to copy this instance of cmd.exe if I were to bring it over to my desktop I could simply rename this to like a HTA file let's see if I can drag that in that's another a hypertext application usually used to execute code in Windows I could try to open this say failed let's do another one honestly for just like a do text just to show you that that should work just fine we'll drag that in Click the button there and then if I were to open this well hey it's aext file that's presumably Innocent but obviously this is all just a binary file so it's Gunk but that goes to show that aext file extension is not in the deny list we can make this a Powershell script presumably again just changing the file extension send it open it and that is interesting that actually opens huh I did not expect the PS1 file to actually open granted the current Handler is just opening it notepad but if it were Powershell that could be some silly stuff could try it with a bat file extension to make it a bat script that should have a normal natural Handler so if I were to send this open it uh that save failed so Deni list kicking in again if we really wanted to we could go through the whole process of trying different file extensions and seeing which ones go through the deny list or are allowed and that would be worthwhile a little effort here that would be a kind of cool research project it may be a worthwhile video or live stream at some point but at least at the time of recording on July 27th 2024 I saw this article come from bleeping computer WhatsApp for Windows lets Python and PHP scripts execute with no warning we'll see it in action in just a second but before we do please let me tell you a little bit about the sponsor of today's video and that are my good friends over at anti siphon training Black Hills information security and all of the awesome and incredible tribe of companies from John strand if you are looking to learn some sweet cyber security stuff they have phenomenal training on their website alongside pay what you can training literally you get to choose the price tag you determine hey how much are you willing to pay for any of these courses you can make that $500 you can make that $50 you can make that $0 if you want now not all of these are coming from John strand himself there are other instructors but John strand has done another awesome thing where a whole lot of the introductory courses and classes have their lab and exercises all available for free on GitHub I love this over on github.com strand JS introl laabs literally the description is these are the the labs for my intro classes yes these are public yes it's totally intentional and if you want to take a look we could actually drill down into the class files and take a look at the navigation I'll zoom in a little bit here because they have super sweet stuff like introduction to the sock Security operation Center Linux command line memory analysis TCP dump web blog review wire shark Rita nessus deep blue c Li Velociraptor so much cool stuff and it's all online and available for free we've showcased some of these in other videos but I really recommend it again I'm always singing the Praises of antiphon training Black Hills information security and all the sweet stuff by that incredible team thank you so much for your support to the channel and you can check them out with the link in the video description to dive into their pay what youan courses now let's get back into this article talking about these file types that don't actually include a warning when you want to open or execute them this is by Bill over at bleeping computer so big shout out credit to him uh and of course want to credit the actual researcher that tracked this down he noting that look if you actually execute python code that does require the attack surface of python being installed on the victim computer for it to actually have the default Handler set up to invoke and execute and run that code I know that is a little bit of a limitation that's constraint not to be something that as easily weaponized but it is worthwhile for some security cases like software developers researchers and of course power users on the computer this is a lot similar to what was discussed for telegram and I actually have a video for that if you're interested that showcases a very similar thing but that was using a High ZW file in this case WhatsApp allows you to do this with either a pyz file or even a PHP script that is also not in their deny list so credit where credit is due this is coming from s do I'm so sorry I don't know how to pronounce your name my friend this is him over on LinkedIn so please give him some love big shout out there hey sorry quick cut John from the future here I just wanted to throw this in cuz I thought it was kind of neat apparently I actually got an email from this researcher he reached out and expressed that he had found this and he actually was referencing the old telegram video that had that exact same issue he said he was inspired by that video and that's what led him to track this down in WhatsApp so very cool genuinely I had not seen this email I did not know that that was an Outreach previously but I just responded minutes ago and said like hey actually I just recorded this video and I'll have it out and about so kind of neat thanks so much but if we were to get back to our Windows 11 virtual machine and let me open up a text editor I'll just use Sublime Text here and let me save a we can go put this on the desktop so it's nice and easy for us and we'll call this like I don't know test. pyz that is a python file extension to work with a kind of Pi zip file but let's add some syntax let's add the import OS so we could use a module or package to work with operating system commands in fact that function called system where we could just start off small and simple opening the calculator now we don't have syntax highlighting if I already go ahead and hit control shift p and Sublime Text I can set the syntax to python but with that saved and staged for us we now have our test.py python zip application file note that I do have python already installed in this virtual machine and again take it with a grain of salt whether or not that is going to be a viable attack surface for you but if I were to go ahead and send this now that's included and the open button is not going to give me that say failed notification but it's actually going to fire up and run the calculator now obviously this is a super tiny primitive example but we could make this malicious if we wanted to hey have some Mau in the case there for to go search for a super simple python reverse shell syntax just pull it off the shelf you know we could grab any payload that we might like here I'll change our test. pz to that syntax let's actually get the host and port and I'll hop into a Cali Linux virtual machine just so we can start to hack a little bit and take a look at my IP address for the eth zero interface 19216811 1.179 so with that we could make a call back if we were to listen with net cat Tac L nvp Tac L to listen Tac n to not resolve DNS resolution tacv for verose and P for the port I saw 5,002 in the representation there if I put these side by side let's change the host IP address value within Sublime Text now let's drag in our new test. pyz we can go ahead and send that file and once I hit open fingers crossed we'll get our connection and we can see we do have a shell by PWD or in Windows that's actually CD to display the current directory which isn't super duper help obviously who am I I'm John on that Windows 11 host and you've got that spooky command line hanging out to denote whoops it's still running if I close this that should kill the session now Das had found that the pz file extension will come through pzw for a pine solar program and evtx for Windows event logs that's interesting I wonder if you could do any weird stuff with that I'm curious if the pyw one will actually come through because that with the w prefix I don't believe in includes a window when you end up hey executing it so if I were to start the netcat listener again and hit open there that actually won't display the window so you don't have the spooky scary command prompt anymore you can still do whatever the heck you want and you know you do anything I think that can be a little bit more Sinister for any payloads that you might just Spam out into a group chat or send to anyone with any contacts anything really but look this Windows 11 virtual machine that I'm using does have Windows Defender like completely nuked removed deleted uh so it's not going to FL and trigger on that and sometimes you can get a reverse shell to evade antivirus anyway because it's just a TCP connection it is what you end up doing with that shell and that command and control access later on that can still get you caught by security mechanisms anyway I think the story here is still a little bit interesting though because Daz that security researcher reported the problem to meta on June 3rd it's currently July 27th the company replied on July 15th saying that the issue had been already reported by another researcher and it should have have already been fixed and yet it's not at least at the time recording right so when the researcher contacted the computer the bug was still present in the latest WhatsApp release for Windows and they could reproduce it on even an earlier version than what I'm on right now v2.2 42810 do0 but remember that even this WhatsApp version that we're using to Showcase this over in the help section that tells me I'm on 2.24 2910 so they had a release cycle and they could have fixed this but again I don't know you'll get into uh splitting hairs in just a second do explains I reported this issue to meta through their bug Bounty program but unfortunately they closed it as not applicable it's disappointing as this is a pretty straightforward flaw that could really easily be mitigated like obviously there's already a deny or allow list you could just add it to the deny list when bleeping computer reached out to WhatsApp for clarification about the reason for dismissing them they had this response and I'm curious of your hot take let me know in the comments below we've read what the researcher proposed and appreciate their submission Ma can take many different forms including through downloadable files meant to trick a user it's why we warn users never to click on or open a file from somebody they don't know regardless of how they receive it whether it's over the WhatsApp or any other app um I get that but you're already blocking it for executable files for things that could still be executing I'm curious why that's not in the decision to just block it like we saw with telegram previously they denied it at first rejected the submission and then fixed it later on so maybe the time between me releasing this video or recording it is really going to end up being the difference here but they explained that WhatsApp has a system in place to warn users when they're messaged by users not in their contacts list sure okay but if a user account to hijacked then they can enumerate any of those options here and of course sending it to public and private chat groups da expressed dis appointment by literally yeah just add the file extension to the block list it's already there addressing this issue would not only enhance the security of the users but also demonstrate the commitment to promptly resolving security concerns so I'd love your hot take is this a security concern look you still have to click open of course and that falls on the victim but the fact that another PHP file extension and we don't have to test that but we could try some others like Powershell PS1 or even some other python representations plenty of things we could experiment with I will leave it up to you maybe an exercise for the reader if you might like to Tinker an experiment with other files file types and file extensions and see what might get past the WhatsApp block list or deny list uh I believe WhatsApp is closed Source like it's not open source at least from Google results it's telling me it's like not fully open source again feel free to let me know in the comments below but the fact that if python were to be installed in the exact same case of telegram what we discussed previously that did end up changing this like we shouldn't just be able to click that okay and then open execution with the calculator I know is a small example but any reverse shell any other malware staging stuff you could do whatever you want with this all right short video today big thanks to bleepy computer big thanks to the security researcher big thanks for you tuning into this video and please do all those YouTube algorithm things if you enjoyed this video like comment subscribe please give some support to our sponsors Link in the video description for all the pay what you can training but thanks again and I'll see you in the next video
Original Description
https://jh.live/pwyc || Jump into Pay What You Can training at whatever cost makes sense for you! https://jh.live/pwyc
Learn Cybersecurity - Name Your Price Training with John Hammond: https://nameyourpricetraining.com
Learn Coding: https://jh.live/codecrafters
WATCH MORE:
Dark Web & Cybercrime Investigations: https://www.youtube.com/watch?v=_GD5mPN_URM&list=PL1H1sBF1VAKVmjZZr162aUNCt2Uy5ozAG&index=4
Malware & Hacker Tradecraft: https://www.youtube.com/watch?v=LKR8cdfKeGw&list=PL1H1sBF1VAKWMn_3QPddayIypbbITTGZv&index=5
📧JOIN MY NEWSLETTER ➡ https://jh.live/email
🙏SUPPORT THE CHANNEL ➡ https://jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/discord ↔ https://jh.live/instagram ↔ https://jh.live/tiktok
💥 SEND ME MALWARE ➡ https://jh.live/malware
🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: AI Security
View skill →Related Reads
📰
📰
📰
📰
Cisco 350-701 SCOR (CCNP Security Core): What's Actually Tested
Dev.to · NERDEXAM
Insider Threats in Cybersecurity: Lessons From the Latest Ransomware Conviction
Medium · Cybersecurity
SpideyX Explained | High-Speed Web Pentesting Framework
Medium · Cybersecurity
Stop Chasing Another Cybersecurity Certification.
Medium · Cybersecurity
🎓
Tutor Explanation
DeepCamp AI