Outdated V8 Engine in WeChat's Custom XWalk WebView Exposes Users to Remote Code Execution (CVE-2023-3420)
Introduction
On April 30, 2024, Cisco Talos researchers reported a critical vulnerability in Tencent WeChat's custom in-app browser that could lead to remote code execution (RCE). The underlying bug, CVE-2023-3420, was patched in the V8 JavaScript engine in June 2023. However, the WebView component bundled with WeChat was never updated to a fixed V8 build, exposing millions of users to potential attacks. The vulnerability affects WeChat versions up to 8.0.42, the latest version on the Google Play Store before June 14, 2024.
Report Overview
WeChat, developed by Tencent, is a widely used messaging app, particularly in China. It provides users with messaging, social media, and payment features. During an investigation into the app, Cisco Talos discovered that WeChat employs a custom WebView component rather than relying on the built-in Android WebView. This custom WebView is based on XWalk, which includes an embedded Chromium browser running V8 version 8.6.365.13, an outdated version released in October 2020.
The vulnerability is a type confusion bug in the V8 JavaScript engine. Because WeChat ships its own copy of V8 inside the XWalk WebView, the fix that Google delivered to Chrome and to the Android System WebView in 2023 never reached WeChat users: an attacker who can get JavaScript to run in that WebView can exploit the same bug that was fixed everywhere else a year earlier. The attack is triggered when a victim taps a malicious URL sent in a WeChat message; the page's embedded JavaScript loads in the XWalk WebView and runs the exploit. This type of attack, known as a "one-click exploit," requires only that single tap from the user.
The custom WebView is not part of the APK from the store. It is downloaded dynamically after a user first logs into the app, which lets Tencent push WebView updates independently of WeChat releases. Despite that mechanism, Talos found that WeChat versions up to 8.0.42, as distributed on the Google Play Store, were still running the vulnerable WebView. Because the WebView is fetched at runtime rather than shipped with the app, Talos could not confirm whether a fixed build has reached all installed versions.
Insights and Analysis
This vulnerability presents a significant risk to WeChat's vast user base, particularly in regions where the app is widely adopted for communication and payment processing. A successful exploit gives the attacker code execution in the context of the WeChat WebView on the victim's device, from which the attacker could steal data the app can reach, install malware, or attempt to escalate further.
The vulnerability is also dangerous for users on untrusted networks, such as public Wi-Fi: an attacker positioned in the traffic path could inject the exploit JavaScript into any page the vulnerable WebView loads over plain HTTP, without needing to send the victim a link at all. Given WeChat's global reach and its integration into many aspects of users' lives, the implications of such an attack are far-reaching.
The CVSS v3 base score for this vulnerability is 8.8 (High). The metric breakdown (AV/AC/PR/UI/S/C/I/A) reflects a network attack vector, low attack complexity, a single tap of user interaction, and high confidentiality, integrity, and availability impact.
Indicators of Compromise (IOC)
Indicator | Type | Description |
---|---|---|
Mozilla/5.0 (Linux; Android 14; Pixel 6 Build/UQ1A.240105.002; wv) AppleWebKit/537.36 ... MMWEBID/2247 ... | User Agent | Custom WeChat browser user agent indicating a vulnerable version (8.0.42) of WeChat's XWalk WebView. |
/data/data/com.tencent.mm/app_xwalk_4433/apk/base.apk | File Path | File path indicating the location of the outdated XWalk WebView APK on affected Android devices. |
/data/data/com.tencent.mm/app_xwalk_4433/extracted_xwalkcore/libxwebcore.so | File Path | File path pointing to the embedded browser environment with an outdated version of V8. |
Malicious URL sent through WeChat message | Network Indicator | URLs that trigger the one-click exploit when loaded in the vulnerable WebView. |
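The user-agent indicator above can be turned into a log-side check: any web property can scan its access logs for requests made from WeChat's in-app WebView and compare the embedded WeChat version against the last version the report lists as vulnerable. The following Python is an added example, not code from the Talos report or from this article. It assumes the token layout of WeChat's WebView user agent (`; wv)` marking an Android WebView, `XWEB/<build>`, `MMWEBID/<id>`, `MicroMessenger/<major>.<minor>.<patch>...`); the log lines are constructed for the example and the Apache/nginx "combined" log format is assumed.

```python
import re
from typing import List, Optional, Tuple

# Highest WeChat version the report lists as still shipping the outdated
# XWalk WebView (V8 8.6.365.13). Newer builds could not be confirmed as
# fixed, so they are reported as "unconfirmed" rather than "clean".
LAST_KNOWN_VULNERABLE: Tuple[int, int, int] = (8, 0, 42)

# Assumed token layout of WeChat's in-app WebView user agent:
#   "... Build/<id>; wv) AppleWebKit/537.36 ... XWEB/<build> MMWEBSDK/<date>
#    MMWEBID/<id> MicroMessenger/<major>.<minor>.<patch>.<build>(0x...) ..."
# Only the "; wv)" WebView marker and the MicroMessenger version drive the
# verdict. The Chrome/<ver> token is chosen by the embedder, so it says
# nothing about the V8 actually running inside the bundled WebView.
_MICROMESSENGER = re.compile(r"MicroMessenger/(\d+)\.(\d+)\.(\d+)")
_WEBVIEW_MARKER = re.compile(r"; wv\)")
_XWEB = re.compile(r"\bXWEB/(\d+)")

# Combined log format: ip ident user [time] "request" status bytes "referer" "ua"
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def wechat_webview_version(ua: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) if the UA is WeChat's in-app WebView, else None."""
    m = _MICROMESSENGER.search(ua)
    if m is None or _WEBVIEW_MARKER.search(ua) is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def verdict_for(version: Tuple[int, int, int]) -> str:
    """Tuple comparison handles 8.0.9 < 8.0.42 correctly (string compare would not)."""
    return "vulnerable" if version <= LAST_KNOWN_VULNERABLE else "unconfirmed"


def scan_log(lines: List[str]) -> List[dict]:
    """Parse combined-format lines and report every hit from WeChat's WebView."""
    hits = []
    for line in lines:
        m = _COMBINED.match(line)
        if m is None:
            continue  # malformed line: skip it rather than abort the whole scan
        version = wechat_webview_version(m["ua"])
        if version is None:
            continue  # Chrome, the system WebView, or anything else: out of scope
        xweb = _XWEB.search(m["ua"])
        hits.append({
            "ip": m["ip"],
            "request": m["req"],
            "wechat_version": version,
            "xweb_build": int(xweb.group(1)) if xweb else None,
            "verdict": verdict_for(version),
        })
    return hits


# Constructed sample log: one vulnerable WeChat WebView, one newer WeChat
# WebView, one stock Android WebView, one desktop Chrome, one malformed line.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:09:14:02 +0000] "GET /promo HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Linux; Android 14; Pixel 6 Build/UQ1A.240105.002; wv) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36 XWEB/1160 '
    'MMWEBSDK/20231202 MMWEBID/2247 MicroMessenger/8.0.42.2460(0x28002A37) WeChat/arm64 '
    'Weixin NetType/WIFI Language/en"',
    '198.51.100.23 - - [10/Jun/2024:09:15:40 +0000] "GET /promo HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Linux; Android 13; SM-S911B Build/TP1A.220624.014; wv) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Version/4.0 Chrome/116.0.0.0 Mobile Safari/537.36 XWEB/1200 '
    'MMWEBSDK/20240301 MMWEBID/3012 MicroMessenger/8.0.47.2560(0x28002F51) WeChat/arm64 '
    'Weixin NetType/4G Language/zh_CN"',
    '192.0.2.44 - - [10/Jun/2024:09:16:11 +0000] "GET /promo HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Linux; Android 14; Pixel 8 Build/AP1A.240405.002; wv) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Version/4.0 Chrome/124.0.6367.82 Mobile Safari/537.36"',
    '192.0.2.45 - - [10/Jun/2024:09:16:30 +0000] "GET /promo HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/125.0.0.0 Safari/537.36"',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the first two lines are reported: 8.0.42 as "vulnerable" and 8.0.47 as "unconfirmed", since the report could not establish that newer builds received a fixed WebView. The stock Android WebView and desktop Chrome are ignored, because the bundled V8 is a WeChat-specific problem, and the Chrome/ token is deliberately never consulted.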
MITRE ATT&CK Techniques
Tactic | Technique | ID | Description |
---|---|---|---|
Execution | Exploitation for Client Execution | T1203 | Adversaries may exploit vulnerabilities in client applications to execute code. |
Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Exploitation of a vulnerability to elevate privileges on the compromised system. |
Initial Access | Spearphishing Link | T1566.002 | A spearphishing link is used to trick users into clicking a malicious URL. |
Defense Evasion | Obfuscated Files or Information | T1027 | The malicious payload may be obfuscated to avoid detection during exploitation. |