Signal has patched a code injection vulnerability that, when exploited, allowed attackers to achieve remote code execution.
The security team for the encrypted communications app, a program which has been available for both Android and iOS since November 2015, published a fix for the bug just hours after first being contacted by a group of security researchers.
Iván Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo, with assistance from Javier Lorenzo Carlos Smaldone, accidentally discovered the vulnerability on 10 May. They were passing XSS payloads back and forth when one of the payloads triggered in Signal’s desktop version. Further investigation confirmed that the weakness worked on different platforms, including Linux, Windows and macOS.
Iván Ariel Barrera Oro shared additional details about the vulnerability in a blog post:
We tried different kinds of HTML elements: img, form, script, object, frame, frameset, iframe, sound, video (these last two were funny). They all worked, except that CSP blocked the execution of scripts, which halted this attack in some way. Inside iframes, everything was possible, even loading code from an SMB share! This enables an attacker to execute remote code without caring about CSP. Juliano worked on this with Alfredo, along with trying to get a manageable segmentation fault.
Shortly after publishing their findings on Twitter on 11 May, the security researchers reached out to Signal. The encrypted messaging app’s security team confirmed two hours later that they were working on a patch. Just one hour after that, Signal’s security team released the patch.
Iván Ariel Barrera Oro was surprised at how quickly Signal released the fix, especially given its size. He therefore decided to look at the patch file’s history. He then discovered that the messaging app had previously created the fix but had removed it on 10 April to resolve a linking issue.
The security researcher admitted he still has his doubts about the patch file:
I’m still not convinced about that regex and I’m afraid someone might exploit it, especially those resourceful three-letter agencies…
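The two quoted passages describe the same bug class from both ends: message text that reaches the desktop client's HTML renderer without escaping (so an iframe in a message becomes a live iframe), and a fix that relies on a regex rather than on escaping. The following is an added example, not Signal's code or the researchers' code, showing the unsafe rendering pattern beside its hardened form, with a coarse regression check for the element kinds the write-up names. The function names (renderUnsafe, renderSafe, escapeHtml, containsActiveMarkup), the sample message and the placeholder host are all assumptions constructed for this illustration.

```javascript
// Added example (not from the page or from Signal): rendering untrusted
// chat text into HTML safely. All names and sample data are constructed.

// Characters that can open, close or attribute-inject markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every markup-significant character so the body can only ever be text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The pattern behind this bug class: the message body is interpolated into
// markup as-is, so any element in the body is parsed and rendered.
function renderUnsafe(body) {
  return `<div class="message">${body}</div>`;
}

// Hardened form: escape at the output boundary instead of trying to filter
// "dangerous" elements out of the input with a regex.
function renderSafe(body) {
  return `<div class="message">${escapeHtml(body)}</div>`;
}

// Coarse detector for the element kinds named in the researchers' write-up.
// Useful as a regression check on rendered output in tests; it is deliberately
// NOT the sanitiser, because filtering by tag name is exactly what is fragile.
const ACTIVE_TAG = /<\s*(img|form|script|object|frame|frameset|iframe|video|audio|embed)\b/i;
function containsActiveMarkup(html) {
  return ACTIVE_TAG.test(html);
}

// Constructed sample message (not from the page): an iframe element pointing
// at a placeholder host, followed by ordinary text.
const SAMPLE_MESSAGE = '<iframe src="//example.invalid/page.html"></iframe> hello';

// Stand-alone demonstration of the difference between the two renderers.
function demo() {
  return {
    unsafeIsActive: containsActiveMarkup(renderUnsafe(SAMPLE_MESSAGE)), // true
    safeIsActive: containsActiveMarkup(renderSafe(SAMPLE_MESSAGE)),     // false
    safeHtml: renderSafe(SAMPLE_MESSAGE),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The design point is where the defence sits: escaping at the point where text meets markup neutralises every element kind at once, whereas a deny-list regex over the input has to anticipate each tag, attribute and encoding variant, which is the kind of gap the researcher's closing doubt is about.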
Signal users should consider updating their software as soon as possible.