Wire Secure Messenger Remote Format String Vulnerability

A format string vulnerability (CVE-2023-48221) in the Wire AVS library used in Wire Secure Messenger allows an attacker to cause a denial of service (application crash) or possibly execute arbitrary code via a voice or video call. This affects Wire AVS (Audio, Video, and Signaling) before 9.2.22 and 9.3.5.

Details

During a penetration test of the Wire Secure Messenger, the focus was placed on investigating several remote attack vectors, particularly those related to the processing of SDP (Session Description Protocol) data, a known area of concern from past research. The Wire AVS (Audio, Video, and Signaling) library, an open-source component, is used for processing the SDP data in Wire. Notably, the use of format string parameters within this library had already been identified as a potential issue. A straightforward grep search uncovered the following line of code:

...
mbuf_printf(bundle.mb, sdp_session_rattr(sess, "group"));
...


The mbuf_printf function takes as its second parameter a format string derived directly from the received SDP data. This function uses a custom variant of the printf function that supports different format string parameters. This provides multiple ways for an attacker to exploit the vulnerability.
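A general hardening pattern for this class of bug, as an added example that is not Wire's code and not the actual patch: outbuf_printf and append_group_attr are hypothetical stand-ins for a printf-style buffer writer such as mbuf_printf, and the attribute value is a constructed sample.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style buffer writer such as mbuf_printf.
 * The format attribute lets GCC/Clang -Wformat-security flag any call whose
 * format argument is not a string literal. */
struct outbuf { char data[128]; size_t len; };

__attribute__((format(printf, 2, 3)))
static int outbuf_printf(struct outbuf *ob, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(ob->data + ob->len, sizeof(ob->data) - ob->len, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof(ob->data) - ob->len)
        return -1;              /* error or truncated output: reject */
    ob->len += (size_t)n;
    return 0;
}

/* Hardened pattern: the peer-supplied attribute value is only ever an
 * argument to a constant "%s" format, never the format itself. */
static int append_group_attr(struct outbuf *ob, const char *group)
{
    if (!group)
        return -1;              /* attribute absent from the SDP */
    return outbuf_printf(ob, "%s", group);
}

/* Vulnerable pattern, shown for contrast only and never called:
 *     outbuf_printf(ob, group);
 */
int main(void)
{
    struct outbuf ob = { {0}, 0 };
    const char *group = "BUNDLE audio %s %x";   /* constructed sample value */

    if (append_group_attr(&ob, group) != 0)
        return 1;
    printf("%s\n", ob.data);    /* conversion specifiers are copied literally */
    return 0;
}
```

Building with -Wformat -Wformat-security turns the commented-out call shape into a compiler warning, which makes it a useful CI gate for wrappers that carry the format attribute.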

Impact

An externally-controlled format string could lead to buffer overflows, denial of service, or data representation problems. To exploit the vulnerability, an attacker needs to start a voice or video call to a contact and replace the SDP attribute value during signaling with a malformed format string. If the victim accepts the call, the format string vulnerability is triggered. This leads at least to a denial of service (application crash) and potentially to remote code execution.

References

Holger Fuhrmannek (holger.fuhrmannek@telekom.de)