CVE-2018-6344

HIGH 7.5 / 10.0
Published: December 31, 2018 at 10:29 PM
Modified: May 6, 2025 at 04:15 PM
Source: cve-assign@fb.com

Vulnerability Description

A heap corruption in WhatsApp can be caused by a malformed RTP packet being sent after a call is established. The vulnerability can be used to cause denial of service. It affects WhatsApp for Android prior to v2.18.293, WhatsApp for iOS prior to v2.18.93, and WhatsApp for Windows Phone prior to v2.18.172.

CVSS Metrics

Base Score: 7.5
Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

Source: cve-assign@fb.com
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

WhatsApp is vulnerable to a denial-of-service (DoS) attack due to a heap corruption flaw in its Real-time Transport Protocol (RTP) packet handling. Attackers can trigger this vulnerability by sending a crafted RTP packet after a call is established, leading to application crashes and service disruption for affected users.

02 // Vulnerability Mechanism

Step 1: Call Establishment: The attacker initiates a WhatsApp call with the victim.

Step 2: Call Connection: The call is connected, establishing an active audio stream.

Step 3: Malformed Packet Injection: The attacker sends a specially crafted RTP packet to the victim's WhatsApp client. This packet is designed to exploit the vulnerability.

Step 4: Packet Processing: The victim's WhatsApp client receives and attempts to process the malicious RTP packet.

Step 5: Heap Corruption: Due to a flaw in the packet processing logic, handling the packet corrupts the client's heap memory.

Step 6: Denial of Service: The corrupted heap memory causes the WhatsApp client to crash or become unstable, resulting in a DoS condition for the victim.

03 // Deep Technical Analysis

The vulnerability stems from improper handling of RTP packets within WhatsApp's audio call processing. Specifically, the software fails to adequately validate the size or structure of incoming RTP packets after a call has been established. This leads to a heap corruption condition, where data is written outside of allocated memory buffers. The root cause is likely an integer overflow or an off-by-one error when calculating memory allocation sizes or copying data from the malicious RTP packet. This corrupted heap memory can then lead to a crash when the application attempts to access or free the corrupted memory, resulting in a DoS.
