Moxie Marlinspike, the creator of the popular encrypted messaging app Signal, announced that Cellebrite mobile forensics tools developed by Cellebrite are affected by multiple vulnerabilities that could be exploited to achieve arbitrary code execution.
Cellebrite develops forensics tools for law enforcement and intelligence agencies that allow automating physically extracting and indexing data from mobile devices. The popular cryptographer and researcher Moxie claims the list of customers of the company includes authoritarian regimes in Belarus, Russia, Venezuela, and China, death squads in Bangladesh, and military juntas in Myanmar.
In December December announced that its Physical Analyzer is able to decrypt messages and data from the Signal’s messaging app.
Cellebrite produce two primary pieces products, the UFED and Physical Analyzer. the former allows experts to create a backup the device onto the Windows machine running UFED, the latter parses the files from the backup to display the data in browsable form.
Moxie pointed out that the Cellebrite software parses data that comes from multiple apps running on the devices that represent an untrusted source. The data may not be formatted correctly and could potentially trigger a memory corruption vulnerability that leads to code execution on the device.
“the data Cellebrite’s software needs to extract and display is ultimately generated and controlled by the apps on the device, not a “trusted” source, so Cellebrite can’t make any assumptions about the “correctness” of the formatted data it is receiving. This is the space in which virtually all security vulnerabilities originate.” reads the post published by Moxie. “Since almost all of Cellebrite’s code exists to parse untrusted input that could be formatted in an unexpected way to exploit memory corruption or other vulnerabilities in the parsing software, one might expect Cellebrite to have been extremely cautious. Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security. Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present”
The popular expert explained that the flaw could be exploited in multiple ways by simply including a specially formatted but otherwise innocuous file in any app on a device that when parsed by Cellebrite software could trigger the exploit.
“For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures” continues the expert.
The researcher shared a video POC of the attack that demonstrates how to trigger the issue while analyzing files stored in the device, the payload used by the expert leverages the MessageBox Windows API to deliver a message to the user.
Moxie also noticed that that the installer for the Packet Analyzer includes MSI packages digitally signed by Apple and apparently extracted from the Windows installer for iTunes version 126.96.36.199.
Both packages import DLLs used to allow the forensic tools to extract data from iOS devices.
“It seems unlikely to us that Apple has granted Cellebrite a license to redistribute and incorporate Apple DLLs in its own product, so this might present a legal risk for Cellebrite and its users.” concludes the expert.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, WhatsApp)