The document discusses the development of a 1-click exploit targeting the Messenger application for Android, focusing on the exploitation of vulnerabilities within its architecture. It outlines the methodology of 'Defense through Offense', which aims to enhance security by identifying and exploiting flaws in their own software. The exploit demonstrated remote code execution through a series of chained vulnerabilities, emphasizing the importance of continuous security research and mitigation strategies.


Building a 1-click Exploit Targeting Messenger for Android

Defense through Offense

Andrew Calvano (Meta Product Security), Octavian Guzu (Meta Product Security), Ryan Hall (Meta Red Team X)
Agenda
01 Introductions
02 Background
03 Exploitation
04 Mitigations
05 Takeaways/Questions
01 Introductions

Octavian Guzu
• Product Security Engineer @Meta, London
• Currently working on Messenger and Video Calling security
• Crypto enthusiast, computer science background

Andrew Calvano
• Product Security Engineer @Meta, USA
• Working on cross-platform Family of App security with emphasis on Messenger
• Vulnerability research, reverse engineering, and computer science background

Ryan Hall
• Offensive Security @Meta, USA
• Focus on security of 3rd party software and hardware
• Vulnerability research, low level platform/device security.
01 Introductions: What is Defense through Offense?

Improving security posture through demonstrated compromise of our own software
• Goals:
﹘ Exploit mitigations research
﹘ Identifying flaws in design that only become apparent through exploitation
﹘ Discovering new attack surface
﹘ Building data points for in the wild detection and incident response
• Outcomes:
﹘ Three exercises to date producing ~45 security engineering work streams to harden Meta products
01 Introductions: Defense through Offense Execution

Step 1: Curate known vulnerabilities and develop relevant and realistic exploitation scenarios to investigate (e.g. 0-click messaging vs 1-click calling)
Step 2: Reintroduce curated vulnerabilities on top of the latest release of the target software
Step 3: Develop exploitation primitives from subsets of curated vulnerabilities and build an exploit targeting the vulnerable build by chaining them together
Step 4: Document the exploit and brainstorm security engineering work streams to mitigate similar scenarios
01 Introduction: Defense through Offense Exercises To Date

Meta Quest 2: Inaugural exercise targeting the Quest 2 device. The exercise resulted in the creation of a local privilege escalation exploit for VROS. The exploit scenario was from the perspective of a malicious or compromised application installed to VROS.

Ray-Ban Stories: Second exercise targeting firmware vulnerabilities on the Ray-Ban Stories wearable glasses. The scenario was an over-the-air proximity based attack. The exploit allowed an attacker within Bluetooth range of a Ray-Ban Stories user to execute code on the victim's glasses.

Messenger for Android: Most recent exercise we will be discussing today. The exercise created a 1-click calling exploit targeting the Messenger for Android application resulting in remote code execution.
02 Background
02 Background: Messenger Application Introduction

What is Messenger?
02 Background: Messenger Messaging Architecture

Msys
• Cross platform messaging stack written in C
• Manages database, accounts, incoming/outgoing messaging, etc.
• E2EE messaging support requiring client side validation of messaging and media content

Messenger Core Foundations (MCF)
• Core types used by Msys applications
• MCF is an abstraction layer around CoreFoundations
﹘ On Apple platforms, it calls CoreFoundations APIs directly
﹘ On Non-Apple platforms, it calls a cross platform implementation
• Objects inherit from a base class, are reference counted, and encode type specific functionality such as initializers and destructors
02 Background: Messenger Calling Architecture

Primarily managed by the Rsys and WebRTC libraries
• Supports both 1:1 and group audio/video calls
• Rsys manages client side signaling and WebRTC
• WebRTC maintains connections to servers/clients and manages media
Two relevant attack vectors to consider
• Call Signaling
﹘ Communication between clients, infrastructure, and other clients to manage call state
﹘ Structured Thrift protocol that defines messages
• Call Media
﹘ WebRTC relevant protocols (e.g. RTP, STUN, SCTP) and audio/video codecs (e.g. OPUS, H264)
02 Background: Messenger Spark AR

Spark AR is the AR effect engine powering AR experiences across Meta products
• AR effects developed in JavaScript
Group calling AR effects are auto enabled for all call participants when any call participant enables them
• Exploit uses malicious Group AR effect to force victim client to download and execute it
Multipeer AR effect feature
• Cross-client AR effect network communication
• Our malicious effect uses this to exfiltrate out of bounds memory to our malicious caller
03 Exploitation

03 Defense through Offense: Social Ops

Messenger Exploitation Scenario

Scenario: 1-click calling exploit initiated by a malicious caller
• Environment
﹘ Pixel 6a Emulators + Physical Device
﹘ Android 12
• Constraints:
﹘ Threat actor can call their victim in a 1:1 call
﹘ The victim user must answer the call
• Exploitation Goals:
﹘ Execute code after call accept within the victim application
03 Vulnerabilities

Our exploit chains four exploitation primitives from a set of 4 vulnerabilities. These vulnerabilities are a mix of issues crossing different FoA components. All were internally discovered during security reviews of Meta code and have been fixed.

Curated Vulnerability / Title / Security Impact

Vulnerability 1 (Rsys)
Title: Rsys Apps Vulnerable to Incoming Call Metadata Spoofing
Security Impact: A malicious user can create a call appearing as if it is coming from someone else (e.g. Mom)

Vulnerability 2 (Spark AR)
Title: Out of bounds Read in SegmentationModule::getForegroundPercent
Security Impact: An AR effect can read out of bounds on the heap potentially leading to information disclosure and an ASLR defeat

Vulnerability 3 (Rsys)
Title: Signaling messages sendable over media data channel
Security Impact: Malicious calling clients can send signaling messages P2P that should be reserved for the server

Vulnerability 4 (Rsys)
Title: Incorrect Signed Integer Comparison Leads to OOB Write in UnifiedPlanSdpUpdateSerializer::applyDelta
Security Impact: Out of bounds write on the heap reachable client-to-client during a call that can corrupt the heap in a targeted manner
03 Exploitation: Chained Primitives Achieve Remote Code Execution

(Sequence diagram between Malicious Caller and Victim Callee)
Caller -> Callee: Send a shared library as an E2EE attachment (Primitive 1)
Caller -> Callee: Ring callee with spoofed caller metadata and heap spray payload (Primitive 2)
Callee: Victim answers the call
Caller -> Callee: Auto-enable malicious AR effect for all participants (Primitive 3)
Callee -> Caller: Disclosed Memory Contents
Caller -> Callee: Execute control flow hijack using out of bounds write (Primitive 4) (Chained with Primitive 1 planted library)
03 Exploitation: Primitive 1

Send a shared library as an E2EE attachment

This primitive exploits E2EE attachments to send a shared library that is prefetched and stored on to the victim file system.

Downloaded attachments have a predictable file path on the victim file system based on the SHA256 hash of the plaintext contents
• The exploit knows this path deterministically since it controls the plaintext contents of the incoming attachment

The exploit sends the shared library before it initiates the call to ensure it will be available on the file system before the control flow hijack
03 Exploitation: Primitive 2

Ring callee with spoofed caller metadata

(Figure labels: "Attacker sends" / "Victim Receives")

The Rsys "Ring Request" signaling message encodes an incoming call action on Rsys clients
• This is generated by the server after processing a caller generated "Join Request" signaling message
Inside of the ring request we have the appMessages field:
﹘ Caller controlled vector of (topic, data) pairs carried from the Join Request

Vulnerability 1: Rsys Apps Vulnerable to Incoming Call Metadata Spoofing
• appMessages contained the "call_metadata" topic; an attacker could have supplied the caller name and profile picture URI
﹘ The UI displayed whatever contents were in this field
03 Exploitation: Primitive 2

Proof of concept code on modified caller client (screenshot with callouts):
• Topic set to call_metadata
• Payload set to spoofed caller information
• DataMessage packaged into appMessages Thrift payload and sent to victim client
• Victim Client updates call model with spoofed caller information
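To show the trust boundary Vulnerability 1 crosses, here is an added C++ example (not Rsys code): a ring request whose caller-supplied appMessages carry a call_metadata topic, the vulnerable name resolution that trusts it, and a hardened version that drops reserved topics at the server and derives identity only from a server-attested field. The struct and function names and the attestedCallerId field are assumptions.

```cpp
// Added example, not Rsys code. Models the appMessages trust boundary of the
// Ring Request: (topic, data) pairs are copied verbatim from the caller's
// Join Request, and the UI rendered the "call_metadata" topic as the caller.
#include <string>
#include <vector>

struct AppMessage {
    std::string topic;
    std::string data;
};

struct RingRequest {
    std::string attestedCallerId;        // assumed: identity set by the server, never by the caller
    std::vector<AppMessage> appMessages; // caller controlled, forwarded by the server
};

// Vulnerable shape: whatever the caller placed under "call_metadata" becomes
// the name the victim sees, so "Mom" is displayed for an arbitrary account.
std::string resolveCallerNameVulnerable(const RingRequest& req) {
    for (const auto& m : req.appMessages)
        if (m.topic == "call_metadata") return m.data;
    return req.attestedCallerId;
}

// Hardened layer 1 (server side): reserved topics are stripped before the
// Join Request's appMessages are forwarded in the Ring Request.
static const char* const kReservedTopics[] = {"call_metadata"};

std::vector<AppMessage> stripReservedTopics(const std::vector<AppMessage>& in) {
    std::vector<AppMessage> out;
    for (const auto& m : in) {
        bool reserved = false;
        for (const char* t : kReservedTopics)
            if (m.topic == t) reserved = true;
        if (!reserved) out.push_back(m);
    }
    return out;
}

// Hardened layer 2 (client side): caller identity comes only from the
// server-attested field; appMessages are never consulted for it.
std::string resolveCallerNameFixed(const RingRequest& req) {
    return req.attestedCallerId;
}

// Constructed hostile request: account "attacker_42" claims to be "Mom" and
// also carries an unrelated, legitimate effect topic that must survive filtering.
RingRequest spoofedRequest() {
    return RingRequest{"attacker_42",
                       {{"call_metadata", "Mom"}, {"effect_state", "{}"}}};
}
```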
03 Exploitation: Scudo Interlude

Interlude: Scudo
Scudo is the default heap allocator used on Android >= 11
• When you call malloc and free on these platforms you are using Scudo

Scudo includes the following security features:
• Checksum of heap chunk metadata to detect corruption on free
• Size class regions based on requested allocation size
﹘ Guard pages between regions
• Non-determinism
﹘ Randomized selection of chunk to fulfill allocation within class region

References:
https://www.l3harris.com/newsroom/editorial/2023/10/scudo-hardened-allocator-unofficial-internals-documentation
https://www.synacktiv.com/en/publications/behind-the-shield-unmasking-scudos-defenses
03 Exploitation: Primitive 2

Ring Callee: MCFData Heap Spraying

(Figure: MCFData objects created from a Ring Request)

Leverage appMessages list in the Ring Request to spray the heap with attacker controlled data
• appMessages are translated into (MCFString, MCFData) pairs allocated on the Scudo heap
• Attacker has control over data and size
• Many can be supplied in a single request (~1MB max)
• They persist in a call session for the duration of the call
• They are freed when the call ends
MCF types contain a type table pointer
• This will be our corruption target for our control flow hijack primitive later on in the chain
03 Exploitation: Primitive 2

Ring Callee: MCFData Heap Spraying

Scudo allocates from a class region in TransferBatches
• Chunks within each TransferBatch are randomly shuffled
• Each TransferBatch is allocated from the Region in a linear fashion

Spraying many back to back allocations will result in a large contiguous attacker controlled block
03 Exploitation: Primitive 3

Auto-enable malicious AR effect to defeat ASLR

(Figures: "OOB Read Vulnerability Snippet", callout "MaskId int used to read foregroundPercent_ vector OOB in C++"; "OOB Read Exploitation by AR Effect", callout "Idx supplied in JS program to trigger C++ OOB Read")

Vulnerability 2: Security vulnerability in SegmentationModule::getForegroundPercent leads to information disclosure
• Relative backwards out of bounds read of 32-bit value as float data type
• Exploited via Group AR effect JavaScript program

The exploit AR effect uses this to defeat ASLR by identifying a library address we will use for JOP gadgets
• Challenges
﹘ Not all 32-bit IEEE-754 floats cast cleanly to integers, instead producing NaN
﹘ We don't know where the heap is or how it's structured at time of vulnerability trigger
03 Exploitation: Primitive 3

Auto-enable malicious AR effect to defeat ASLR
• We can read two 32-bit floats to get a 64-bit integer relative out of bounds read.
• We must handle the case where one of the 32-bit floats does not cast properly, producing NaN
﹘ This introduces some reliability issues since we cannot expect a 100% success rate for our reads
03 Exploitation: Primitive 3

Auto-enable malicious AR effect to defeat ASLR

Next we must turn the relative 64-bit integer out of bounds read into a 64-bit arbitrary out of bounds read

The vector we are reading OOB from is 12 bytes in size
• Implication: we are indexing relative to allocations 16 bytes or less based on Scudo bin sizes

Consider our primitive's behavior relative to this vector base

oob_read(idx) = read32(vector_base + idx * 4)

If we knew the address of our vector base we could turn this primitive into the following

read32(address) = oob_read((address - vector_base)/4)
03 Exploitation: Primitive 3

Auto-enable malicious AR effect to defeat ASLR

How do we find our vector base?
• Some objects store the address of their own heap chunk inside the object.
﹘ For example: linked lists, objects with internal buffers.
• Heuristic
﹘ Scan heap relative to vector looking for self-referential heap addresses
﹘ Scudo uses tagged pointers: top byte set to 0xb4
﹘ Scudo heap chunks are 16-byte aligned.
﹘ Scudo heap pointers have high entropy, so if we calculate the entropy of bits [4..39] of the pointer, we can ignore any low entropy pointers
﹘ Compute candidate vector base address by accounting for OOB index offset and scanned self-referential heap address
﹘ Store in a frequency table
﹘ Pick most frequent address as vector base
03 Exploitation: Primitive 3

Auto-enable malicious AR effect to defeat ASLR

We now have an arbitrary read and can start searching for a library we want an address of for JOP gadget computation.
• We will search for libcoldstart.so by identifying MCFData objects on the heap
﹘ MCFData contains a type table pointer pointing to .data within libcoldstart.so

To perform the search we first enumerate scudo bins
1. Scan for all heap pointers adjacent to our OOB vector.
2. Use the arbitrary read primitive to read the Scudo chunk metadata header.
3. Validate that the header is a valid Scudo header.
   a. Optionally, check if the following chunk is also a valid Scudo chunk based on the chunk size.
4. Store the heap address into a list of heap addresses per Scudo bin.
03 Exploitation: Primitive 3

Auto-enable malicious AR effect to defeat ASLR

(Figure callouts: "Iterate over each scudo bin address and perform search for MCFData"; "Pattern match the scanned memory for MCFData expected values (TypeID offset + reasonable ref counts)")

Now that we have enumerated the scudo bins we can start looking for MCFData objects in memory to find libcoldstart.so offsets
• MCFData is convenient to search for since it has a very predictable structure with expected values in memory
• We now have our ASLR defeat identifying libcoldstart.so offset through _typeID in scanned object
03 Exploitation: Primitive 3

Auto-enable malicious AR effect: Controlled object placement

(Figure callouts: "Spray Uint8Array"; "Use arbitrary read to locate sprayed objects"; "Overwrite sprayed objects with JOP chain payload"; "Leak object addresses over the network using Multipeer")

The exploit requires the AR effect to allocate an object structured in a certain way that we can use in our subsequent JOP chain
• The effect sprays objects on the heap using Uint8 arrays and identifies them using the arbitrary read
• Then the effect modifies one of the objects with controlled data for the JOP chain representing a fake MCFRuntime class

After the address of the controlled object is obtained using the arbitrary read primitive, the AR effect sends both the libcoldstart.so offset and the object address to the malicious client
• This is accomplished using the multipeer feature which sends the data over the network
03 Exploitation: Primitive 4

Execute control flow


hijack using out of
bounds write
Out of bounds write requires two vulnerabilities
03 Exploitation: Primitive 4

Execute control flow


hijack using out of
bounds write
Out of bounds write requires two vulnerabilities

Vulnerability 3: Signaling messages sendable over media data


channel
• Capped at 1024 bytes per send over RTP data channel
• One-shot per call due to state machine alterations
03 Exploitation: Primitive 4

Execute control flow


hijack using out of
bounds write Vulnerability 3: Thrift
Signaling Message Payload
Out of bounds write requires two vulnerabilities

Vulnerability 3: Signaling messages sendable over media data


channel
• Capped at 1024 bytes per send over RTP data channel
• One-shot per call due to state machine alterations
03 Exploitation: Primitive 4

Execute control flow


hijack using out of
bounds write
Out of bounds write requires two vulnerabilities

Vulnerability 3: Signaling messages sendable over media data


channel
• Capped at 1024 bytes per send over RTP data channel
• One-shot per call due to state machine alterations

Vulnerability 4: Incorrect Signed Integer Comparison Leads to


OOB Write in UnifiedPlanSdpUpdateSerializer::applyDelta
• Reachable using SessionDescriptionUpdate signaling
payload from Vulnerability 3
• Backwards relative from from std::vector base
• Controlled index up to signed int min
• Controlled values written out of bounds
﹘ 3x std::string overwrite
03 Exploitation: Primitive 4

Execute control flow hijack using out of bounds write

Out of bounds write requires two vulnerabilities

Vulnerability 3: Signaling messages sendable over media data channel
• Capped at 1024 bytes per send over RTP data channel
• One-shot per call due to state machine alterations

Vulnerability 4: Incorrect Signed Integer Comparison Leads to OOB Write in UnifiedPlanSdpUpdateSerializer::applyDelta
• Reachable using SessionDescriptionUpdate signaling payload from Vulnerability 3
• Backwards relative from std::vector base
• Controlled index up to signed int min
• Controlled values written out of bounds
﹘ 3x std::string overwrite

Slide callouts on the Vulnerability 4 OOB write snippet (code shown on slide, not reproduced here):
• Position: negative i32 from Thrift results in OOB vector reference
• 3x std::string OOB write relative to vector base
• std::string short string optimization constructs in place (0x17 data + 0x1 byte of size)
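As an added example (not the talk's or Messenger's code), the shape of the signed comparison flaw described for Vulnerability 4 beside a hardened check: a Thrift i32 position compared against a vector size that has been cast to a signed int accepts any negative index. The exact form of the original comparison and the MediaDescriptionUpdate struct are assumptions, and the sample vector is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Constructed stand-in for the Thrift-decoded update; the real struct layout is
// not on the slides. Only the i32 position and the written value matter here.
struct MediaDescriptionUpdate {
    int32_t position;     // index into the target vector, taken from the payload
    std::string payload;  // value written at that index
};

// Assumed shape of the flawed comparison: size() is cast to a signed int before
// the compare, so any negative position (down to INT32_MIN) is accepted and
// vec[position] then indexes backwards from the std::vector base.
bool legacyCheckAccepts(int32_t position, size_t size) {
    return position < static_cast<int32_t>(size);
}

// Hardened check: reject negatives first, then compare in the unsigned domain.
bool hardenedCheckAccepts(int32_t position, size_t size) {
    if (position < 0) return false;
    return static_cast<size_t>(position) < size;
}

// applyDelta with the hardened check: returns false and writes nothing when the
// position is out of range. libc++ hardening (_LIBCPP_HARDENING_MODE) would in
// addition trap an out-of-range operator[] access instead of performing the write.
bool applyDeltaHardened(std::vector<std::string>& descs, const MediaDescriptionUpdate& upd) {
    if (!hardenedCheckAccepts(upd.position, descs.size())) return false;
    descs[static_cast<size_t>(upd.position)] = upd.payload;
    return true;
}

// Stand-alone run over a constructed vector of four media descriptions.
int main() {
    std::vector<std::string> descs(4, "m=audio");
    MediaDescriptionUpdate inRange{2, "m=video"};
    MediaDescriptionUpdate negative{-3, "overwrite"};
    bool ok1 = applyDeltaHardened(descs, inRange);   // true: descs[2] updated
    bool ok2 = applyDeltaHardened(descs, negative);  // false: nothing written
    return (ok1 && !ok2 && descs[2] == "m=video") ? 0 : 1;
}
```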
03 Exploitation: Primitive 4

Control flow hijack using out of bounds write

The exploit can perform the out of bounds write but now the question is “What do we corrupt?”
• Answer: The sprayed MCFData objects from Primitive 2

The sprayed MCFData objects are sized such that they are allocated in the same Scudo region (0x160) as the indexed vector
• Note: Scudo is non deterministic
﹘ Exploit is not 100% reliable
﹘ We increased probability of success by spraying many MCFData objects

The exploit structures the overwrite to corrupt a type table pointer in an MCFData object to point to the controlled object from Primitive 3 (ARFX)
﹘ At call end, the object will be freed calling a fake finalize function pointer specified in the controlled object

Slide callouts:
• Corruption target is a sprayed MCFData object
• Fake type table in ARFX placed object
• Hijacked finalize fptr called on object destruction at end of call
03 Exploitation: Primitive 4
MCFData Object Overwrite

Diagram: Scudo Class Region 0x160
• Index base: std::vector<MediaDescriptionUpdate>
• Sprayed MCFData objects from Primitive 2 sit in the same region
• Negative index (selected from offline sampling of exploit success) * 0x50, applied backwards from the index base
• Overwrite must be offset to overwrite the MCFData typeID but not fields that will break execution
• Point type table to fake MCFRuntimeClass allocated by ARFX
03 Exploitation: Primitive 4

JOP Chain to Stage 1 Payload

1. MCFRelease decrements ref count to 0 and calls corrupted finalize() function pointer
2. ldr x8, [x19]
   Places start of fake object into x8 (x19 points to the start of the overwritten MCFData object)
3. ldp x0, x9, [x8, #0x110]
   Places dlopen path into x0; places dlopen gadget into x9
4. dlopen loads the library path from Primitive 1 achieving RCE
03 Exploitation: Primitive 4

Stage 1 Payload: RevShell


DEMO
04 Mitigations
04 Mitigations

Exploitation provides defensive insight

Building the exploit allowed us to identify 15+ security engineering outcomes to harden both Messenger for Android as well as the larger Meta Family of Apps. These engineering tasks would not have been obvious unless we had actually gone through the effort of building the exploit.

Title                                            Mitigation Details
Prevent Direct dlopen of E2EE Files              Hook dlopen in app to prevent dynamic loads of E2EE file attachment paths.
Libcpp Hardening to Mitigate OOB STL Accesses    Deploy libc++ hardening to mitigate issues like Vulnerabilities 2 and 4 from being exploitable
Improve App Message Handling in Server Side      Remove the 0-click heap spraying primitive by hardening server side validation logic
Infrastructure
Msys Memory Isolation for MCF Types              Isolate Msys allocations from the system heap to make them harder to target for corruption
Closing gap in CFI icall protection              Restricts jump oriented programming attacks by protecting MCF function pointer calls
Takeaways

• Exploitation can be used as a defensive exercise to harden products
• All vulnerabilities presented in this talk have been fixed
• Participate in Meta’s bug bounty program to earn monetary rewards up to $300k
﹘ WhatsApp in scope for Pwn2Own Ireland, October 22–25, 2024
Thanks! Questions?
Resources:
1. https://engineering.fb.com/2023/09/12/security/meta-quest-2-defense-through-offense/
2. https://www.facebook.com/whitehat - Meta Bug Bounty

Andrew Calvano, Meta Product Security
Octavian Guzu, Meta Product Security
Ryan Hall, Meta Red Team X

Special Mention: Sampriti Panda, for his help in the exercise
