Allele Security Alert
ASA-2019-00555
Identifier(s)
ASA-2019-00555, CVE-2019-17191
Title
Incoming call can be connected without user interaction
Vendor(s)
Signal Messenger LLC
Product(s)
Signal Private Messenger
Affected version(s)
Signal Private Messenger for Android before version 4.47.7
Fixed version(s)
Signal Private Messenger for Android version 4.47.7
Proof of concept
Unknown
Description
The Signal Private Messenger application before 4.47.7 for Android allows a caller to force a call to be answered, without callee user interaction, via a connect message. The existence of the call is noticeable to the callee; however, the audio channel may be open before the callee can block eavesdropping.
Technical details
There is a logic error in Signal that can cause an incoming call to be answered even if the callee does not pick it up.
In the Android client, there is a method handleCallConnected that causes the call to finish connecting. During normal use, it is called in two situations: when callee device accepts the call when the user selects ‘accept’, and when the caller device receives an incoming “connect” message indicating that the callee has accepted the call. Using a modified client, it is possible to send the “connect” message to a callee device when an incoming call is in progress, but has not yet been accepted by the user. This causes the call to be answered, even though the user has not interacted with the device. The connected call will only be an audio call, as the user needs to manually enable video in all calls. The iOS client has a similar logical problem, but the call is not completed due to an error in the UI caused by the unexpected sequence of states. I would recommend improving the logic in both clients, as it is possible the UI problem doesn’t occur in all situations.
To reproduce this problem on the Android client, replace the method handleSetMuteAudio in the file WebRtcCallService.java with the following method.
private void handleSetMuteAudio(Intent intent) {
Log.e(TAG, "SENDING MESSAGE");
this.dataChannel.send(new DataChannel.Buffer(ByteBuffer.wrap(Data.newBuilder().setConnected(Connected.newBuilder().setId(this.callId)).build().toByteArray()), false));
intent.putExtra(EXTRA_CALL_ID, this.callId);
intent.putExtra(EXTRA_REMOTE_ADDRESS, recipient.getAddress());
handleCallConnected(intent);
}
Then build the client and install it and make a call. When the call is ringing, the audio mute button can be pressed to force the callee device to connect, and audio from the callee device will be audible.
Credits
Natalie Silvanovich (Google Project Zero)
Reference(s)
Issue 1943: Signal: Incoming call can be connected without user interaction
https://bugs.chromium.org/p/project-zero/issues/detail?id=1943
Localize call audio and video activation code
https://github.com/signalapp/Signal-Android/commit/e58823f4698dec5ecb2af0d0a75181b07d3378b1
CVE-2019-17191
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17191
CVE-2019-17191
https://nvd.nist.gov/vuln/detail/CVE-2019-17191
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 9, 2019