Here’s a full technical rewrite of the WhatsApp vs. NSO Group spyware case, focusing on CVE-2019-3568, its exploitation logic, and WhatsApp’s patch implementation:

CVE-2019-3568 – WhatsApp VoIP Stack RCE
Exploit Summary
CVE-ID: CVE-2019-3568
Vulnerability Type: Memory corruption – heap-based buffer overflow
Attack Vector: Remote, via malformed RTCP (Real-time Transport Control Protocol) packets sent during a WhatsApp voice call
Impact: Remote Code Execution (RCE) in the WhatsApp process without user interaction (zero-click)
Platform: Android and iOS WhatsApp clients
Patched: WhatsApp v2.19.134 (Android) and v2.19.51 (iOS), May 2019

Exploitation Logic
1. Target Surface
The exploit leverages the libSRTP-based VoIP stack, which handles the RTCP packets used for session feedback and control in encrypted voice calls.
The RTCP parsing logic failed to sanitize certain control fields, especially extended report (XR) block lengths and payload types.
2. Exploit Algorithm Flow
1. Attacker initiates WhatsApp voice call to target (call never needs to be answered).
2. During SIP/VoIP session setup, attacker injects a malformed RTCP packet:
– Payload includes an extended report (XR) with a length field that causes heap corruption.
– The data pointer is shifted to point into a controlled heap region.
3. Heap spray is used prior to the call to fill memory with ROP gadgets or shellcode.
4. WhatsApp’s VoIP thread parses the corrupted RTCP payload:
– Triggers a buffer overflow
– Hijacks return address via overwritten heap metadata
5. Final stage loader downloads and injects the Pegasus spyware binary into user space.

Vulnerability Root Cause
A lack of proper bounds checking in srtp_unprotect() when handling compound RTCP packet lengths. Specifically, incorrect handling of:
– block_length in XR headers
– packet size mismatch between the declared length and the actual read buffer
ASLR and DEP were bypassed using dynamic heap shaping and ROP chains tailored to the victim’s device/OS version.

Patch Details (May 2019)
WhatsApp Patch Analysis
Introduced stricter validation in the VoIP media engine:
– Validated block_length and total_length fields in RTCP/XR headers
– Rejected malformed RTCP packets that exceeded expected control sizes
– Recompiled the VoIP library with stack canaries, PIE, RELRO, and hardened malloc on Android and iOS
– Moved critical parsing logic out of untrusted network threads into a sandboxed process (in newer versions)
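The length checks described above (validating block_length and total_length against the bytes actually received, and rejecting any packet that claims more than the buffer holds) and the root-cause mismatch between declared and real packet size look like the following when written out. This is an added example, not WhatsApp’s, libSRTP’s or NSO’s code: it follows the RTCP common-header layout from RFC 3550 and the XR report-block layout from RFC 3611, and the function names, verdict codes and sample datagrams are all constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not the real media engine): a bounds-checked walk over a compound
 * RTCP datagram that rejects any sub-packet or XR report block whose declared
 * length exceeds the bytes actually received. Names are illustrative. */

#define RTCP_VERSION 2
#define RTCP_PT_RR   201
#define RTCP_PT_XR   207

enum rtcp_verdict {
    RTCP_OK = 0,
    RTCP_ERR_TRUNCATED_HEADER,       /* fewer than 4 bytes left for a header         */
    RTCP_ERR_BAD_VERSION,            /* version bits are not 2                        */
    RTCP_ERR_LENGTH_EXCEEDS_BUFFER,  /* header length field runs past the read buffer */
    RTCP_ERR_XR_TRUNCATED_SSRC,      /* XR packet too short to hold its SSRC          */
    RTCP_ERR_XR_BLOCK_EXCEEDS_PACKET,/* XR block_length runs past its own packet      */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Check the XR report blocks in [p, p + len), p pointing just past the 4-byte common
 * header. Each block: BT (1), type-specific (1), block_length (2, in 32-bit words,
 * header excluded), then block_length words of body. */
static enum rtcp_verdict validate_xr_blocks(const uint8_t *p, size_t len, size_t *blocks_out)
{
    size_t blocks = 0;
    if (len < 4) return RTCP_ERR_XR_TRUNCATED_SSRC;
    p += 4; len -= 4;                                     /* skip the XR sender SSRC */
    while (len > 0) {
        if (len < 4) return RTCP_ERR_XR_BLOCK_EXCEEDS_PACKET;      /* dangling partial header */
        size_t body = (size_t)be16(p + 2) * 4;                     /* block_length -> bytes */
        if (body > len - 4) return RTCP_ERR_XR_BLOCK_EXCEEDS_PACKET; /* the missing bounds check */
        p += 4 + body; len -= 4 + body;
        blocks++;
    }
    if (blocks_out) *blocks_out = blocks;
    return RTCP_OK;
}

/* Walk every sub-packet of a compound RTCP datagram. The declared total_length,
 * (length field + 1) * 4 bytes, is compared against what is still in the buffer
 * before anything inside the packet is parsed. */
enum rtcp_verdict validate_rtcp_compound(const uint8_t *buf, size_t buflen,
                                         size_t *packets_out, size_t *xr_blocks_out)
{
    size_t off = 0, packets = 0, xr_blocks = 0;
    while (off < buflen) {
        const uint8_t *h = buf + off;
        if (buflen - off < 4) return RTCP_ERR_TRUNCATED_HEADER;
        if ((h[0] >> 6) != RTCP_VERSION) return RTCP_ERR_BAD_VERSION;
        size_t total_length = ((size_t)be16(h + 2) + 1) * 4;
        if (total_length > buflen - off) return RTCP_ERR_LENGTH_EXCEEDS_BUFFER;
        if (h[1] == RTCP_PT_XR) {
            size_t n = 0;
            enum rtcp_verdict v = validate_xr_blocks(h + 4, total_length - 4, &n);
            if (v != RTCP_OK) return v;
            xr_blocks += n;
        }
        off += total_length;
        packets++;
    }
    if (packets_out) *packets_out = packets;
    if (xr_blocks_out) *xr_blocks_out = xr_blocks;
    return RTCP_OK;
}

/* Counting wrappers; (size_t)-1 means the datagram was rejected. */
size_t rtcp_packet_count(const uint8_t *buf, size_t len)
{ size_t p = 0; return validate_rtcp_compound(buf, len, &p, NULL) == RTCP_OK ? p : (size_t)-1; }
size_t rtcp_xr_block_count(const uint8_t *buf, size_t len)
{ size_t b = 0; return validate_rtcp_compound(buf, len, NULL, &b) == RTCP_OK ? b : (size_t)-1; }

/* Constructed sample datagrams (not captured traffic). */
const uint8_t SAMPLE_OK_XR[20] = {
    0x80, RTCP_PT_XR, 0x00, 0x04,   /* V=2, PT=207, length=4 words -> 20 bytes          */
    0x11, 0x22, 0x33, 0x44,         /* SSRC                                            */
    0x04, 0x00, 0x00, 0x02,         /* BT=4 (receiver reference time), block_length=2  */
    0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04   /* 8-byte NTP timestamp           */
};
/* Same packet, but block_length claims 0x7FFF words: must be rejected, never trusted. */
const uint8_t SAMPLE_BAD_BLOCK_LEN[20] = {
    0x80, RTCP_PT_XR, 0x00, 0x04, 0x11, 0x22, 0x33, 0x44,
    0x04, 0x00, 0x7F, 0xFF, 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04
};
/* Header length field says 256 words (1024 bytes) but only 20 bytes arrived. */
const uint8_t SAMPLE_BAD_PKT_LEN[20] = {
    0x80, RTCP_PT_XR, 0x00, 0xFF, 0x11, 0x22, 0x33, 0x44,
    0x04, 0x00, 0x00, 0x02, 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04
};
/* Compound datagram: empty RR (8 bytes) followed by the valid XR above. */
const uint8_t SAMPLE_COMPOUND[28] = {
    0x80, RTCP_PT_RR, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44,
    0x80, RTCP_PT_XR, 0x00, 0x04, 0x11, 0x22, 0x33, 0x44,
    0x04, 0x00, 0x00, 0x02, 0xDE, 0xAD, 0xBE, 0xEF, 0x01, 0x02, 0x03, 0x04
};

static const char *verdict_name(enum rtcp_verdict v)
{
    static const char *names[] = { "OK", "TRUNCATED_HEADER", "BAD_VERSION",
        "LENGTH_EXCEEDS_BUFFER", "XR_TRUNCATED_SSRC", "XR_BLOCK_EXCEEDS_PACKET" };
    return names[v];
}

int main(void)
{
    size_t p = 0, b = 0;
    enum rtcp_verdict v = validate_rtcp_compound(SAMPLE_OK_XR, sizeof SAMPLE_OK_XR, &p, &b);
    printf("valid XR:         %s (packets=%zu, xr_blocks=%zu)\n", verdict_name(v), p, b);
    v = validate_rtcp_compound(SAMPLE_COMPOUND, sizeof SAMPLE_COMPOUND, &p, &b);
    printf("compound RR+XR:   %s (packets=%zu, xr_blocks=%zu)\n", verdict_name(v), p, b);
    v = validate_rtcp_compound(SAMPLE_BAD_BLOCK_LEN, sizeof SAMPLE_BAD_BLOCK_LEN, NULL, NULL);
    printf("bad block_length: %s\n", verdict_name(v));
    v = validate_rtcp_compound(SAMPLE_BAD_PKT_LEN, sizeof SAMPLE_BAD_PKT_LEN, NULL, NULL);
    printf("bad total_length: %s\n", verdict_name(v));
    return 0;
}
```

Compiled stand-alone, main() prints a verdict for each sample. In a media engine the same walk would run before any report block is copied or dereferenced, and a non-OK verdict is the kind of event worth logging, since it is exactly the “unusual XR block types and lengths” indicator listed under Forensics Indicators.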
Net Result
– Fully blocked the RTCP overflow path
– Rendered Pegasus’s existing payload delivery channel ineffective
– Led NSO to shift to other attack chains (like the “Heaven” WhatsApp impersonation method)

Notable Tools Used by NSO Group
Tool          Purpose
WIS           WhatsApp impersonator client (Heaven)
Q&Q Toolset   RTCP generator and packet modifier
Pegasus       Final payload with device takeover
TraceStitch   Heap layout prediction & ROP generator

Forensics Indicators
– Malformed RTCP packets seen in logs: unusual XR block types and lengths.
– WhatsApp crash logs showing an access violation in the libwhatsapp.so VoIP thread.
– Outbound connections to AWS/Vultr endpoints post-exploitation.