29 October 2019

Bluekeep, WhatsApp and the spate of RCE Exploits

2019 has seen a surge in software vulnerability issues, most noticeably coming from Windows and Whatsapp. One of our Technical Consultants, Matthew Twells, shares insight on the Bluekeep vulnerability, the software issues in WhatsApp and the spate of RCE (Remote Code Execution/Remote Command Execution) exploits.

Usually the process goes like this…

You’re a bug hunter or a security researcher and you’ve picked your target. You spend a few weeks or even months combing through code and tampering with every input field you can find, looking for a way in. Or better yet, a way to re-purpose your target to do something it shouldn’t.

Sometimes, you can’t find anything worth writing home about, and you move on. But let’s say you do find something – something that lets you either break right through into the inner workings of a program or even control it yourself remotely.

What you’ve got there is called a Remote Code Execution or Remote Command Execution (RCE) vulnerability, the jackpot prize of any bug bounty hunter. What you do with that next depends entirely what side of the law you want to stay on.

A long-standing tradition of responsible disclosure to the vendor, waiting for a response and hopefully a monetary reward of some description is usually what happens next. It’s the entire business model of companies like HackerOne and BugCrowd – outsourcing security research and code review to the masses.

Once the vendor has had chance to make their fixes and (hopefully) pay out the reward, usually that vulnerability gets given a CVE (Common Vulnerabilities and Exposures) number and is officially added to security databases worldwide.

You get to put a CVE discovery to your name, have some money in the bank (or sometimes just a t-shirt, depending on how cheap your target company is) and you’ve made the internet a safer place – warm fuzzy feelings all round!

Or, you don’t tell anyone. You either use the vulnerability you’ve discovered against the target company or sell the exploit code on the Dark Web (RCE vulnerabilities are worth five figures or more depending on the target). You generally clean out your target’s private and customer data and re-purpose that information to repeat the process on bigger and better prey until you get caught and go to prison. (Note: We obviously do not recommend or condone this)

This might all sound very far away, and not at all connected to your day to day life – but trust us when we say that it very much is. 2019 has been a bumper year for this sort of activity, and that’s only counting those that decided to go the responsible, legal route afterwards!

The software affects millions of internet and technology users and we virtually guarantee you’re using at least one of the applications that have been breached this year. Let’s start with Windows.

Bluekeep (2019-0708) is the common name for a critical RCE vulnerability in a protocol every single Windows computer has called Remote Desktop Protocol (RDP). Usually this is used by technical support professionals or your IT manager to save time or enact more technical fixes that are hard to explain over the phone. It’s part of the suite of protocols that the Windows operating system supports and is definitely at the least on your Windows PC, if you have one.

Bluekeep lets a remote user (could be the other side of the world) connect to your computer via RDP and make specially crafted requests to your computer. Your computer interprets these requests as legitimate and the attacker gets to execute whatever they like on your computer. This means everything you have on that affected computer is up for grabs – documents, pictures, details, saved passwords – all of it can be viewed, changed or stolen.

Not convinced yet? How about WhatsApp?


2019 has not been a great year for the “privacy-focused” messenger application – with not one, but two major vulnerabilities found in its code.

The first was an attack (CVE-2019-3568) that could remotely install surveillance software on smartphones, simply by calling the victim’s phone. The WhatsApp call doesn’t have to be answered and the attack will erase the call logs, so you won’t be able to trace the attacker back. This worked by exploiting a bug in the part of the application that dealt with translating your voice into data to send rigged requests to the target phone, and abusing how WhatsApp responds to them to install software that can monitor your calls and execute commands on your phone without your knowledge.

This means phone-tapping, message stealing and password theft all become possibilities once remote code execution has been established.

The second is an attack that resulted in the victim’s phone being compromised by just sending a corrupted GIF to the victim, and then waiting for them to open up their gallery.

The internet’s favourite method of responding sarcastically to Facebook comments, ironically re-purposed to attack an app owned by Facebook. A Singaporean security researcher calling himself Awakened, discovered this bug and released a now-infamous video showing him demonstrating this attack on a phone using WhatsApp, controlling the phone via his laptop and hopefully scaring most of the people watching to immediately update their phones.

If you want to see the video, you can watch it here.

Exim, a business email application with millions of users experienced a similar RCE vulnerability discovered in the last few months, and the list truly does go on, and on, and on… And that’s just in 2019!

There are thousands of people whose livelihood depends on cracking into the software you use every day, not all of them are on the right side of the law. Patch your systems and update your phones. Make a hacker’s life more difficult by making your network and personal life a little more secure.