Hi, I think this duplicate ticket is important. I write this proof of concept privately because I think it's serious, and I hope someone fixes the issue.
The victim has an Android phone with WhatsApp and Firefox installed. Firefox is the victim's default browser. To see a file received on WhatsApp you have to download it and save it to your storage. On Android, WhatsApp saves all data under the path /sdcard/WhatsApp/Media, which has different subdirectories. For example, documents received via WhatsApp are saved in /sdcard/WhatsApp/Media/WhatsApp Documents/, and sent documents are saved in /sdcard/WhatsApp/Media/WhatsApp Documents/Sent/. Now, received documents are saved with their original name, so if a contact sends you a file called document.pdf you will find it at /sdcard/WhatsApp/Media/WhatsApp Documents/document.pdf. Sent documents, instead, are stored in the subdirectory Sent under another name, and WhatsApp chooses this name by following a simple schema: DOC-YYYYMMDD-WAXXXX.ext, where YYYYMMDD is the date you sent the document, XXXX is an ordered number (such as 0000, 0001, 0002, etc.) and ext is the file's extension, which WhatsApp does not usually change. So it is a neat environment.
Proof of Concept
- The attacker creates a server, where the victim's data will be sent. On this server they put the two files base64.php and image.txt
- The attacker sends to the victim the malicious HTM file PoCfinale.htm via WhatsApp
- The victim opens it with Firefox, and Firefox runs the code
- PoCfinale.htm steals the data in the subdirectory /Sent/ by converting them to base64
- The data are sent to the attacker's server as base64 strings and stored in image.txt
- The attacker uses PoC.py to convert the data stored in image.txt into PDF
- PoC.zip, which contains these files: PoC.py, to convert the data stored in image.txt into PDF; image.txt; base64.php; test1.pdf; and PoCfinale.htm, the malicious payload. In PoCfinale.htm there are four variables: yyyy, mm, dd and h. So if you want to steal the victim's first five sent documents from the date 2019/06/29 (YYYY/MM/DD), you have to set these variables in the HTM file: yyyy = '2019', mm = '06', dd = '30' (your day +1) and h = 4.
- A video proof-of-concept
How to reproduce
- Put base64.php and image.txt on your server
- With the victim's phone, send the file test1.pdf to someone (I suggest sending it as the first document of the day, so that the name will contain WA0000 and you can set the parameter h to 1)
- With the attacker's phone, send PoCfinale.htm to the victim, and open it using Firefox on the victim's phone
- Use PoC.py to decode the file image.txt
I hope I have been clear. I think it is a serious problem; in my example there is WhatsApp, but it can probably be reproduced with other apps that store data in a similar way. I have not tested this bug with an SVG file, but I think it can work. Ticket 803143 is very old, and I think someone may have used this bug in the past, so I think it would be useful to say not to open HTM files received via WhatsApp with Firefox.
Sorry for my English.