CVE-2019-18800

Viber through 11.7.0.5 allows a remote attacker who can capture a victim's internet traffic to steal their Viber account, because not all Viber protocol traffic is encrypted. TCP data packet 9 on port 4244 from the victim's device contains cleartext information such as the device model and OS version, IMSI, and 20 bytes of udid in a binary format, which is located at offset 0x14 of this packet. Then, the attacker installs Viber on his device, initiates the registration process for any phone number, but doesn't enter a pin from SMS. Instead, he closes Viber. Next, the attacker rewrites his udid with the victim's udid, modifying the viber_udid file, which is located in the Viber preferences folder. (The udid is stored in a hexadecimal format.) Finally, the attacker starts Viber again and enters the pin from SMS.

CVSS v3 8.8 HIGH
CVSS v2.0 4.3 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://thesamarkand.tumblr.com/post/188785277609/viber-messenger-remote-account-reset-0day	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:rakuten:viber:*:*:*:*:*:android:*:*

History

No history.

Information

Published : 2019-11-06 16:15

Updated : 2023-12-10 13:13

NVD link : CVE-2019-18800

Mitre link : CVE-2019-18800

CVE.ORG link : CVE-2019-18800

JSON object : View

Products Affected

rakuten

viber

CWE

CWE-311

Missing Encryption of Sensitive Data

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2019-18800", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-11-06T16:15:10.993", "references": [{"url": "https://thesamarkand.tumblr.com/post/188785277609/viber-messenger-remote-account-reset-0day", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-311"}, {"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "Viber through 11.7.0.5 allows a remote attacker who can capture a victim's internet traffic to steal their Viber account, because not all Viber protocol traffic is encrypted. TCP data packet 9 on port 4244 from the victim's device contains cleartext information such as the device model and OS version, IMSI, and 20 bytes of udid in a binary format, which is located at offset 0x14 of this packet. Then, the attacker installs Viber on his device, initiates the registration process for any phone number, but doesn't enter a pin from SMS. Instead, he closes Viber. Next, the attacker rewrites his udid with the victim's udid, modifying the viber_udid file, which is located in the Viber preferences folder. (The udid is stored in a hexadecimal format.) Finally, the attacker starts Viber again and enters the pin from SMS."}, {"lang": "es", "value": "Viber hasta la versi\u00f3n 11.7.0.5 permite a un atacante remoto que puede capturar el tr\u00e1fico de Internet de una v\u00edctima robar su cuenta de Viber, porque no todo el tr\u00e1fico del protocolo de Viber est\u00e1 encriptado. El paquete de datos TCP 9 en el puerto 4244 del dispositivo de la v\u00edctima contiene informaci\u00f3n de texto claro, como el modelo del dispositivo y la versi\u00f3n del sistema operativo, IMSI, y 20 bytes de udid en formato binario, que se encuentra en el desplazamiento 0x14 de este paquete. Luego, el atacante instala Viber en su dispositivo, inicia el proceso de registro para cualquier n\u00famero de tel\u00e9fono, pero no ingresa un pin de SMS. En cambio, cierra Viber. Luego, el atacante reescribe su udid con el udid de la v\u00edctima, modificando el archivo viber_udid, que se encuentra en la carpeta de preferencias de Viber. (El udid se almacena en un formato hexadecimal). Finalmente, el atacante inicia Viber nuevamente e ingresa el pin desde SMS."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rakuten:viber:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "3EA36533-3061-435D-B434-24A56B1833C8", "versionEndIncluding": "11.7.0.5"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}