Tencent WeChat Custom Browser Vulnerability Enables Remote Code Execution

Two-sentence summary: A type confusion vulnerability in WeChat’s custom WebView (CVE-2023-3420) could allow remote code execution when a user clicks a malicious link. Cisco Talos found that while the V8 engine patch was delivered in June 2023, the WeChat WebView component was not updated, leaving versions up to 8.0.42 at risk; users should update and verify link sources. #CVE-2023-3420 #WeChat #Tencent #CiscoTalos #XWalk #V8

Keypoints

  • CVE-2023-3420 is a type confusion vulnerability in WeChat’s custom WebView component.
  • The V8 engine patch was disclosed and patched in June 2023, but the WeChat WebView component was not updated.
  • Talos confirms the issue affects WeChat versions up to 8.0.42.
  • The exploit is triggered when a user clicks a malicious link in WeChat, loading a webpage inside XWalk.
  • Threat actors can gain control of the victim’s device and execute arbitrary code.
  • CVSSv3 score is 8.8, indicating high severity.
  • Recommendations: update WeChat to the latest version and verify link sources before clicking; avoid untrusted links.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – The exploit is triggered when a user clicks a malicious link in WeChat. “The exploit, which we have seen in the wild, is triggered when the victim clicks a URL in a malicious WeChat message.”
  • [T1203.001] Remote Code Execution – The exploit allows the threat actor to gain control of the victim’s device and execute arbitrary code. “The exploit allows the threat actor to gain control of the victim’s device and execute arbitrary code.”

Indicators of Compromise

  • [File Path] WeChat custom WebView binaries – /data/data/com.tencent.mm/app_xwalk_4433/apk/base.apk and /data/data/com.tencent.mm/app_xwalk_4433/extracted_xwalkcore/libxwebcore.so
  • [Version] Affected WeChat version – 8.0.42
  • [User Agent] Example user agent string observed in requests – Mozilla/5.0 (Linux; Android 14; Pixel 6 Build/UQ1A.240105.002; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.99 XWEB/4433 MMWEBSDK/20230805 Mobile Safari/537.36 MMWEBID/2247 MicroMessenger/8.0.42.2428(0x28002A48) WeChat/arm64 Weixin GPVersion/1 NetType/4G Language/en ABI/arm64
  • [URL] References discussing the vulnerability – https://github.com/github/securitylab/tree/main/SecurityExploits/Chrome/v8/CVE_2023_3420 and https://blog.talosintelligence.com/vulnerability-in-tencent-wechat-custom-browser-could-lead-to-remote-code-execution/
  • [CVE] CVE-2023-3420
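Defenders who proxy or log outbound web traffic can use the user-agent string above to triage which WeChat clients on their network still run the affected WebView build. The following is an added example (not code from Talos or Tencent): it parses the `MicroMessenger/` version and `XWEB/` build out of combined-format access-log lines and flags clients whose WeChat version is at or below 8.0.42, the ceiling the advisory names. The log lines are constructed for this example; the first carries the user agent quoted in the IoC list, the second is a hypothetical newer build, and the third is a non-WeChat client. Note that a user agent is client-supplied, so this is a triage signal for follow-up (patch status, link-click telemetry), not proof of exploitation.

```python
import re

# Constructed sample access-log lines (combined log format); not from the advisory.
# Line 1 carries the user agent quoted in the IoC list; line 2 is a hypothetical
# newer build; line 3 is a plain Chrome client and should be ignored.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [12/Jan/2024:10:01:02 +0000] "GET /landing HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 14; Pixel 6 Build/UQ1A.240105.002; wv) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.99 XWEB/4433 MMWEBSDK/20230805 '
    'Mobile Safari/537.36 MMWEBID/2247 MicroMessenger/8.0.42.2428(0x28002A48) WeChat/arm64 '
    'Weixin GPVersion/1 NetType/4G Language/en ABI/arm64"',
    '10.0.0.6 - - [12/Jan/2024:10:02:15 +0000] "GET /landing HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 14; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 '
    'Chrome/86.0.4240.99 XWEB/4500 MMWEBSDK/20231201 Mobile Safari/537.36 '
    'MicroMessenger/8.0.45.1234(0x28002D00) WeChat/arm64"',
    '10.0.0.7 - - [12/Jan/2024:10:03:40 +0000] "GET /landing HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/120.0.0.0 Mobile Safari/537.36"',
]

# The advisory states WeChat versions up to 8.0.42 are affected; anything at or
# below this tuple is flagged. Later versions are assumed to carry the fix.
AFFECTED_MAX_WECHAT = (8, 0, 42)

# The user agent is the last double-quoted field in a combined-format log line.
UA_FIELD_RE = re.compile(r'"([^"]*MicroMessenger/[^"]*)"\s*$')
MM_VERSION_RE = re.compile(r"MicroMessenger/(\d+)\.(\d+)\.(\d+)")
XWEB_BUILD_RE = re.compile(r"XWEB/(\d+)")
CHROME_MAJOR_RE = re.compile(r"Chrome/(\d+)")


def parse_wechat_ua(line):
    """Extract WeChat/XWEB/Chrome version facts from one log line.

    Returns None when the line does not carry a WeChat (MicroMessenger) user agent.
    """
    field = UA_FIELD_RE.search(line)
    if field is None:
        return None
    ua = field.group(1)
    mm = MM_VERSION_RE.search(ua)
    if mm is None:
        return None
    xweb = XWEB_BUILD_RE.search(ua)
    chrome = CHROME_MAJOR_RE.search(ua)
    return {
        "client_ip": line.split(" ", 1)[0],
        "wechat": tuple(int(p) for p in mm.groups()),
        "xweb_build": int(xweb.group(1)) if xweb else None,
        "chrome_major": int(chrome.group(1)) if chrome else None,
    }


def is_affected(info):
    """True when the parsed WeChat version is within the advisory's affected range."""
    return info["wechat"] <= AFFECTED_MAX_WECHAT


def triage_log(lines):
    """Return one record per WeChat client seen, with an 'affected' flag for follow-up."""
    results = []
    for line in lines:
        info = parse_wechat_ua(line)
        if info is None:
            continue  # not a WeChat WebView request
        info["affected"] = is_affected(info)
        results.append(info)
    return results


if __name__ == "__main__":
    for rec in triage_log(SAMPLE_LOG_LINES):
        ver = ".".join(str(p) for p in rec["wechat"])
        status = "AFFECTED (<= 8.0.42)" if rec["affected"] else "not in affected range"
        print(f'{rec["client_ip"]}: WeChat {ver}, XWEB/{rec["xweb_build"]}, '
              f'Chrome {rec["chrome_major"]}: {status}')
```

The version comparison uses the three leading components only, since the advisory gives the affected ceiling as 8.0.42; the fourth component and the hex suffix are ignored. The `XWEB/` build and `Chrome/` major are carried along because they identify the embedded engine itself, which is the component that went unpatched.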

Read more: https://blog.talosintelligence.com/vulnerability-in-tencent-wechat-custom-browser-could-lead-to-remote-code-execution/