Issue metadata

Status: Fixed
Closed: Dec 2017

Telegram Messenger for Android: Directory Traversal in Downloading Documents

Reported by natashenka@google.com (Project Member), Dec 8 2017

Issue description

There is a directory traversal issue in the Telegram client for Android. The method saveFile in MediaController.java saves a file to external memory based on an optional name that is not filtered. The name is provided by the remote peer when sending a document or music file.

To reproduce this issue, install the attached patched version of Telegram, and send the attached document to a peer. Then open the document on the peer, and save it by selecting "Save to downloads". Close and reopen Telegram, and it will crash on startup.

In the PoC, the bug is replacing the file tgnet.dat on the filesystem (the bug does not allow files to be overwritten, but this file is always restored from tgnet.dat.bak when read). There are a few info leak bugs in the parsing of this file (in particular, readInt64 in NativeByteBuffer.cpp checks that the buffer has four bytes left, but increments 8 bytes, and readBytes has an integer overflow in the length check), including for values that get sent to the server. In addition, replacing this file allows the IP addresses, ports and many other properties of the datacenter used by the application to be altered, opening up a greater attack surface.
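As an added example (not the page's or Telegram's code; class and method names are assumed), a bounds-checked reader that makes the two checks described above consistent: a 64-bit read requires 8 bytes before advancing by 8, and the byte-string length is compared against the bytes remaining rather than added to the cursor, so an oversized length cannot pass the check by overflow.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <utility>
#include <vector>

// Bounds-checked reader written for this example (names assumed; this is not
// Telegram's NativeByteBuffer). Each fixed-width read checks for exactly the
// bytes it consumes, and the byte-string length check cannot overflow.
class SafeByteBuffer {
public:
    explicit SafeByteBuffer(std::vector<uint8_t> data) : buf_(std::move(data)) {}
    size_t remaining() const { return buf_.size() - pos_; }
    // A 64-bit read must require 8 bytes left, not 4, before advancing by 8.
    int64_t readInt64() { return read<int64_t>(); }
    uint32_t readUint32() { return read<uint32_t>(); }

    // Length-prefixed byte string. Comparing len against remaining() cannot
    // overflow, whereas pos_ + len can wrap for a huge len and pass a naive check.
    std::vector<uint8_t> readBytes() {
        uint32_t len = readUint32();
        if (len > remaining()) throw std::out_of_range("readBytes: length exceeds buffer");
        std::vector<uint8_t> out(buf_.begin() + pos_, buf_.begin() + pos_ + len);
        pos_ += len;
        return out;
    }

private:
    template <typename T> T read() {
        if (remaining() < sizeof(T)) throw std::out_of_range("read: short buffer");
        T v;
        std::memcpy(&v, buf_.data() + pos_, sizeof(T));  // host byte order assumed
        pos_ += sizeof(T);
        return v;
    }
    std::vector<uint8_t> buf_;
    size_t pos_ = 0;
};
// Parse a constructed record (int64, then length-prefixed bytes); truncated or
// oversized-length input yields false instead of an out-of-bounds read.
bool parsesCleanly(const std::vector<uint8_t>& data) {
    try {
        SafeByteBuffer b(data);
        b.readInt64();
        b.readBytes();
        return b.remaining() == 0;
    } catch (const std::out_of_range&) {
        return false;
    }
}
```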

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

 
traverse.apk
14.2 MB Download
tgnet.dat.bak
2.0 KB Download
Comment 1 by natashenka@google.com (Project Member), Dec 15 2017

Labels: -Restrict-View-Commit
Status: Fixed (was: New)
Telegram pushed a fix for this the day it was reported, and I've verified the fix.
