There is a directory traversal issue in the Telegram client for Android. The method saveFile in MediaController.java saves a file to external storage under an optional name that is not filtered. The name is provided by the remote peer when sending a document or music file.
To reproduce this issue, install the attached patched version of Telegram, and send the attached document to a peer. Then open the document on the peer, and save it by selecting "Save to downloads". Close and reopen Telegram, and it will crash on startup.
In the PoC, the bug is used to replace the file tgnet.dat on the filesystem (the bug does not allow existing files to be overwritten, but tgnet.dat is always restored from tgnet.dat.bak when it is read). There are a few info leak bugs in the parsing of this file, including for values that get sent to the server: in particular, readInt64 in NativeByteBuffer.cpp checks that the buffer has four bytes left but advances the position by 8, and readBytes has an integer overflow in its length check. In addition, replacing this file allows the IP addresses, ports and many other properties of the datacenter used by the application to be altered, opening up a greater attack surface.
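The two parser defects above, shown side by side with the corrected bounds checks. This is an added example and not Telegram's code: the reader type, its field names and the check helpers are assumptions constructed to illustrate the pattern.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Minimal stand-in for a NativeByteBuffer-style reader (constructed for this
// example; names are assumptions, not Telegram's).
struct ByteReader {
    const uint8_t* data;
    size_t limit;    // total bytes available
    size_t pos = 0;  // read cursor

    size_t remaining() const { return limit - pos; }

    // Weak check pattern described in the report: it looks for 4 bytes but
    // the read consumes 8, so a buffer with 4..7 bytes left passes the check.
    bool weakInt64Check() const { return remaining() >= 4; }

    // Corrected read: require the full 8 bytes before touching the buffer.
    std::optional<int64_t> readInt64() {
        if (remaining() < sizeof(int64_t)) return std::nullopt;
        int64_t v;
        std::memcpy(&v, data + pos, sizeof v);  // host byte order
        pos += sizeof v;
        return v;
    }

    // Weak length check pattern: pos + len wraps around for a huge len and
    // then compares as small, so the bound is bypassed.
    bool weakBytesCheck(size_t len) const { return pos + len <= limit; }

    // Corrected read: compare len against the remaining count, which cannot
    // overflow, before copying.
    std::optional<std::vector<uint8_t>> readBytes(size_t len) {
        if (len > remaining()) return std::nullopt;
        std::vector<uint8_t> out(data + pos, data + pos + len);
        pos += len;
        return out;
    }
};

// Does the weak int64 check accept a buffer with only `left` bytes remaining?
bool weakCheckAcceptsShortInt64(size_t left) {
    std::vector<uint8_t> buf(left, 0);
    ByteReader r{buf.data(), buf.size()};
    return r.weakInt64Check();
}
```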
This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.