HomeVulnerabilityTelegram fixes Home windows app zero-day used to launch Python scripts

Telegram fixes Home windows app zero-day used to launch Python scripts

Telegram mounted a zero-day vulnerability in its Home windows desktop utility that might be used to bypass security warnings and robotically launch Python scripts.

Over the previous few days, rumors have been circulating on X and hacking boards about an alleged distant code execution vulnerability in Telegram for Home windows.

Whereas a few of these posts claimed it was a zero-click flaw, the movies demonstrating the alleged security warning bypass and RCE vulnerability clearly present somebody clicking on shared media to launch the Home windows calculator.

Telegram shortly disputed these claims, stating that they “cannot affirm that such a vulnerability exists” and that the video is probably going a hoax.

Tweet from Telegram

Nevertheless, the subsequent day, a proof of idea exploit was shared on the XSS hacking discussion board explaining {that a} typo within the supply code for Telegram for Home windows might be exploited to ship Python .pyzw information that bypass security warnings when clicked.

This triggered the file to robotically be executed by Python with out a warning from Telegram prefer it does for different executables, and was alleged to do for this file if it wasn’t for a typo.

To make issues worse, the proof of idea exploit disguised the Python file as a shared video, together with a thumbnail, that might be used to trick customers into clicking on the pretend video to observe it.

In a press release to BleepingComputer, Telegram rightfully disputes that the bug was a zero-click flaw however confirmed they mounted the “challenge” in Telegram for Home windows to stop Python scripts from robotically launching when clicked. This was a server-side repair, which we clarify within the subsequent part

See also  CISA and FBI Increase Alerts on Exploited Flaws and Increasing HiatusRAT Marketing campaign

“Rumors concerning the existence of zero-click vulnerabilities in Telegram Desktop are inaccurate. Some “specialists” really helpful to “disable automated downloads” on Telegram — there have been no points which may have been triggered by automated downloads.

Nevertheless, on Telegram Desktop, there was a problem that required the consumer to CLICK on a malicious file whereas having the Python interpreter put in on their pc. Opposite to earlier studies, this was not a zero-click vulnerability and it may have an effect on solely a tiny fraction of our consumer base: lower than 0.01% of our customers have Python put in and use the related model of Telegram for Desktop. 

A server-side repair has been utilized to make sure that even this challenge now not reproduces, so all variations of Telegram Desktop (together with all older ones) now not have this challenge.”

❖ Telegram

BleepingComputer requested Telegram how they know what software program is put in on consumer’s Home windows gadgets, as such a information will not be talked about of their Privateness Coverage.

The Telegram vulnerability

The Telegram Desktop consumer retains monitor of a record of file extensions related to dangerous information, akin to executable information. 

When somebody sends certainly one of these file sorts in Telegram, and a consumer clicks on the file, as an alternative of robotically launching within the related program in Home windows, Telegram first shows the next security warning.

See also  Microsoft Paid Out $63 Million Since Launch of First Bug Bounty Program 10 Years In the past

“This file has the extension .exe. It could hurt your pc. Are you certain you need to run it?,” reads the Telegram warning.

Security warning when opening risk executables
Safety warning when opening threat executables
Supply: BleepingComputer

Nevertheless, unknown file sorts shared in Telegram will robotically be launched in Home windows, letting the working system resolve what program to make use of.

When Python for Home windows is put in, it is going to affiliate the .pyzw file extension with the Python executable, inflicting Python to execute the scripts robotically when the file is double-clicked.

The .pyzw extension is for Python zipapps, that are self-contained Python packages contained inside ZIP archives.

The Telegram builders had been conscious that a lot of these executables needs to be thought-about dangerous and added it to the record of executable file extensions.

Sadly, after they added the extension, they made a typo, coming into the extension as ‘pywz‘ reasonably than the right spelling of ‘pyzw‘.

Fixing the spelling for the .pyzw Python extension
Fixing the spelling for the .pyzw Python extension
Supply: BleepingComputer.com

Due to this fact, when these information had been despatched over Telegram and clicked on, they had been robotically launched by Python if it was put in in Home windows.

This successfully permits attackers to bypass security warnings and remotely execute code on a goal’s Home windows gadget if they will trick them into opening the file.

To masquerade the file, researchers devised utilizing a Telegram bot to ship the file with a mime kind of ‘video/mp4,’ inflicting Telegram to show the file as a shared video.

See also  Google says a vital Chrome bug was exploited after a patch was launched

If a consumer clicks on the video to observe it, the script will robotically be launched via Python for Home windows.

BleepingComputer examined this exploit with cybersecurity researcher AabyssZG, who additionally shared demonstrations on X.

Utilizing an older model of Telegram, BleepingComputer obtained ‘video.pywz’ file from the researcher disguised as a mp4 video. This file merely comprises Python code to open a command immediate, as proven beneath.

video.pyzw proof-of-concept exploit
video.pyzw proof-of-concept exploit
Supply: BleepingComputer

Nevertheless, as you may see beneath, while you click on on the video to observe it, Python robotically executes the script, which opens the command immediate. Word that we redacted the video thumbnail because it’s barely NSFW.

Demonstration of Telegram bug to open a command prompt
Demonstration of Telegram bug to open a command immediate
Supply: BleepingComputer

The bug was reported to Telegram on April tenth, and so they mounted it by correcting the extension spelling within the ‘data_document_resolver.cpp’ supply code file.

Nevertheless, this repair doesn’t look like stay as of but, because the warnings don’t seem while you click on on the file to launch it.

As an alternative, Telegram utilized a server-side repair that appends the .untrusted extension to pyzq information, that when clicked, will trigger Home windows to ask what program you want to use to open it, reasonably than robotically launching in Python.

Telegram's server-side fix
Telegram’s server-side repair
Supply: BleepingComputer

Future variations of the Telegram Desktop app ought to embrace the security warning message reasonably than appending the “.untrusted” extension, including a bit extra security to the method.

- Advertisment -spot_img
RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -

Most Popular