Telegram mounted a zero-day vulnerability in its Home windows desktop utility that might be used to bypass security warnings and robotically launch Python scripts.
Over the previous few days, rumors have been circulating on X and hacking boards about an alleged distant code execution vulnerability in Telegram for Home windows.
Whereas a few of these posts claimed it was a zero-click flaw, the movies demonstrating the alleged security warning bypass and RCE vulnerability clearly present somebody clicking on shared media to launch the Home windows calculator.
Telegram shortly disputed these claims, stating that they “cannot affirm that such a vulnerability exists” and that the video is probably going a hoax.
Nevertheless, the subsequent day, a proof of idea exploit was shared on the XSS hacking discussion board explaining {that a} typo within the supply code for Telegram for Home windows might be exploited to ship Python .pyzw information that bypass security warnings when clicked.
This triggered the file to robotically be executed by Python with out a warning from Telegram prefer it does for different executables, and was alleged to do for this file if it wasn’t for a typo.
To make issues worse, the proof of idea exploit disguised the Python file as a shared video, together with a thumbnail, that might be used to trick customers into clicking on the pretend video to observe it.
In a press release to BleepingComputer, Telegram rightfully disputes that the bug was a zero-click flaw however confirmed they mounted the “challenge” in Telegram for Home windows to stop Python scripts from robotically launching when clicked. This was a server-side repair, which we clarify within the subsequent part
“Rumors concerning the existence of zero-click vulnerabilities in Telegram Desktop are inaccurate. Some “specialists” really helpful to “disable automated downloads” on Telegram — there have been no points which may have been triggered by automated downloads.
Nevertheless, on Telegram Desktop, there was a problem that required the consumer to CLICK on a malicious file whereas having the Python interpreter put in on their pc. Opposite to earlier studies, this was not a zero-click vulnerability and it may have an effect on solely a tiny fraction of our consumer base: lower than 0.01% of our customers have Python put in and use the related model of Telegram for Desktop.
A server-side repair has been utilized to make sure that even this challenge now not reproduces, so all variations of Telegram Desktop (together with all older ones) now not have this challenge.”
❖ Telegram
BleepingComputer requested Telegram how they know what software program is put in on consumer’s Home windows gadgets, as such a information will not be talked about of their Privateness Coverage.
The Telegram vulnerability
The Telegram Desktop consumer retains monitor of a record of file extensions related to dangerous information, akin to executable information.
When somebody sends certainly one of these file sorts in Telegram, and a consumer clicks on the file, as an alternative of robotically launching within the related program in Home windows, Telegram first shows the next security warning.
“This file has the extension .exe. It could hurt your pc. Are you certain you need to run it?,” reads the Telegram warning.
Supply: BleepingComputer
Nevertheless, unknown file sorts shared in Telegram will robotically be launched in Home windows, letting the working system resolve what program to make use of.
When Python for Home windows is put in, it is going to affiliate the .pyzw file extension with the Python executable, inflicting Python to execute the scripts robotically when the file is double-clicked.
The .pyzw extension is for Python zipapps, that are self-contained Python packages contained inside ZIP archives.
The Telegram builders had been conscious that a lot of these executables needs to be thought-about dangerous and added it to the record of executable file extensions.
Sadly, after they added the extension, they made a typo, coming into the extension as ‘pywz‘ reasonably than the right spelling of ‘pyzw‘.
Supply: BleepingComputer.com
Due to this fact, when these information had been despatched over Telegram and clicked on, they had been robotically launched by Python if it was put in in Home windows.
This successfully permits attackers to bypass security warnings and remotely execute code on a goal’s Home windows gadget if they will trick them into opening the file.
To masquerade the file, researchers devised utilizing a Telegram bot to ship the file with a mime kind of ‘video/mp4,’ inflicting Telegram to show the file as a shared video.
If a consumer clicks on the video to observe it, the script will robotically be launched via Python for Home windows.
BleepingComputer examined this exploit with cybersecurity researcher AabyssZG, who additionally shared demonstrations on X.
Utilizing an older model of Telegram, BleepingComputer obtained ‘video.pywz’ file from the researcher disguised as a mp4 video. This file merely comprises Python code to open a command immediate, as proven beneath.
Supply: BleepingComputer
Nevertheless, as you may see beneath, while you click on on the video to observe it, Python robotically executes the script, which opens the command immediate. Word that we redacted the video thumbnail because it’s barely NSFW.
Supply: BleepingComputer
The bug was reported to Telegram on April tenth, and so they mounted it by correcting the extension spelling within the ‘data_document_resolver.cpp’ supply code file.
Nevertheless, this repair doesn’t look like stay as of but, because the warnings don’t seem while you click on on the file to launch it.
As an alternative, Telegram utilized a server-side repair that appends the .untrusted extension to pyzq information, that when clicked, will trigger Home windows to ask what program you want to use to open it, reasonably than robotically launching in Python.
Supply: BleepingComputer
Future variations of the Telegram Desktop app ought to embrace the security warning message reasonably than appending the “.untrusted” extension, including a bit extra security to the method.
