Telegram Desktop 0-day (RCE)
Summary
A zero-day vulnerability was recently announced and fixed in Telegram Desktop (<= 4.16.5) that could lead to remote code execution (RCE) without any user click.
The vulnerability was triggered by an attacker sharing a manipulated media (video) file with another user, who then read the chat in which it was sent.
Telegram has stated that the claim of a zero-click vulnerability is incorrect, adding that in the current application the issue has some prerequisites.

However, when the payload was shared in a chat as a fake video whose thumbnail contained a Python script, the issue occurred simply by reading the content of the chat.
Telegram Desktop has released and implemented a fix to prevent Python scripts from running automatically, and this issue should no longer be reproducible.
You can continue reading about how this vulnerability came to be and the results of the proof-of-concept exploit below.
Root Cause
The root cause was a typo in the list of supported extensions: the Python extension was entered as pywz instead of pyzw.
**[Figure 1] Incorrect extension (pywz)** (screenshot)
The *.pyzw extension is the one intended for Python zip applications, and it was mistyped here as *.pywz. For the fix of the wrong extension, see the following link.
Proof of Concept
**[Figure 2] Proof of Concept** (screenshot)
```python
# The PoC file is a polyglot: the first line is a valid Python assignment,
# but the file therefore starts with the bytes "GIF89A", so it passes as an
# image thumbnail while still being executable Python.
GIF89A = "aaaa"
import os
# Proof of execution: launch the calculator on the receiving machine.
os.system('calc')
```
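Two defensive checks follow from the root cause and the PoC above: an attachment whose extension launches Python should never be treated as media, and a file claiming to be a GIF should actually carry a GIF header rather than a Python assignment that merely starts with the letters "GIF89A". This is an added example written for this write-up, not code from the original post or from Telegram; the extension set and the Python-source heuristic are assumptions, and the sample inputs are constructed.

```python
import re
import struct

# Assumed set of extensions that launch Python code when opened on Windows.
# ".pyzw" is the real Python zipapp extension; the write-up's bug was that the
# media allow-list contained the misspelling "pywz" instead of "pyzw".
PYTHON_EXECUTABLE_EXTS = {"py", "pyw", "pyz", "pyzw", "pyc"}

# Loose hint that a text body is Python source (import lines or assignments).
PY_HINT = re.compile(rb"^\s*(import\s+\w+|from\s+\w+\s+import\s|\w+\s*=\s*\S)", re.M)

def extension_of(name: str) -> str:
    """Lower-cased final extension, or '' when the name has none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def looks_like_real_gif(data: bytes) -> bool:
    """True only for a genuine GIF header: exact lowercase signature plus a
    non-zero logical screen size. The PoC's 'GIF89A = ...' fails this."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    width, height = struct.unpack("<HH", data[6:10])
    return width > 0 and height > 0

def looks_like_python_source(data: bytes) -> bool:
    """True when the leading bytes decode as text and contain Python-shaped lines."""
    head = data[:4096]
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return PY_HINT.search(head) is not None

def classify(name: str, data: bytes) -> list:
    """Return the reasons an attachment should not be treated as plain media."""
    findings = []
    if extension_of(name) in PYTHON_EXECUTABLE_EXTS:
        findings.append("python-extension")
    if data[:3].upper() == b"GIF" and not looks_like_real_gif(data):
        findings.append("fake-gif-header")
    if looks_like_python_source(data):
        findings.append("python-source-body")
    return findings

# Constructed samples: a PoC-shaped polyglot and a minimal genuine 1x1 GIF.
POLYGLOT = b'GIF89A = "aaaa"\nimport os\nos.system("calc")\n'
REAL_GIF = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b";"
```

Running `classify("video.pyzw", POLYGLOT)` yields all three findings, while the genuine GIF named `pic.gif` yields none, so either check alone would have stopped the file from being handled as a thumbnail.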