Telegram rlottie 7.0.1_2065 is affected by a stack-based buffer overflow in the gray_split_cubic function: a remote attacker might be able to overwrite Telegram’s stack memory out-of-bounds on a victim device. Note: we’ll walk through the Android app sources, but the issue applies to the iOS and macOS Telegram apps too.
“Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed.” For more information visit https://telegram.org/.
Telegram uses a custom fork of rlottie to render animated stickers. Through a Transform property it’s possible to overwrite adjacent stack memory. `bez_stack` has a hardcoded size (see https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/vector/freetype/v_ft_raster.cpp#L777).
Even though `bez_stack` has a static size, the index into it is not verified before it is accessed in the loop starting at https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/vector/freetype/v_ft_raster.cpp#L805.
The first actual out-of-bounds write happens in https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/vector/freetype/v_ft_raster.cpp#L747, where `base` is the `arc` pointer from the previous code snippets.
By using specific values in the Transform property, it is possible to write stack memory outside of `bez_stack`’s boundaries.
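As an added illustration of the bug class (constructed for this advisory, not rlottie’s or FreeType’s code), a cubic-subdivision loop using the same fixed-size `bez_stack`, push-3/pop-3 layout, together with the bounds check that the vulnerable loop lacks; the stack size, the simplified flatness test and the function names are assumptions.

```c
#include <stdlib.h>
/* Constructed model of the bug class (NOT rlottie's or FreeType's code): a cubic is
 * flattened with an explicit stack of control points, and the hardened loop checks
 * the stack top before every split instead of assuming subdivision always stops. */
typedef struct { long x, y; } Vec;
#define MAX_SPLITS     16                    /* hypothetical nesting depth */
#define BEZ_STACK_SIZE (MAX_SPLITS * 3 + 1)  /* fixed size, as in the advisory */

/* De Casteljau split of arc[0..3] in place into arc[0..3] and arc[3..6]: arc[0] is
 * the end point, arc[3] the start point; arc[3] becomes the shared midpoint. */
static void split_cubic(Vec *arc)
{
    Vec p01  = { (arc[0].x + arc[1].x) / 2, (arc[0].y + arc[1].y) / 2 };
    Vec p12  = { (arc[1].x + arc[2].x) / 2, (arc[1].y + arc[2].y) / 2 };
    Vec p23  = { (arc[2].x + arc[3].x) / 2, (arc[2].y + arc[3].y) / 2 };
    Vec p012 = { (p01.x + p12.x) / 2, (p01.y + p12.y) / 2 };
    Vec p123 = { (p12.x + p23.x) / 2, (p12.y + p23.y) / 2 };
    Vec mid  = { (p012.x + p123.x) / 2, (p012.y + p123.y) / 2 };
    arc[6] = arc[3]; arc[5] = p23;  arc[4] = p123;
    arc[3] = mid;    arc[2] = p012; arc[1] = p01;
}

/* Simplified flatness test: both control legs are no longer than tol. */
static int flat_enough(const Vec *arc, long tol)
{
    return labs(arc[1].x - arc[0].x) <= tol && labs(arc[1].y - arc[0].y) <= tol &&
           labs(arc[2].x - arc[3].x) <= tol && labs(arc[2].y - arc[3].y) <= tol;
}

/* Flatten the cubic p0..p3 into line segments. Returns the segment count, or -1
 * when one more split would write past bez_stack (where an unchecked loop would
 * write out of bounds instead). */
int flatten_cubic(Vec p0, Vec p1, Vec p2, Vec p3, long tol)
{
    Vec bez_stack[BEZ_STACK_SIZE];
    Vec *arc = bez_stack;
    int segments = 0;
    arc[0] = p3; arc[1] = p2; arc[2] = p1; arc[3] = p0;   /* end point first */
    for (;;) {
        if (flat_enough(arc, tol)) {
            segments++;                           /* emit line arc[3] -> arc[0] */
            if (arc == bez_stack) return segments;
            arc -= 3;                             /* pop: the other half is next */
            continue;
        }
        /* The check the vulnerable loop lacks: a split writes arc[0..6]. */
        if ((size_t)(arc - bez_stack) + 6 >= BEZ_STACK_SIZE) return -1;
        split_cubic(arc);
        arc += 3;                                 /* push: first half is processed next */
    }
}
```

A flatness criterion that is never satisfied (modelled here with a negative tolerance) makes the loop return -1 after MAX_SPLITS - 1 nested splits instead of walking off the end of the array.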
A blogpost will be published soon on our blog with a PoC walkthrough and further details.
A remote attacker might be able to overwrite Telegram’s stack memory out-of-bounds on a victim device.
Upgrade to Telegram 7.1.0 (2090) or later.
`polict` of Shielder
This advisory was first published on https://www.shielder.com/advisories/telegram-rlottie-gray_split_cubic-stack-buffer-overflow/
Date: 16 February 2021