Telegram rlottie 7.0.1_2065 is affected by an Integer Overflow in the LOTGradient::populate function: a remote attacker might be able to access heap memory out-of-bounds on a victim device. Note: we’ll walk through the Android app sources, but the issue applies to the iOS and macOS Telegram apps too.
“Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed.” For more information visit https://telegram.org/.
Telegram uses a custom fork of rlottie to render animated stickers. The vulnerability is a signed integer overflow in LOTGradient::populate (starting at https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/lottie/lottiemodel.cpp#L198 ): an out-of-bounds read is performed because the checks in place for malicious inputs can be bypassed.
The integer mColorPoints comes directly from the animated sticker. Before it is used to access the colorPoints in memory, a bounds check is performed at https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/lottie/lottiemodel.cpp#L204.
In particular, colorPoints * 4 might overflow and wrap around to INT_MIN. Shortly after, it is used to calculate the pointer to the actual colorPoints in memory at https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/lottie/lottiemodel.cpp#L211, which could then point out-of-bounds.
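The following C program is an added illustration of the bug class described above; it is not rlottie's or Telegram's code. It models a bounds check that multiplies an attacker-controlled count by a stride of 4 (the factor named in the advisory) before comparing it with the buffer size, shows how a large count wraps to INT32_MIN and slips past that check, and places a hardened check beside it that compares without multiplying. The names `colorPoints`, `available`, the buffer size and the sample counts are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical illustration (not rlottie's code) of the bug class in the
 * advisory: a count read from the sticker file is multiplied by a stride
 * before being compared with the size of the colour-stop buffer, and the
 * product can overflow a 32-bit signed integer. The stride of 4 is taken
 * from the advisory's "colorPoints * 4"; the variable names and the buffer
 * size are assumptions made for this example. */

#define STRIDE 4

/* Reduce a 64-bit product to what a 32-bit two's-complement int would hold.
 * Done explicitly (rather than letting an int overflow, which is undefined
 * behaviour in C) so the wraparound is deterministic and testable. */
static int32_t wrap32(int64_t v)
{
    const int64_t two32 = (int64_t)1 << 32;
    v %= two32;
    if (v < 0) v += two32;
    if (v >= two32 / 2) v -= two32;
    return (int32_t)v;
}

/* Vulnerable pattern: the check is done on the (possibly wrapped) product.
 * A colorPoints of 0x20000000 gives 0x80000000, which wraps to INT32_MIN,
 * so "needed <= available" is true and the bogus count is accepted.
 * Negative counts pass for the same reason. */
bool check_wrapping(int32_t colorPoints, int32_t available)
{
    int32_t needed = wrap32((int64_t)colorPoints * STRIDE);
    return needed <= available;
}

/* Hardened pattern: reject negative counts and compare without multiplying,
 * so no intermediate value can overflow. (__builtin_mul_overflow on GCC and
 * Clang is an equivalent alternative.) */
bool check_hardened(int32_t colorPoints, int32_t available)
{
    if (colorPoints < 0 || available < 0) return false;
    return colorPoints <= available / STRIDE;
}

/* Offset the wrapped product would produce if it were used to locate the
 * colour points in the buffer; a negative or oversized value means the
 * resulting pointer lands outside the allocation. */
int64_t wrapped_offset(int32_t colorPoints)
{
    return (int64_t)wrap32((int64_t)colorPoints * STRIDE);
}

int main(void)
{
    const int32_t available = 64;                     /* constructed size */
    const int32_t samples[] = { 1, 16, 17, 0x20000000, -1 };  /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t c = samples[i];
        printf("colorPoints=%11d wrapping=%d hardened=%d offset=%lld\n",
               c, check_wrapping(c, available), check_hardened(c, available),
               (long long)wrapped_offset(c));
    }
    return 0;
}
```

Running it prints one line per sample count: the counts 16 and 17 behave the same under both checks, while 0x20000000 and -1 are accepted only by the multiplying check, with offsets of INT32_MIN and -4 respectively. The fix shape (divide the limit by the stride, or use an overflow-checked multiply) is what the patched version must achieve, whatever the exact code looks like.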
A blog post with a PoC walkthrough and further details will be published soon on our blog.
A remote attacker might be able to access Telegram’s heap memory out-of-bounds on a victim device.
Upgrade to Telegram 7.1.0 (2090) or later.
`polict` of Shielder
This advisory was first published on https://www.shielder.com/advisories/telegram-rlottie-lotgradient-populate-integer-overflow/
Date: 16 February 2021