Telegram rlottie 7.0.1_2065 is affected by a type confusion in the VDasher constructor: a remote attacker might be able to read Telegram’s heap memory out-of-bounds on a victim device. Note: we walk through the Android app sources, but the issue applies to the iOS and macOS Telegram apps too.
“Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed.” For more information visit https://telegram.org/.
Telegram uses a custom fork of rlottie to render animated stickers. The code takes for granted that, if a dash array is present at all, it holds at least two dash properties per entry: length and gap, as laid out in VDasher::Dash (https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/vector/vdasher.h#L40). When the animated sticker supplies just one dash property, the other one is read out-of-bounds. Specifically, the invalid read happens in VDasher::updateActiveSegment (https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/vector/vdasher.cpp#L99): mDashArray points at a dash entry whose only attribute coming from the sticker is length, while gap is read from memory past the end of the array.
gap looks like a legitimate member of the object, but in reality it is only “included” via the reinterpret_cast in the VDasher constructor (https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/vector/vdasher.cpp#L30), which instructs the compiler to treat the float* dashArray (backed by the std::vector<float> mStroke.mDash in https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/vector/vdrawable.cpp#L28) as a VDasher::Dash* (https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/vector/vdasher.h#L40), even though the vector may contain a single float (as in this case) instead of two. The cast carries no information about how many floats are actually behind the pointer, so the two-float stride of Dash silently walks past the sticker-provided data.
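The following is an added example written for this page, not code from Telegram's or rlottie's sources. It models the pattern the advisory describes: a float array viewed as Dash records through a reinterpret_cast, a constructed backing buffer so that the one-element case deterministically hands back the neighbouring float as “gap”, and a hardened parser that refuses anything other than complete length/gap pairs. The names Dash, DasherUnchecked, leakedGap and parseDashes, and the sample values, are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <vector>

// Dash record as the advisory describes it: a length followed by a gap.
// This struct, the classes and the sample data below are constructed for
// this example; they are not the rlottie sources.
struct Dash {
    float length;
    float gap;
};
static_assert(sizeof(Dash) == 2 * sizeof(float), "Dash must be two packed floats");

// Vulnerable pattern: the float array that came from the sticker is
// reinterpreted as an array of Dash records, so every entry is assumed to
// have a gap right after its length. Nothing checks that the array really
// holds complete pairs.
class DasherUnchecked {
public:
    explicit DasherUnchecked(const float* dashArray)
        : mDashArray(reinterpret_cast<const Dash*>(dashArray)) {}

    // Reads the gap of entry 0. When the sticker supplied only one float,
    // this reads whatever float happens to follow it in memory.
    float firstGap() const { return mDashArray[0].gap; }

private:
    const Dash* mDashArray;
};

// Deterministic model of the out-of-bounds read. We own a backing buffer of
// four floats but pretend the sticker provided just the first one; backing[1]
// stands in for whatever heap data follows the vector's storage in the real
// app. The unchecked reader returns it as if it were the sticker's gap.
float leakedGap() {
    float backing[4] = {5.0f, 42.0f, 0.0f, 0.0f};  // constructed sample
    DasherUnchecked dasher(backing);               // sticker "provided" 1 float
    return dasher.firstGap();                      // 42.0f: not sticker data
}

// Hardened variant (an example fix, not the vendor patch): reject dash data
// that does not consist of complete length/gap pairs, and copy the pairs
// into properly typed records instead of aliasing the float buffer.
// Returns false and leaves `out` empty when the input is rejected.
bool parseDashes(const std::vector<float>& dashArray, std::vector<Dash>& out) {
    out.clear();
    if (dashArray.empty() || dashArray.size() % 2 != 0) {
        return false;  // a lone length (the advisory's case) or any odd count
    }
    out.resize(dashArray.size() / 2);
    std::memcpy(out.data(), dashArray.data(), dashArray.size() * sizeof(float));
    return true;
}

int main() {
    std::printf("unchecked gap from a 1-element dash array: %g\n", leakedGap());

    std::vector<Dash> dashes;
    bool ok = parseDashes({5.0f}, dashes);
    std::printf("parseDashes({5}) accepted: %d\n", ok);

    ok = parseDashes({5.0f, 3.0f, 2.0f, 1.0f}, dashes);
    std::printf("parseDashes({5,3,2,1}) accepted: %d, entries: %zu\n", ok, dashes.size());
    return 0;
}
```

In the real app the lone float lives in a std::vector's heap allocation, so the value returned depends on what the allocator placed after it; the example uses a stack buffer only so that the effect is reproducible. Running the sticker-parsing path under AddressSanitizer is the practical way to catch the read, since a load one float past a heap allocation is exactly what its heap-buffer-overflow check reports.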
A blog post with a PoC walkthrough and further details will be published soon on our blog.
A remote attacker might be able to access Telegram’s heap memory out-of-bounds on a victim device.
Upgrade to Telegram 7.1.0 (2090) or later.
`polict` of Shielder
This advisory was first published on https://www.shielder.it/advisories/telegram-rlottie-vdasher-vdasher-type-confusion/
16 February 2021