Telegram rlottie 7.0.1_2065 LottieParserImpl::parseDashProperty Heap Buffer Overflow

Summary

Telegram rlottie 7.0.1_2065 is affected by a Heap Buffer Overflow in the LottieParserImpl::parseDashProperty function: a remote attacker might be able to access heap memory out-of-bounds on a victim device. Note: we’ll walk through the android app sources, but the issue applies to iOS and macOS Telegram apps too.

Product description (from vendor)

“Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed.”. For more information visit https://telegram.org/.

CVE(s)

Details

Root cause analysis

Telegram uses a custom fork of rlottie to render animated stickers. The vulnerability is a heap-based buffer overflow which originates in LottieParserImpl::parseDashProperty (starting at https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/lottie/lottieparser.cpp#L1866 ): an out-of-bounds read access is performed because the actual number of dashes in the animated sticker is not verified before acessing heap memory.

The number of dashes in a GradientStroke shape is five (https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/lottie/lottiemodel.h#L687 ). In case there are more dashes, out-of-bounds memory is accessed in https://github.com/DrKLO/Telegram/blob/release-7.0.1_2065/TMessagesProj/jni/rlottie/src/lottie/lottieparser.cpp#L2381.

Proof of concept

A blogpost will be published soon on our blog with a PoC walkthrough and further details.

Impact

A remote attacker might be able to access Telegram’s heap memory out-of-bounds on a victim device.

Remediation

Upgrade to Telegram 7.1.0 (2090) or later.

Disclosure timeline

  • 30/09/2020:
    • Telegram releases version 7.1.0 (2090) with a patch

Credits

`polict` of Shielder

This advisory was first published on https://www.shielder.it/it/advisories/telegram-rlottie-lottieparserimpl-parsedashproperty-heap-buffer-overflow/

Data

16 February 2021