How I broke Telegram

    Once I hacked into one of the Telegram servers. Not that it was anything remarkable, and the vulnerabilities themselves are standard. Given that Telegram is all about security, it is rather surprising that in all those years nobody had exploited them. But he who does nothing makes no mistakes!



    Back in May 2017, kyprizel drew attention to the fact that Telegram Desktop uploads ZIP archives to its server tdesktop.com. As it turned out later, not just any ZIP: inside them is information about application crashes, so that the developers can study under what circumstances a crash occurred. In addition, the developers get access to them through a web interface, judging by the authentication form. I added the host to my notes and promptly forgot about it.



    I remembered it about a year later, when upcoming research was being discussed in a chat. At that time there was an error_log file in the web root, into which, as you might have guessed, errors were written. At a minimum it disclosed full file paths, but on top of that there was everyone's favourite error, "You have an error in your SQL syntax". But we are all lazy, and I generally try not to take part in bug bounties, so everything stayed as it was.



    Another year passed, and I was invited to speak at the #PartyHack conference in Kazan. And when you don't have material for a talk, you look through your notes. What do we have there? A suspicious Telegram host.
    Since the server used PHP, as evidenced by crash.php, I decided to enumerate file names with this extension a bit, and that is how I came across info.php, which showed the output of the phpinfo() function. The first thing I noticed was that the Apache web server was in use. How so? All of Telegram runs nginx, and here is Apache! And who uses Apache in 2019?



    What first comes to mind when you hear Apache? I immediately think of mod_status, which is built in by default. This module generates a page with the current state of the server: system resources, the requests being served, and how fast they are processed. Most often its path is /server-status, more rarely just /status. To understand how common this administrative mistake is, just recall that it hung on the apache.org website for many years.



    For many years I have been collecting paths to potentially dangerous files and directories in the fuzz.txt project, so server-status was naturally in there.

    In general, what is noteworthy about server-status is that it also shows the IP addresses of the clients sending requests to the server. But in this case all requests came from 127.0.0.1 to the virtual host preston-desktop.com: nginx at the front simply proxied all requests to the local Apache, so there was no disclosure of user information. Still, it was worth putting server-status under monitoring, so here is a small quick-and-dirty script that writes unique rows into an sqlite database. Over a short period a lot of unique links were collected, but mostly these were update-check requests (indicating the version), and there were almost no downloads. After a while I saw the admin.
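    As an added illustration (not the author's script, which is not on the page) of what an exposed server-status reveals and how such monitoring works: the block below parses a constructed sample of the mod_status worker table, stores unique client/vhost/request rows in sqlite, and flags request lines whose query string carries credential-like parameter names, as with the __login and __token parameters seen later in the post. The sample table, the /admin/crashlog.php path and the login/token values are constructed for the example.

```python
import html
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample of an Apache mod_status worker table (ExtendedStatus On).
# Column order as in Apache 2.4; all paths and values are made up for the example.
STATUS_HTML = """<table border="0"><tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>1001</td><td>0/12/12</td><td>W</td><td>0.03</td><td>0</td><td>1</td><td>0.0</td><td>0.01</td><td>0.01</td><td>127.0.0.1</td><td>preston-desktop.com</td><td nowrap>GET /server-status HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>1002</td><td>0/5/5</td><td>_</td><td>0.01</td><td>3</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00</td><td>127.0.0.1</td><td>preston-desktop.com</td><td nowrap>GET /query_report?apiid=2040&amp;version=1.7.0&amp;platform=mac HTTP/1.1</td></tr>
<tr><td><b>2-0</b></td><td>1003</td><td>0/7/7</td><td>_</td><td>0.02</td><td>8</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00</td><td>127.0.0.1</td><td>preston-desktop.com</td><td nowrap>GET /query_report?apiid=2040&amp;version=1.7.0&amp;platform=mac HTTP/1.1</td></tr>
<tr><td><b>3-0</b></td><td>1004</td><td>0/2/2</td><td>_</td><td>0.01</td><td>9</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00</td><td>127.0.0.1</td><td>preston-desktop.com</td><td nowrap>GET /admin/crashlog.php?__login=CONSTRUCTED_USER&amp;__token=CONSTRUCTED_TOKEN HTTP/1.1</td></tr>
<tr><td><b>4-0</b></td><td>1005</td><td>0/0/0</td><td>.</td><td>0.00</td><td>0</td><td>0</td><td>0.0</td><td>0.00</td><td>0.00</td><td></td><td></td><td nowrap></td></tr>
</table>"""

ROW_RE = re.compile(r"<tr>(.*?)</tr>", re.S)
CELL_RE = re.compile(r"<td[^>]*>(.*?)</td>", re.S)
SENSITIVE = ("token", "login", "pass", "session", "key")   # parameter-name fragments worth flagging

def open_db(path=":memory:"):
    return sqlite3.connect(path)

def parse_requests(page):
    """Yield (client, vhost, request_line) for every worker that currently shows a request."""
    for row in ROW_RE.findall(page):
        cells = [re.sub(r"<[^>]+>", "", c).strip() for c in CELL_RE.findall(row)]
        if len(cells) >= 3 and cells[-1]:        # header row has no <td>; idle workers are blank
            yield cells[-3], cells[-2], html.unescape(cells[-1])

def store_unique(db, page):
    """Write rows to sqlite; the UNIQUE constraint drops repeats. Returns how many rows were new."""
    db.execute("CREATE TABLE IF NOT EXISTS seen (client TEXT, vhost TEXT, request TEXT, "
               "UNIQUE(client, vhost, request))")
    before = db.total_changes
    db.executemany("INSERT OR IGNORE INTO seen VALUES (?, ?, ?)", parse_requests(page))
    return db.total_changes - before

def leaked_credentials(db):
    """Paths whose query string carries credential-like parameter names (the __login/__token case)."""
    hits = []
    for (req,) in db.execute("SELECT request FROM seen ORDER BY rowid"):
        parts = req.split(" ")                   # "GET /path?query HTTP/1.1"
        if len(parts) < 2:
            continue
        params = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
        bad = sorted(p for p in params if any(s in p.lower() for s in SENSITIVE))
        if bad:
            hits.append((urlsplit(parts[1]).path, bad))
    return hits
```

Run store_unique repeatedly against fresh fetches of the status page and only genuinely new request lines accumulate; leaked_credentials then shows which of them carried secrets in the URL, which is exactly what an exposed status page hands to anyone who can read it.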



    Even though the request line is truncated, the logs show that the administrator occasionally downloads the crash logs for further analysis, and the amusing parameters __login and __token are passed along. The POST requests in the screenshot are mine.
    Looking at the source, you can notice two interesting methods.

    The first is query_report, which takes the additional parameters apiid, version, dmp and platform. It returns whether more logs about the application crash are needed, or whether the version is already current and the errors are known. The mechanism exists so as not to collect too much, but to fix only what is relevant.



    The second is report itself, this time without additional parameters. If the previous request returned a word indicating that a dump is needed, the file is sent.



    There you can see that the data is sent as multipart, with the file name report.telegramcrash and Content-Type application/octet-stream.



    So one could try uploading one's own files and testing for the vulnerabilities associated with ZIP extraction and other upload handling.



    And I would have gone on sending various payloads to find at least some kind of vulnerability, if not for one trick. If we pass the parameter names known from the other request, with valid values taken from server-status, into the report method, we can try the secret weapon of all web hackers.

    Using the power of the Megazord (a single quote) in the platform parameter, it was possible to observe anomalous behaviour from the resource.



    With the quote there is an error; without it everything is fine. To confirm, you can write a logical expression, for example platform=mac' AND 'a'='a. The answer is Done, as with a successful file upload.

    Well, automation was invented for a reason, so I dust off sqlmap, which had been idle for a while. Anticipating the questions: everything else was configured well, and the DBMS user is unprivileged.
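    As an added example, not code from the page or from Telegram's server: a constructed sqlite-backed stand-in for the report handler, once with the platform value glued into the SQL string (the shape the quote anomaly above indicates) and once with a bound parameter. The table and the handler's lookup are assumptions; the page gives neither.

```python
import sqlite3

# Constructed stand-in for the crash server's table of known builds; the real
# schema is unknown, this is only enough to show the two handler variants.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE known_builds (apiid INTEGER, version TEXT, platform TEXT)")
db.executemany("INSERT INTO known_builds VALUES (?, ?, ?)",
               [(2040, "1.7.0", "mac"), (2040, "1.7.0", "win")])

def report_vulnerable(platform):
    """Query built by string concatenation: a quote is an error, a true expression is 'Done'."""
    sql = f"SELECT 1 FROM known_builds WHERE platform='{platform}'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return "error"            # a lone quote leaves the string literal unterminated
    return "Done" if row else "unknown platform"

def report_safe(platform):
    """Same lookup with a bound parameter: the value is data, never part of the statement."""
    row = db.execute("SELECT 1 FROM known_builds WHERE platform=?", (platform,)).fetchone()
    return "Done" if row else "unknown platform"

if __name__ == "__main__":
    for value in ("mac", "mac'", "mac' AND 'a'='a", "mac' AND 'a'='b"):
        print(repr(value), "->", report_vulnerable(value), "|", report_safe(value))
```

The safe variant answers every injected value the same way as any other unknown platform string, which removes both the error signal and the true/false difference that sqlmap feeds on.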



    I sent it to security@telegram.org, and a little later received the coveted letter about a $30,000 award.
    Just kidding: $2000 for the SQLi and $500 for phpinfo and server-status, which is also good. The wolves are fed and the sheep are safe, or the other way round.



    I did not hack users (your correspondence is safe), and I could not develop the attack further: a server with dumps from random users (namely crash dumps, without the Telegram identifier, phone number, messages or chats) is of dubious value. In theory, one could download the crashes and study and exploit them oneself. Having learned how Telegram crashes, one could crash it on a victim's machine and then study everything that can be squeezed out of the crash logs, if they could even be downloaded through this injection at all.
