Skip to content

Commit

Permalink
Update data_document_resolver.cpp
Browse files Browse the repository at this point in the history 
The correct python zipapp extension on windows is pyzw, this typo could lead to executing code in the client device without proper warning
  • Loading branch information
@el-garro @john-preston
el-garro authored and john-preston committed Apr 11, 2024
1 parent fe06cd6 commit 11b57ff
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion Telegram/SourceFiles/data/data_document_resolver.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -169,7 +169,7 @@ lnk local lua mad maf mag mam manifest maq mar mas mat mau mav maw mcf mda \
mdb mde mdt mdw mdz mht mhtml mjs mmc mof msc msg msh msh1 msh2 msh1xml \
msh2xml mshxml msi msp mst ops osd paf pcd phar php php3 php4 php5 php7 phps \
php-s pht phtml pif pl plg pm pod prf prg ps1 ps2 ps1xml ps2xml psc1 psc2 \
psd1 psm1 pssc pst py py3 pyc pyd pyi pyo pyw pywz pyz rb reg rgs scf scr \
psd1 psm1 pssc pst py py3 pyc pyd pyi pyo pyw pyzw pyz rb reg rgs scf scr \
sct search-ms settingcontent-ms sh shb shs slk sys t tmp u3p url vb vbe vbp \
vbs vbscript vdx vsmacros vsd vsdm vsdx vss vssm vssx vst vstm vstx vsw vsx \
vtx website ws wsc wsf wsh xbap xll xnk xs"_q;
Expand Down

12 comments on commit 11b57ff

@ac3ss0r
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a certified RCE moment

@nezzzumi
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

bruh

@jaha-coder
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

too late :)

@dement6d
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this typo indeed lead to remote code execution

@alfredonodo
Copy link

@alfredonodo alfredonodo commented on 11b57ff Apr 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a certified RCE moment

The video about the possible RCE has been removed as it turned out to be a hoax.
The vulnerability was present because of the misspelled file extension, but it was neither an RCE nor a 0-click as it required at least one click and having python installed. Finally, there is currently no CVE about it.

Source
"Rumors about the existence of zero-click vulnerabilities in Telegram Desktop are inaccurate. Some "experts" recommended to "disable automatic downloads" on Telegram — there were no issues which could have been triggered by automatic downloads.

However, on Telegram Desktop, there was an issue that required the user to CLICK on a malicious file while having the Python interpreter installed on their computer. Contrary to earlier reports, this was not a zero-click vulnerability and it could affect only a tiny fraction of our user base: less than 0.01% of our users have Python installed and use the relevant version of Telegram for Desktop.

A server-side fix has been applied to ensure that even this issue no longer reproduces, so all versions of Telegram Desktop (including all older ones) no longer have this issue."

@Vash404
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

bad typo

@vstudiocode
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

skull emoji

@alfredonodo
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The mystery deepens. Telesec website, currently down (backup archive.org) and registered on 14 April 2024, stated the presence of two vulnerabilities, one of which was critical on the telegram-desktop client from versions 4.16.0-4.16.3, but did not report the corresponding CVEs. For what reason? It seems to be yet another hoax.

@RodricBr
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

too bad, lol

@DeadMaX
Copy link

@DeadMaX DeadMaX commented on 11b57ff Apr 19, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You might add the MSI file extension

@Khazbs
Copy link

@Khazbs Khazbs commented on 11b57ff Apr 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You might add the MSI file extension

MSI is already added to that list

@surebrec
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that's what happened when you use a too fast mechanical keyboard

Please sign in to comment.