Typo Trouble: Exploring the Telegram Python RCE Vulnerability
Telegram’s Windows application was recently updated to address a critical zero-day flaw that permitted the execution of Python scripts without triggering security alerts, due to a typo in processing certain file extensions.
This vulnerability first surfaced on online forums, and a proof of concept was later shared on the XSS forum. The issue centered on Python “.pyzw” files which, due to a typo, evaded Telegram’s security checks and ran immediately upon user interaction, provided Python was present on the device. Attackers could disguise these scripts as innocuous video files, duping users into running them.
As of now, Telegram has deployed a server-side remedy by tagging “.pyzw” files with the “.untrusted” suffix, so that executing them requires a deliberate user decision. Telegram has also rectified the original coding error, and the fix will be pushed in upcoming updates.
Exploring the vulnerability
The Telegram Desktop app keeps a list of file extensions associated with hazardous content, such as executables. If a user attempts to open one of these file types shared through Telegram, the associated Windows application is not launched automatically. Instead, Telegram presents a security warning message, as shown below.
Conversely, if a file type that is not on the list is shared via Telegram, the file is opened automatically, deferring to the operating system to determine the suitable program to use.
The recent commit history reveals that an error was made when the list of dangerous file extensions was first populated: “pyzw” was misspelled as “pywz”. This typo was the cause of the Remote Code Execution (RCE) vulnerability within the application.
Demonstration
First, we create a Python zip application (.pyzw) that opens cmd.exe, as shown below.
Then we send the file to the victim. Because of the typo, the security measures implemented by Telegram are bypassed, so when the victim clicks on the message (file), the command is executed.
As a remedy, Telegram has deployed a server-side fix where all .pyzw files are tagged with the .untrusted extension. This again produces a pop-up asking the user to confirm whether they want to run the application, as shown below.
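To make the mechanism concrete, here is an added example (not Telegram’s code) that models the extension check described above: a constructed stand-in for the dangerous-extension list with the “pywz” typo, the corrected list, and the server-side “.untrusted” renaming. The list contents and file names are constructed for illustration only.

```python
import os

# Constructed stand-in for the client's dangerous-extension list.
# Only a handful of entries are shown; the real list is much longer.
DANGEROUS_EXT_TYPO = {"exe", "bat", "cmd", "ps1", "py", "pyw", "pywz"}   # "pywz": the typo
DANGEROUS_EXT_FIXED = {"exe", "bat", "cmd", "ps1", "py", "pyw", "pyzw"}  # corrected entry


def file_extension(name: str) -> str:
    """Return the lowercased final extension of a file name ('' if none)."""
    return os.path.splitext(name)[1].lstrip(".").lower()


def warns_before_open(name: str, dangerous: set) -> bool:
    """Client-side check: names whose extension is on the list get a warning
    dialog instead of being handed straight to the OS."""
    return file_extension(name) in dangerous


def quarantine_name(name: str) -> str:
    """Server-side remedy from the article: append '.untrusted' to .pyzw
    uploads so Windows has no registered handler and cannot auto-run them."""
    if file_extension(name) == "pyzw":
        return name + ".untrusted"
    return name


def open_decision(name: str, dangerous: set, server_fix: bool) -> str:
    """Outcome for a received file under a given list and fix state:
    'warn' (client dialog) or 'auto-open:<name>' (handed to the OS)."""
    if server_fix:
        name = quarantine_name(name)
    if warns_before_open(name, dangerous):
        return "warn"
    return "auto-open:" + name


if __name__ == "__main__":
    sample = "holiday_video.pyzw"  # constructed file name
    print("typo list, no server fix :", open_decision(sample, DANGEROUS_EXT_TYPO, False))
    print("typo list, server fix    :", open_decision(sample, DANGEROUS_EXT_TYPO, True))
    print("fixed list, no server fix:", open_decision(sample, DANGEROUS_EXT_FIXED, False))
```

The first case is the bug: with the misspelled entry, a .pyzw name misses the list and is auto-opened; the other two show the two layers of remediation.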
Telegram has said it is working on a fix so that future versions of the Telegram Desktop app will show the security warning message instead of appending the “.untrusted” extension, adding a bit more security to the process.