-
-
Save FlatL1neAPT/628343e660efe52ccc3296fc9771b65c to your computer and use it in GitHub Desktop.
Telegram CVE-2018-15543 Information
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| > [Description] | |
| > ** DISPUTED ** An issue was discovered in the org.telegram.messenger | |
| > application 4.8.11 for Android. The FingerprintManager class for | |
| > Biometric validation allows authentication bypass through the callback | |
| > method from onAuthenticationFailed to onAuthenticationSucceeded with | |
| > null, because the fingerprint API in conjunction with the | |
| > Android keyGenerator class is not implemented. In other words, an | |
| > attacker could authenticate with an arbitrary fingerprint. NOTE: the | |
| > vendor indicates that this is not an attack of interest within the | |
| > context of their threat model, which excludes Android devices on which | |
| > rooting has occurred. | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Additional Information] | |
| > Exploitation Narrative for bypass local authentication on Fingerprint | |
| > | |
| > 1. De-compiling process was used to determine application logic | |
| > through source code. Without code obfuscation implementation, we could | |
| > analyse the logic of Fingerprint authentication on "PasscodeView" | |
| > class. | |
| > 2. We notice that the fingerprint method is implemented through FingerprintManager class. | |
| > 3. Frida script was created to override the authentication method by setting the onAuthenticationSucceeded to "null". | |
| > | |
| > POC: https://www.dropbox.com/s/gtlkewl2r1w11zz/Telegram_Bypass_Fingerprint.mp4?dl=0 | |
| > | |
| > Recommendation | |
| > * Using fingerprint API in conjunction with the Android keyGenerator class. | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [VulnerabilityType Other] | |
| > OWASP Mobile Top 10 2016:M1-Improper Platform Usage, CWE-287 - Improper Authentication | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Vendor of Product] | |
| > Telegram | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Affected Product Code Base] | |
| > org.telegram.messenger (Android: Google Play Store) - 4.8.11 | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Affected Component] | |
| > Bio-metric(Fingerprint) authentication | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Attack Type] | |
| > Context-dependent | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Impact Information Disclosure] | |
| > true | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [CVE Impact Other] | |
| > Authentication Bypass | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Attack Vectors] | |
| > An attacker who is able to access on rooted Android device, could | |
| > perform runtime manipulation on Bio-metric authentication which allow | |
| > attacker to force the successful authentication by invoking the | |
| > onAuthenticationSucceeded method with "Null" value. A malicious | |
| > application which may evade Google Play Store detection, could attack | |
| > the application on rooted device by hooking into Bio-metric mechanism | |
| > in order to bypass authentication process. | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Has vendor confirmed or acknowledged the vulnerability?] | |
| > true | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Discoverer] | |
| > Boonpoj Thongakaraniroj, Prathan Phongthiproek | |
| > | |
| > ------------------------------------------ | |
| > | |
| > [Reference] | |
| > https://telegram.org |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment