tanprathan/CVE-2018-15542.txt

## CVE-2018-15542.txt
> [Description]
> ** DISPUTED ** An issue was discovered in the org.telegram.messenger
> application 4.8.11 for Android. The Passcode feature allows
> authentication bypass via runtime manipulation that forces a certain
> method's return value to true. In other words, an attacker could
> authenticate with an arbitrary passcode. NOTE: the vendor indicates
> that this is not an attack of interest within the context of their
> threat model, which excludes Android devices on which rooting has
> occurred.
>
> ------------------------------------------
>
> [Additional Information]
> Exploitation Narrative for bypass local authentication on Passcode
>
> 1. De-compiling process was used to determine application logic
> through source code. Without code obfuscation implementation, We could
> analyse the logic of Passcode authentication on the "PasscodeView"
> class and "ProcessDone" method and found that the return type is
> Boolean type.
>
> 2. Frida script was created to hook into "ProcessDone" method in order
> to force the return value to be "true".
>
> POC: https://www.dropbox.com/s/wye6hp37zphokkj/Telegram_Bypass_Passcode.mp4?dl=0
>
> Recommendation
> * Consider code obfuscation on binary
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> OWASP Mobile Top 10 2016:M4-Insecure Authentication, CWE-287 - Improper Authentication
>
> ------------------------------------------
>
> [Vendor of Product]
> Telegram
>
> ------------------------------------------
>
> [Affected Product Code Base]
> org.telegram.messenger (Android: Google Play Store) - 4.8.11
>
> ------------------------------------------
>
> [Affected Component]
> Passcode authentication
>
> ------------------------------------------
>
> [Attack Type]
> Context-dependent
>
> ------------------------------------------
>
> [Impact Information Disclosure]
> true
>
> ------------------------------------------
>
> [CVE Impact Other]
> Authentication Bypass
>
> ------------------------------------------
>
> [Attack Vectors]
> An attacker who is able to access on rooted Android device, could
> perform runtime manipulation on Passcode authentication which allow
> attacker to force the return value to be "true". A malicious
> application which may evade Google Play Store detection, could attack
> the application on rooted device by hooking into Passcode verification
> mechanism in order to bypass authentication process.
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Boonpoj Thongakaraniroj, Prathan Phongthiproek
>
> ------------------------------------------
>
> [Reference]
> https://telegram.org
	> [Description]
	> DISPUTED An issue was discovered in the org.telegram.messenger
	> application 4.8.11 for Android. The Passcode feature allows
	> authentication bypass via runtime manipulation that forces a certain
	> method's return value to true. In other words, an attacker could
	> authenticate with an arbitrary passcode. NOTE: the vendor indicates
	> that this is not an attack of interest within the context of their
	> threat model, which excludes Android devices on which rooting has
	> occurred.
	>
	> ------------------------------------------
	>
	> [Additional Information]
	> Exploitation Narrative for bypass local authentication on Passcode
	>
	> 1. De-compiling process was used to determine application logic
	> through source code. Without code obfuscation implementation, We could
	> analyse the logic of Passcode authentication on the "PasscodeView"
	> class and "ProcessDone" method and found that the return type is
	> Boolean type.
	>
	> 2. Frida script was created to hook into "ProcessDone" method in order
	> to force the return value to be "true".
	>
	> POC: https://www.dropbox.com/s/wye6hp37zphokkj/Telegram_Bypass_Passcode.mp4?dl=0
	>
	> Recommendation
	> * Consider code obfuscation on binary
	>
	> ------------------------------------------
	>
	> [VulnerabilityType Other]
	> OWASP Mobile Top 10 2016:M4-Insecure Authentication, CWE-287 - Improper Authentication
	>
	> ------------------------------------------
	>
	> [Vendor of Product]
	> Telegram
	>
	> ------------------------------------------
	>
	> [Affected Product Code Base]
	> org.telegram.messenger (Android: Google Play Store) - 4.8.11
	>
	> ------------------------------------------
	>
	> [Affected Component]
	> Passcode authentication
	>
	> ------------------------------------------
	>
	> [Attack Type]
	> Context-dependent
	>
	> ------------------------------------------
	>
	> [Impact Information Disclosure]
	> true
	>
	> ------------------------------------------
	>
	> [CVE Impact Other]
	> Authentication Bypass
	>
	> ------------------------------------------
	>
	> [Attack Vectors]
	> An attacker who is able to access on rooted Android device, could
	> perform runtime manipulation on Passcode authentication which allow
	> attacker to force the return value to be "true". A malicious
	> application which may evade Google Play Store detection, could attack
	> the application on rooted device by hooking into Passcode verification
	> mechanism in order to bypass authentication process.
	>
	> ------------------------------------------
	>
	> [Has vendor confirmed or acknowledged the vulnerability?]
	> true
	>
	> ------------------------------------------
	>
	> [Discoverer]
	> Boonpoj Thongakaraniroj, Prathan Phongthiproek
	>
	> ------------------------------------------
	>
	> [Reference]
	> https://telegram.org