RaphielGang / Telegram-Paperplane

The Paperplane userbot project - a Telegram userbot helping to improve your Telegram experience. https://t.me/tgpaperplane

[DV-SA] Remote Privilege Elevation in Evaluation Module #222

Closed raphielscape closed 4 years ago

raphielscape commented 4 years ago
Identifier for the advisory (mandatory). Will be assigned a "DV-SA-[NO][STATE]" identifier e.g. DV-SA-00-ST.

DV-SA-35CA

Name of the affected project (mandatory)

Paperplane

Disclosure date of the advisory as an RFC 3339 date (mandatory)

2020-04-03

Single-line description of a vulnerability (mandatory)

Flaw in Evaluation Module allows Remote Privilege Elevation

URL to a long-form description of this issue, e.g. a GitHub issue/PR, a changelog entry, or a blog post announcing the release (optional)

Pull Request 221

Optional: Categories this advisory falls under. Valid categories are: "code-execution", "crypto-failure", "denial-of-service", "file-disclosure", "format-injection", "memory-corruption", "memory-exposure", "privilege-escalation"

privilege-escalation

Optional: a Common Vulnerability Scoring System score. More information can be found on the CVSS website, https://www.first.org/cvss/.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Vulnerability aliases, e.g. CVE IDs (optional but recommended)

[ Unassigned ]

References to related vulnerabilities (optional)

[ Unassigned ]

Enter a short-form description of the vulnerability here (mandatory)
Evaluation module allows an inline bot to interact with the userbot directly.
This allows an attacker to perform privilege elevation on the user's account.

The flaw was corrected by Penn5.

Optional: metadata which narrows the scope of what this advisory affects

[ Unassigned ]

CPU architectures impacted by this vulnerability (optional). Only use this if the vulnerability is specific to a particular CPU architecture.

all-arch

Operating systems impacted by this vulnerability (optional)

all-os

Versions which include fixes for this vulnerability (mandatory)

master

compose

Versions which were never vulnerable (optional)

[ Unassigned ]

penn5 commented 4 years ago

The flaw is not in the evaluation module. The privilege escalation flaw is in the core events dispatcher, but the remote code execution is made possible by the evaluators.
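The dispatcher-level check described above, as an added illustration that is not Paperplane's own code: a minimal stand-in for the message object and two dispatch guards, one that trusts only the "outgoing" flag and one that additionally requires the sender to be the owner and rejects messages produced through an inline bot. The `Message` class, `OWNER_ID` and the `via_bot_id` field are assumptions modelled on Telegram's message shape, not taken from the project.

```python
from dataclasses import dataclass
from typing import Optional

OWNER_ID = 1111  # assumed id of the account running the userbot (constructed)


@dataclass
class Message:
    """Minimal stand-in for a Telegram message (constructed, not Telethon's)."""
    text: str
    sender_id: int
    out: bool                          # Telegram marks it as sent by our account
    via_bot_id: Optional[int] = None   # set when an inline bot produced the message


def should_dispatch_vulnerable(msg: Message) -> bool:
    """Weak guard: trusts the outgoing flag alone, so any message that appears
    as sent by the account, including inline-bot output, reaches the evaluator."""
    return msg.out and msg.text.startswith(".eval")


def should_dispatch_fixed(msg: Message, owner_id: int = OWNER_ID) -> bool:
    """Hardened guard: the command must be outgoing, authored by the owner and
    not routed through an inline bot before it may reach the evaluator."""
    if not msg.out or msg.sender_id != owner_id:
        return False
    if msg.via_bot_id is not None:       # inline bot generated this text, not the owner
        return False
    return msg.text.startswith(".eval")


# Constructed sample traffic: a genuine owner command and an inline-bot-produced
# message that Telegram also flags as outgoing from the owner's account.
SAMPLES = {
    "owner_command": Message(".eval 1 + 1", OWNER_ID, out=True),
    "inline_bot_output": Message(".eval 1 + 1", OWNER_ID, out=True, via_bot_id=9999),
    "other_user": Message(".eval 1 + 1", 2222, out=False),
}


def evaluate_guards() -> dict:
    """Return, per sample, whether each guard would hand it to the evaluator."""
    return {
        name: (should_dispatch_vulnerable(m), should_dispatch_fixed(m))
        for name, m in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (weak, fixed) in evaluate_guards().items():
        print(f"{name:18} weak={weak} fixed={fixed}")
```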

RealAkito commented 4 years ago

As this issue has been solved, I am closing it.