search

telegramdesktop / tdesktop

Telegram Desktop messaging app
https://desktop.telegram.org/
Other
26.23k stars 5.2k forks source link

Telegram 4.11.5 x64 Desktop for Windows #27080

Closed aiooord closed 9 months ago

aiooord commented 11 months ago

Steps to reproduce

This vulnerability/bug exists in telegram v4.11.5 x64 desktop for Windows. The following steps lead to this bug:

First, we should create a group with topics enabled. After that, we should make a new topic and then put some corrupted PNG-based photos on the newly created topic in the group. The PNG photos must be large enough and have some corrupted format to trigger this bug effectively because when triggered, this vulnerability made some errors about libpng processing sRGB colors, which we can see in the following windbg debug session.

However, based on my analysis, I think this vulnerability is caused by libpng. For example, if a corrupt PNG is presented to be decoded (The photos I feed to Telegram), it ends up crashing. I put windbg crash analysis here:


libpng warning: iCCP: known incorrect sRGB profile
libpng warning: iCCP: known incorrect sRGB profile
(67ec.5528): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Telegram!rlottie::Surface::height+0xa249bf:
00007ff6`713c3b0f 488b01          mov     rax,qword ptr [rcx] ds:00000000`00000000=????????????????

As we can see here, libpng made some warnings about iCCP. The "libpng warning: iCCP: known incorrect sRGB profile" indicates an issue related to the International Color Consortium Profile (iCCP) in the PNG image handling library libpng. This warning relates to the PNG image's color profile and how the libpng library interprets it. So, this warning message might indicate that the crash is related to the handling or processing of PNG images within the application. However, based on call stacks, this vulnerability will be triggered when this rlottie calls the height() method in the Surface class. I put the call stack in the following section, which shows exactly the execution path that will trigger this vulnerability:


0:000> k
 # Child-SP          RetAddr               Call Site
00 000000cf`78cfb070 00007ff6`713c6691     Telegram!rlottie::Surface::height+0xa249bf
01 000000cf`78cfb0a0 00007ff6`713b8d2d     Telegram!rlottie::Surface::height+0xa27541
02 000000cf`78cfb270 00007ff6`707204c6     Telegram!rlottie::Surface::height+0xa19bdd
03 000000cf`78cfb310 00007ff6`71af4793     Telegram!configureModelCacheSize+0xa8e46
04 000000cf`78cfb6b0 00007ff6`73fe2ae6     Telegram!rlottie::Surface::bytesPerLine+0x370b63
05 000000cf`78cfb6f0 00007ff6`73ae7bb5     Telegram!ANGLEResetDisplayPlatform+0xa190e6
06 000000cf`78cfb900 00007ff6`73ae6c53     Telegram!ANGLEResetDisplayPlatform+0x51e1b5
07 000000cf`78cfb930 00007ff6`70ddb5cc     Telegram!ANGLEResetDisplayPlatform+0x51d253
08 000000cf`78cfbeb0 00007ff6`70ddb6b4     Telegram!rlottie::Surface::height+0x43c47c
09 000000cf`78cfbee0 00007ff6`73fee8cb     Telegram!rlottie::Surface::height+0x43c564
0a 000000cf`78cfbf30 00007ff6`73ff03c3     Telegram!ANGLEResetDisplayPlatform+0xa24ecb
0b 000000cf`78cfbfa0 00007ff6`7436ddae     Telegram!ANGLEResetDisplayPlatform+0xa269c3
0c 000000cf`78cfc070 00007ff6`74112451     Telegram!ANGLEResetDisplayPlatform+0xda43ae
0d 000000cf`78cfc0a0 00007ff6`7436dd88     Telegram!ANGLEResetDisplayPlatform+0xb48a51
0e 000000cf`78cff1d0 00007ff6`740441fd     Telegram!ANGLEResetDisplayPlatform+0xda4388
0f 000000cf`78cff200 00007ff6`73fedb24     Telegram!ANGLEResetDisplayPlatform+0xa7a7fd
10 000000cf`78cff260 00007ff6`70dd71f1     Telegram!ANGLEResetDisplayPlatform+0xa24124
11 000000cf`78cff2c0 00007ff6`70dc3209     Telegram!rlottie::Surface::height+0x4380a1
12 000000cf`78cff510 00007ff6`70dc0e97     Telegram!rlottie::Surface::height+0x4240b9
13 000000cf`78cff710 00007ff6`71d3ce0b     Telegram!rlottie::Surface::height+0x421d47
14 000000cf`78cff820 00007ff6`74373567     Telegram!rlottie::Surface::bytesPerLine+0x5b91db
15 000000cf`78cff860 00007ff6`742e4cf2     Telegram!ANGLEResetDisplayPlatform+0xda9b67
16 000000cf`78cff8f0 00007ff8`cd747344     Telegram!ANGLEResetDisplayPlatform+0xd1b2f2
17 000000cf`78cff930 00007ff8`cf1c26b1     KERNEL32!BaseThreadInitThunk+0x14
18 000000cf`78cff960 00000000`00000000     ntdll!RtlUserThreadStart+0x21

Also, I put the analysis of windbg on this crash here:


0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

KEY_VALUES_STRING: 1

    Key  : AV.Dereference
    Value: NullPtr

    Key  : AV.Fault
    Value: Read

    Key  : Analysis.CPU.mSec
    Value: 421

    Key  : Analysis.Elapsed.mSec
    Value: 1800

    Key  : Analysis.IO.Other.Mb
    Value: 145

    Key  : Analysis.IO.Read.Mb
    Value: 223

    Key  : Analysis.IO.Write.Mb
    Value: 1556

    Key  : Analysis.Init.CPU.mSec
    Value: 4952

    Key  : Analysis.Init.Elapsed.mSec
    Value: 2558925

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 308

    Key  : Failure.Bucket
    Value: NULL_POINTER_READ_c0000005_Telegram.exe!Unknown

    Key  : Failure.Hash
    Value: {cf0285fb-9487-c4db-449a-316245b6e27e}

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 356933

    Key  : Timeline.Process.Start.DeltaSec
    Value: 2905

    Key  : WER.OS.Branch
    Value: vb_release

    Key  : WER.OS.Version
    Value: 10.0.19041.1

    Key  : WER.Process.Version
    Value: 4.11.5.0

NTGLOBALFLAG:  0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 00007ff6713c3b0f (Telegram!rlottie::Surface::height+0x0000000000a249bf)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000

FAULTING_THREAD:  00005528

PROCESS_NAME:  Telegram.exe

READ_ADDRESS:  0000000000000000 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  0000000000000000

EXCEPTION_PARAMETER2:  0000000000000000

STACK_TEXT:  
000000cf`78cfb070 00007ff6`713c6691     : 00000220`a3d19a20 000000cf`78cfb2b0 000000cf`78cfb1a0 000000cf`78cfb1a0 : Telegram!rlottie::Surface::height+0xa249bf
000000cf`78cfb0a0 00007ff6`713b8d2d     : 000000cf`78cfb2c0 00000220`8d05fde0 000000cf`78cfb2b0 fc000000`00000025 : Telegram!rlottie::Surface::height+0xa27541
000000cf`78cfb270 00007ff6`707204c6     : 00000220`a3b8b1b0 00000000`44000848 00000220`8d05fde0 000000cf`78cfb410 : Telegram!rlottie::Surface::height+0xa19bdd
000000cf`78cfb310 00007ff6`71af4793     : 00000220`83025880 00007ff8`00000000 00000220`654cc700 00000000`00000000 : Telegram!configureModelCacheSize+0xa8e46
000000cf`78cfb6b0 00007ff6`73fe2ae6     : 00000220`a7be8550 00000220`83025810 000000cf`78cfb7f0 00000220`8ce59ff0 : Telegram!rlottie::Surface::bytesPerLine+0x370b63
000000cf`78cfb6f0 00007ff6`73ae7bb5     : 00000220`f8135b90 00000220`f8169ab0 00000220`8ce59ff0 00000220`83025810 : Telegram!ANGLEResetDisplayPlatform+0xa190e6
000000cf`78cfb900 00007ff6`73ae6c53     : 00000000`0000002b 000000cf`78cfba30 00000220`f8169ab0 000000cf`78cfbae0 : Telegram!ANGLEResetDisplayPlatform+0x51e1b5
000000cf`78cfb930 00007ff6`70ddb5cc     : 00000000`00000000 000000cf`78cff5d0 000000cf`78cfbfa8 00000000`0000002b : Telegram!ANGLEResetDisplayPlatform+0x51d253
000000cf`78cfbeb0 00007ff6`70ddb6b4     : 00000220`f8134b50 00000220`8ce59ff0 00000220`83025810 00007ff8`cf210e64 : Telegram!rlottie::Surface::height+0x43c47c
000000cf`78cfbee0 00007ff6`73fee8cb     : 00000220`8ce59ff0 00000220`f8134b50 00000220`8ce59ff0 00000220`83025810 : Telegram!rlottie::Surface::height+0x43c564
000000cf`78cfbf30 00007ff6`73ff03c3     : 00000000`000003d7 00000000`00000000 00000220`8ce59ff0 00007ff8`cec7a5c3 : Telegram!ANGLEResetDisplayPlatform+0xa24ecb
000000cf`78cfbfa0 00007ff6`7436ddae     : 00000220`8ce59ff0 00000000`00000000 00000220`f815bbb0 00000220`f818e670 : Telegram!ANGLEResetDisplayPlatform+0xa269c3
000000cf`78cfc070 00007ff6`74112451     : 00000220`f815bbb0 000000cf`00000004 00000000`00000000 00000000`00000000 : Telegram!ANGLEResetDisplayPlatform+0xda43ae
000000cf`78cfc0a0 00007ff6`7436dd88     : 00000000`00000001 00000000`00000000 00000220`00000000 00000000`00000000 : Telegram!ANGLEResetDisplayPlatform+0xb48a51
000000cf`78cff1d0 00007ff6`740441fd     : 00000000`00000024 00007ff6`00000014 00000000`00000030 00000000`00000002 : Telegram!ANGLEResetDisplayPlatform+0xda4388
000000cf`78cff200 00007ff6`73fedb24     : 00000220`f8106038 00000220`f8134b50 000000cf`78cff3c0 00000000`00000000 : Telegram!ANGLEResetDisplayPlatform+0xa7a7fd
000000cf`78cff260 00007ff6`70dd71f1     : 00000000`00000020 00000000`00000020 000000cf`78cff5d0 00000220`f813a7a0 : Telegram!ANGLEResetDisplayPlatform+0xa24124
000000cf`78cff2c0 00007ff6`70dc3209     : 00007ff6`78ae5149 00007ff6`78b438d8 000000cf`78cff540 00000000`00000000 : Telegram!rlottie::Surface::height+0x4380a1
000000cf`78cff510 00007ff6`70dc0e97     : 00000220`f8146b60 00000220`f815cb70 00000220`f8146b60 00000220`f813b340 : Telegram!rlottie::Surface::height+0x4240b9
000000cf`78cff710 00007ff6`71d3ce0b     : 00000220`f8146b98 00000220`f8146b60 00000000`00000001 00000220`f8146b80 : Telegram!rlottie::Surface::height+0x421d47
000000cf`78cff820 00007ff6`74373567     : 00000000`00000000 00000220`f8134bd0 00000220`f8146b60 00000000`00000000 : Telegram!rlottie::Surface::bytesPerLine+0x5b91db
000000cf`78cff860 00007ff6`742e4cf2     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : Telegram!ANGLEResetDisplayPlatform+0xda9b67
000000cf`78cff8f0 00007ff8`cd747344     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : Telegram!ANGLEResetDisplayPlatform+0xd1b2f2
000000cf`78cff930 00007ff8`cf1c26b1     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
000000cf`78cff960 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21

STACK_COMMAND:  ~0s ; .cxr ; kb

SYMBOL_NAME:  Telegram+a249bf

MODULE_NAME: Telegram

IMAGE_NAME:  Telegram.exe

FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_Telegram.exe!Unknown

OS_VERSION:  10.0.19041.1

BUILDLAB_STR:  vb_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

IMAGE_VERSION:  4.11.5.0

FAILURE_ID_HASH:  {cf0285fb-9487-c4db-449a-316245b6e27e}

Followup:     MachineOwner
---------

The exception appears to be an access violation (c0000005) involving a null pointer read in the Telegram.exe process. The exception occurred at memory address 0000000000000000, indicating an attempt to read from a null pointer. Further analysis of the call stack and the specific function Telegram!rlottie::Surface::height+0x0000000000a249bf may be necessary to understand the root cause of the exception and identify potential fixes or mitigations by developers.

Expected behaviour

The application should render photos and then publish them in the newly created topic in the group.

Actual behaviour

The whole application will crash with a crafted PNG. It's important to address and remediate null pointer dereference vulnerability to prevent potential exploitation and improve the overall security posture of the telegram.

Operating system

Windows 10 x64

Version of Telegram Desktop

v4.11.5 x64 Desktop for Windows

Installation source

Static binary from official website

Crash ID

No response

Logs

No response

Aokromes commented 11 months ago

plz enable beta, restart telegram and send crash id on next start and post id here.

aiooord commented 11 months ago

Crash ID: 6b51b7f2-5233-49fd-849e-e2dc1d390961

john-preston commented 9 months ago

This crash, that you reported, was reproduced in that version with any other message as well, it was fixed here:

https://github.com/telegramdesktop/tdesktop/commit/a7090c5fbaf2d47216ab99f9bb0a3331ea2d6daf

It has nothing to do with the png image.

github-actions[bot] commented 9 months ago

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.