Telegram rlottie 6.1.1_1946 is affected by a Type Confusion in the LOTCompLayerItem::LOTCompLayerItem function: a remote attacker might be able to access heap memory out-of-bounds on a victim device. Note: we’ll walk through the android app sources, but the issue applies to iOS and macOS Telegram apps too.
“Telegram is a cloud-based mobile and desktop messaging app with a focus on security and speed.”. For more information visit https://telegram.org/.
Telegram uses a custom fork of rlottie to render animated stickers. The bug is a type confusion in LOTCompLayerItem::LOTCompLayerItem (starting at https://github.com/DrKLO/Telegram/blob/release-6.1.1_1946/TMessagesProj/jni/rlottie/src/lottie/lottieitem.cpp#L533 ): an object of an unverified type, e.g. <LOTRepeaterData *>, is subject to a static_cast to the type <LOTLayerData *>, resulting in an out-of-bounds memory access.
A static cast to <LOTLayerData *> is performed without any type check, e.g. against an <LOTRepeaterData *> which does not share the LOTGroupData “parent” and hence accessess out-of-bounds memory once it is used in https://github.com/DrKLO/Telegram/blob/release-6.1.1_1946/TMessagesProj/jni/rlottie/src/lottie/lottieitem.cpp#L813.
The classes hierarchy shows that while those objects are both children of LOTData, they do not share LOTGroupData:
LOTData
|--- LOTGroupdata
| |--- LOTShapeGroupData
| |--- LOTLayerData
|
|--- LOTRepeaterData
A blogpost will be published soon on our blog with a PoC walkthrough and further details.
A remote attacker might be able to access Telegram’s heap memory out-of-bounds on a victim device.
Upgrade to Telegram 6.2.0 (1984) or later.
`polict` of Shielder
This advisory was first published on https://www.shielder.com/advisories/telegram-rlottie-lotcomplayeritem-lotcomplayeritem-type-confusion/
Date
16 February 2021