
Why Telegram disputes the discovery of an RCE, Remote Code Execution, flaw


RCE (Remote Code Execution) vulnerabilities are security flaws that allow an attacker to execute arbitrary code on a remote system without authentication or authorization. They are extremely dangerous because they let attackers take complete control of the vulnerable system and perform any operation, such as installing malware, stealing sensitive data, manipulating the system, or corrupting data.

In recent days, the discovery of an alleged RCE flaw in Telegram Desktop, the version of the popular instant messaging client that runs on Windows systems, has caused a stir. Researchers reported to Telegram that the application could be exploited to execute arbitrary code through a Python installation possibly present on the same Windows machine.

As the short video shows, by clicking on the thumbnail of an attachment received in Telegram Desktop, the application in this case launches the Windows calculator.

Telegram: it is not an RCE flaw but the problem is now fixed

The first reaction from Telegram developers was scathing: the company claimed that the alleged security problem was absolutely not attributable to an RCE flaw. Let's look in more detail at the position of the technicians of the company founded by Pavel Durov, noting however that in the meantime Telegram Desktop has already received a fix.

The crux of the problem is that Telegram maintains a list of potentially dangerous extensions. When the user tries to open a file whose extension is in that list, Telegram Desktop shows a warning about the possible danger of the file.

Researchers found that Telegram made a typo in the case of .pyzw files: compressed archives that contain a self-contained Python script ready to be executed.

In fact, the list drawn up by Telegram contains the extension .pywz rather than .pyzw. This simple oversight meant that Telegram Desktop handed the Python file to the user's system without showing any security warning.

How did Telegram solve the problem and what is the real impact

Telegram first wanted to point out that the incident in question could affect, in the worst case, at most 0.01% of users, i.e. those who have Python installed on a Windows system together with a vulnerable version of the desktop client.

Setting aside the question of how Telegram can establish with certainty the software configuration of users' client machines (and therefore hold accurate statistics on who has or has not installed Python…), the problem actually appears rather small compared to how it was initially presented.

To correct the anomalous handling of .pyzw files, Telegram has not only added the extension to the list of those to block but has also implemented a server-side mechanism that appends the .untrusted extension to these items.

This latter fix ensures that the user is always asked which application to open the file with, rather than leaving the decision to the underlying operating system.
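The two mechanisms described above (the typo'd extension blocklist and the server-side .untrusted renaming) can be modelled in a few lines. This is an added illustration, not Telegram's own code; both blocklists below are constructed excerpts and do not reproduce Telegram's actual list.

```python
import os

# Constructed excerpts of a "dangerous extensions" list (not Telegram's real list).
# The first reproduces the typo the article describes: ".pywz" instead of ".pyzw".
BLOCKLIST_WITH_TYPO = {".exe", ".bat", ".cmd", ".py", ".pyw", ".pywz"}
BLOCKLIST_FIXED = {".exe", ".bat", ".cmd", ".py", ".pyw", ".pyzw"}


def extension_of(filename: str) -> str:
    """Return the final extension, lower-cased, so 'Report.PyZW' still matches '.pyzw'."""
    return os.path.splitext(filename)[1].lower()


def needs_warning(filename: str, blocklist: set) -> bool:
    """Client-side check: should the desktop client warn before opening this file?"""
    return extension_of(filename) in blocklist


def quarantine_name(filename: str, blocklist: set) -> str:
    """Server-side fix from the article: append '.untrusted' to blocked files.

    A '.untrusted' file has no registered handler, so the operating system
    cannot silently pass it to an interpreter; the user has to pick an
    application explicitly.
    """
    if needs_warning(filename, blocklist):
        return filename + ".untrusted"
    return filename


def missing_from_blocklist(expected: set, blocklist: set) -> set:
    """Audit helper: which extensions you intended to block are absent?

    Run against a list of extensions the platform's interpreters actually
    register; a typo such as '.pywz' shows up here as a missing '.pyzw'.
    """
    return {ext for ext in expected if ext not in blocklist}


if __name__ == "__main__":
    sample = "invoice.pyzw"  # constructed attachment name
    print(sample, "warned (typo list):", needs_warning(sample, BLOCKLIST_WITH_TYPO))
    print(sample, "warned (fixed list):", needs_warning(sample, BLOCKLIST_FIXED))
    print("served as:", quarantine_name(sample, BLOCKLIST_FIXED))
    print("gaps in typo list:", missing_from_blocklist({".py", ".pyw", ".pyzw"}, BLOCKLIST_WITH_TYPO))
```

The audit helper is the check a defender would want: diff the blocklist against the extensions an installed interpreter registers, rather than trusting that a hand-typed list is complete.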
