FlatL1neAPT · October 28, 2018 11:04
diff --git a/CVE-2018-15543.txt b/CVE-2018-15543.txt
 > [Description]
 > ** DISPUTED ** An issue was discovered in the org.telegram.messenger
 > application 4.8.11 for Android. The FingerprintManager class for
 > Biometric validation allows authentication bypass through the callback
 > method from onAuthenticationFailed to onAuthenticationSucceeded with
 > null, because the fingerprint API in conjunction with the
 > Android keyGenerator class is not implemented. In other words, an
 > attacker could authenticate with an arbitrary fingerprint. NOTE: the
 > vendor indicates that this is not an attack of interest within the
 > context of their threat model, which excludes Android devices on which
 > rooting has occurred.
 >
 > ------------------------------------------
 >
 > [Additional Information]
 > Exploitation Narrative for bypass local authentication on Fingerprint
 >
 > 1. De-compiling process was used to determine application logic
 > through source code. Without code obfuscation implementation, we could
 > analyse the logic of Fingerprint authentication on "PasscodeView"
 > class.
 > 2. We notice that the fingerprint method is implemented through FingerprintManager class.
 > 3. Frida script was created to override the authentication method by setting the onAuthenticationSucceeded to "null".
 >
 > POC: https://www.dropbox.com/s/gtlkewl2r1w11zz/Telegram_Bypass_Fingerprint.mp4?dl=0
 >
 > Recommendation
 > * Using fingerprint API in conjunction with the Android keyGenerator class.
 >
 > ------------------------------------------
 >
 > [VulnerabilityType Other]
 > OWASP Mobile Top 10 2016:M1-Improper Platform Usage, CWE-287 - Improper Authentication
 >
 > ------------------------------------------
 >
 > [Vendor of Product]
 > Telegram
 >
 > ------------------------------------------
 >
 > [Affected Product Code Base]
 > org.telegram.messenger (Android: Google Play Store) - 4.8.11
 >
 > ------------------------------------------
 >
 > [Affected Component]
 > Bio-metric(Fingerprint) authentication
 >
 > ------------------------------------------
 >
 > [Attack Type]
 > Context-dependent
 >
 > ------------------------------------------
 >
 > [Impact Information Disclosure]
 > true
 >
 > ------------------------------------------
 >
 > [CVE Impact Other]
 > Authentication Bypass
 >
 > ------------------------------------------
 >
 > [Attack Vectors]
 > An attacker who is able to access on rooted Android device, could
 > perform runtime manipulation on Bio-metric authentication which allow
 > attacker to force the successful authentication by invoking the
 > onAuthenticationSucceeded method with "Null" value. A malicious
 > application which may evade Google Play Store detection, could attack
 > the application on rooted device by hooking into Bio-metric mechanism
 > in order to bypass authentication process.
 >
 > ------------------------------------------
 >
 > [Has vendor confirmed or acknowledged the vulnerability?]
 > true
 >
 > ------------------------------------------
 >
 > [Discoverer]
 > Boonpoj Thongakaraniroj, Prathan Phongthiproek
 >
 > ------------------------------------------
 >
 > [Reference]
 > https://telegram.org
	> [Description]
	> DISPUTED An issue was discovered in the org.telegram.messenger
	> application 4.8.11 for Android. The FingerprintManager class for
	> Biometric validation allows authentication bypass through the callback
	> method from onAuthenticationFailed to onAuthenticationSucceeded with
	> null, because the fingerprint API in conjunction with the
	> Android keyGenerator class is not implemented. In other words, an
	> attacker could authenticate with an arbitrary fingerprint. NOTE: the
	> vendor indicates that this is not an attack of interest within the
	> context of their threat model, which excludes Android devices on which
	> rooting has occurred.
	>
	> ------------------------------------------
	>
	> [Additional Information]
	> Exploitation Narrative for bypass local authentication on Fingerprint
	>
	> 1. De-compiling process was used to determine application logic
	> through source code. Without code obfuscation implementation, we could
	> analyse the logic of Fingerprint authentication on "PasscodeView"
	> class.
	> 2. We notice that the fingerprint method is implemented through FingerprintManager class.
	> 3. Frida script was created to override the authentication method by setting the onAuthenticationSucceeded to "null".
	>
	> POC: https://www.dropbox.com/s/gtlkewl2r1w11zz/Telegram_Bypass_Fingerprint.mp4?dl=0
	>
	> Recommendation
	> * Using fingerprint API in conjunction with the Android keyGenerator class.
	>
	> ------------------------------------------
	>
	> [VulnerabilityType Other]
	> OWASP Mobile Top 10 2016:M1-Improper Platform Usage, CWE-287 - Improper Authentication
	>
	> ------------------------------------------
	>
	> [Vendor of Product]
	> Telegram
	>
	> ------------------------------------------
	>
	> [Affected Product Code Base]
	> org.telegram.messenger (Android: Google Play Store) - 4.8.11
	>
	> ------------------------------------------
	>
	> [Affected Component]
	> Bio-metric(Fingerprint) authentication
	>
	> ------------------------------------------
	>
	> [Attack Type]
	> Context-dependent
	>
	> ------------------------------------------
	>
	> [Impact Information Disclosure]
	> true
	>
	> ------------------------------------------
	>
	> [CVE Impact Other]
	> Authentication Bypass
	>
	> ------------------------------------------
	>
	> [Attack Vectors]
	> An attacker who is able to access on rooted Android device, could
	> perform runtime manipulation on Bio-metric authentication which allow
	> attacker to force the successful authentication by invoking the
	> onAuthenticationSucceeded method with "Null" value. A malicious
	> application which may evade Google Play Store detection, could attack
	> the application on rooted device by hooking into Bio-metric mechanism
	> in order to bypass authentication process.
	>
	> ------------------------------------------
	>
	> [Has vendor confirmed or acknowledged the vulnerability?]
	> true
	>
	> ------------------------------------------
	>
	> [Discoverer]
	> Boonpoj Thongakaraniroj, Prathan Phongthiproek
	>
	> ------------------------------------------
	>
	> [Reference]
	> https://telegram.org