Message-ID: <20051014110655.3795.qmail@securityfocus.com>
Date: 14 Oct 2005 11:06:55 -0000
From: m123303@...hmond.ac.uk
To: bugtraq@...urityfocus.com
Subject: Google Talk cleartext proxy credentials vulnerability


Title: 			Google Talk cleartext proxy credentials vulnerability
Risk: 			Low/Medium
Versions affected:	<= 1.0.0.72
Credits:		pagvac (Adrian Pastor)
Date found:		12th Oct, 2005
Homepage:		www.ikwt.com (In Knowledge We Trust)	
			www.adrianpv.com
E-mail:			m123303 [ - a t - ] richmond.ac.uk


[Background]

Google Talk is a messenger client for Windows based on Jabber and can be downloaded from http://www.google.com/talk/ 



[Vulnerability Description]

Google Talk seems to do a good job at storing the Gmail login credentials in the Registry. These are the
credentials needed to establish a connection to talk.google.com and are located under

HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[username]@gmail.com\pw

In this case the password seems to be encrypted (or at least obfuscated). It should also be noted that Google Talk
stores the user settings under the correct hive (HKEY_CURRENT_USER rather than HKEY_LOCAL_MACHINE).
That way only the currently logged-in user will have access to his/her Google Talk settings.

*However*, the developers behind Google Talk seem to have forgotten to use any mechanism of encryption/obfuscation
when it comes to saving the credentials for the proxy connection. In this case, all user credentials (username
and password) are stored as *cleartext* (human readable) in the Windows Registry.

Such credentials are located under

HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_user
HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_pass



[Feasibility of exploitation]

In order to exploit this vulnerability 3 requirements must be met:

1. The victim connects through a proxy when using Google Talk
2. Such proxy requires login credentials (username/password)
3. The attacker has compromised the account of the victim user
   (see PoC exploit for an example)



[Solution]

Do not use Google Talk behind a proxy which requires authentication
or wait until vendor releases a patched version.



[PoC]
Advisory along with fully working PoC exploit code available at www.ikwt.com



Regards,

pagvac (Adrian Pastor)
Earth, SOLAR SYSTEM

[EOF]
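
A defensive check for the two registry values named in the advisory, added here as an example and not part of the original advisory or its PoC: it reports whether `auth_user` and `auth_pass` are set without ever printing them. The function name and the `-Remove` switch are illustrative, and removing the values assumes the user can re-enter the proxy credentials when needed.

```powershell
# Added example: audits the registry values named in the advisory.
# Reports only whether each value is set; the password is never output.
function Test-GoogleTalkProxyCredential {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Key from the advisory; pass another path to audit a loaded user hive.
        [string]$OptionsPath = 'HKCU:\Software\Google\Google Talk\Options',
        # Delete the stored values (assumption: the user can re-enter them).
        [switch]$Remove
    )

    $report = [ordered]@{
        Path       = $OptionsPath
        KeyPresent = $false
        auth_user  = $false
        auth_pass  = $false
    }
    if (-not (Test-Path -LiteralPath $OptionsPath)) {
        return [pscustomobject]$report
    }
    $report.KeyPresent = $true

    # Get-ItemProperty returns $null when the key exists but holds no values.
    $item = Get-ItemProperty -LiteralPath $OptionsPath
    foreach ($name in 'auth_user', 'auth_pass') {
        $p = if ($item) { $item.PSObject.Properties[$name] }
        # A missing or empty value counts as "not stored".
        $report[$name] = ($null -ne $p) -and
            -not [string]::IsNullOrEmpty([string]$p.Value)
        if ($report[$name] -and $Remove -and
            $PSCmdlet.ShouldProcess("$OptionsPath\$name", 'Remove stored proxy credential')) {
            Remove-ItemProperty -LiteralPath $OptionsPath -Name $name
        }
    }
    [pscustomobject]$report
}

$result = Test-GoogleTalkProxyCredential
$result | Format-List
if ($result.auth_pass) {
    Write-Warning 'A proxy password is stored in the registry; the advisory reports it is kept in cleartext.'
}
```

Run with `-Remove -WhatIf` first to see which values would be deleted before changing anything.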

