Message-Id: <201401240109.s0O19UJ1023767@sf01web2.securityfocus.com>
Date: Fri, 24 Jan 2014 01:09:30 GMT
From: cjlacayo@...il.com
To: bugtraq@...urityfocus.com
Subject: [CVE-2014-1664] GoToMeeting Information Disclosure via Logging
 Output (Android)

1. ADVISORY INFORMATION
========================
Title: GoToMeeting Information Disclosure via Logging Output (Android)
CVE: CVE-2014-1664
CVE Information: ASSIGNED
Date published: PUBLIC
Date of last update: 01/23/2014
Vendor Contacted: Citrix
Release mode: Coordinated Release

2. VULNERABILITY INFORMATION
=============================
Class:  Information Disclosure
Impact: CVSS Details specified below
Remotely Exploitable: No
Locally Exploitable:  Yes
CVE Name: [CVE-2014-1664] GoToMeeting Information Disclosure via Logging Output (Android)

3. VULNERABILITY DESCRIPTION
============================
The latest release of the software is vulnerable to information disclosure via logging output, resulting in the leak of userID, meeting details, and authentication tokens. Android applications with permissions to read system log files may obtain the leaked information.

4. VULNERABLE PACKAGES
======================
- com.citrixonline.android.gotomeeting-1.apk version 5.0.799.1238 (Android)

5. NON-VULNERABLE PACKAGES
==========================
- other platforms untested

6. CREDITS
===========
This vulnerability was discovered and researched by Claudio J. Lacayo.

7. TECHNICAL DESCRIPTION / PROOF OF CONCEPT CODE
=================================================
<! ----- SNIPPET ------- !>

D/G2M     (32190): HttpRequest to: https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
E/qcom_sensors_hal(  787): hal_process_report_ind: Bad item quality: 11 
D/dalvikvm(32190): GC_CONCURRENT freed 1322K, 43% free 20491K/35456K, paused 6ms+1ms, total 33ms
D/G2M     (32190): HttpRequest response from: GET https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED] -> 200
D/G2M     (32190): HttpRequest response body: GET https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED] -> {"Status":"Redirect","RedirectHost":"www1.gotomeeting.com","MeetingId":"[MEETING_ID_REDACTED]"}
D/G2M     (32190): Got 302 from legacy JSON API: www1.gotomeeting.com
D/G2M     (32190): HttpRequest to: https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]
D/G2M     (32190): HttpRequest response from: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> 200
D/G2M     (32190): HttpRequest response body: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> {"Status":"MeetingNotStarted","MeetingId":"[MEETING_ID_REDACTED]","IsRecurring":false,"Endpoints":["Native"],"OrganizerName":"[REDACTED]","Subject":"[REDACTED]","MaxAttendees":100,"IsWebinar":false,"AudioParameters":{"CommParams":{"disableUdp":false},"ConferenceParams":{"supportedModes":"VoIP,PSTN,Private","initialMode":"Hybrid","SpeakerInfo":{"PhoneInfo":[{"description":"Default","number":"[REDACTED],"authToken":"AAFe4rYexu4Dm7qrL45/Egx+AAAAAFLdeSkAAAAAUt7KqUbWYmXH3OcczkhGaWRf0wM2OKWa","accessCode":"REDACTED"},"userId":"userId","authToken":"EAEBAQEBAQEBAQEBAQEBAQE=","privateMessage":"","audioKey":-1,"BridgeMutingControl":true,"VCBParams":{"Codec":[{"payloadType":103,"frameLength":30,"name":"ISAC","bitrate":32000,"channels":1,"samplingRate":16000},{"payloadType":0,"frameLength":20,"name":"PCMU","bitrate":64000,"channels":1,"samplingRate":8000}],"VCB":{"port":5060,"ipAddr":"10.23.70.151"},"Options":{"asUpdates":true,"rtUpdates":true,"dtx":false}}}},"EndTime":1390239900000,"StartTime":1390237200000,"IsImpromptu":false}
D/G2M     (32190): Got response from legacy JSON API: 200
D/G2M     (32190): JoinService: Attempting to join Meeting
D/G2M     (32190): MeetingService: Starting Meeting join on legacy...
D/G2M     (32190): HttpRequest to: https://www.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
D/G2M     (32190): ServiceResolver: COLService: BaseURL [https://www1.gotomeeting.com], isLegacy [true}, isWebinar [false]
D/G2M     (32190): HttpRequest response from: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a -> 302
D/G2M     (32190): HttpRequest response body: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a -> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<! ----- SNIPPET ------- !>

8. CVSS 2.0 BASE METRICS
========================
CVSS Base Score:          5.4
Impact Subscore:          7.8
Exploitability Subscore:  3.4
CVSS Temporal Score:      5.1
CVSS Environmental Score: 6.6
Modified Impact Subscore: 10
Overall CVSS Score:       6.6

9. REPORT TIMELINE
==================
[1] 01/20/2014 - Vulnerability discovered, internal contact notified
[2] 01/21/2014 - Citrix security team notified via email
[3] 01/22/2014 - Citrix asked for testing environment details; provided.
[4] 01/23/2014 - CVE provided by CNA; public disclosure.

10. REFERENCES
=============
https://www.securecoding.cert.org/confluence/display/java/DRD04-J.+Do+not+log+sensitive+information
https://play.google.com/store/apps/details?id=com.nolanlawson.logcat&hl=en
https://drive.google.com/file/d/0B3eEtV83VTFUWEgxSTRac3JvZlk/edit?usp=sharing
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
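
ADDED EXAMPLE (not part of the original advisory, and not Citrix code)
A pre-release check for the leak shown in section 7: it parses logcat lines in the brief format seen there, flags lines from a given tag that carry sensitive field names, and masks the values so the report itself does not repeat them. The key list is taken from the excerpt above; the function names, the sample lines and the example.invalid host are constructed for illustration.

```python
import re

# logcat "brief" format as in section 7: PRIORITY/TAG (PID): message
LOGCAT = re.compile(r"^([VDIWEF])/(.*?)\s*\(\s*(\d+)\):\s(.*)$")

# Field names seen in the advisory's excerpt; extend for your own app.
KEYS = "authToken|accessCode|userId|MeetingID|MachineID"
JSON_FIELD = re.compile(r'"(%s)"\s*:\s*"[^"]*"' % KEYS, re.I)  # "key":"value"
QUERY_FIELD = re.compile(r"\b(%s)=[^&,\s]*" % KEYS, re.I)      # key=value


def redact(message):
    """Return (message with values masked, sorted lower-cased key names)."""
    found = set()

    def mask(fmt):
        def repl(m):
            found.add(m.group(1).lower())
            return fmt % m.group(1)
        return repl

    message = JSON_FIELD.sub(mask('"%s":"<redacted>"'), message)
    message = QUERY_FIELD.sub(mask("%s=<redacted>"), message)
    return message, sorted(found)


def audit(lines, tag=None):
    """List leaking lines as (line_no, tag, pid, keys, redacted_message)."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LOGCAT.match(line.rstrip("\n"))
        if not m or (tag and m.group(2) != tag):
            continue
        masked, keys = redact(m.group(4))
        if keys:
            findings.append((no, m.group(2), int(m.group(3)), keys, masked))
    return findings


# Constructed sample lines (hypothetical host and values, not from the advisory).
SAMPLE = [
    "D/G2M     (32190): HttpRequest to: https://app.example.invalid/meeting/getInfo?android=true&MeetingID=000000000",
    "E/qcom_sensors_hal(  787): hal_process_report_ind: Bad item quality: 11",
    'D/G2M     (32190): HttpRequest response body: {"Status":"MeetingNotStarted","userId":"u-1001","authToken":"Q09OU1RSVUNURUQ="}',
    "D/G2M     (32190): JoinService: Attempting to join Meeting",
]

if __name__ == "__main__":
    for no, tag, pid, keys, masked in audit(SAMPLE, tag="G2M"):
        print("line %d %s(%d) leaks %s: %s" % (no, tag, pid, ", ".join(keys), masked))
```

Identifiers embedded in the URL path (as in the getInfo/[MEETING_ID_REDACTED] requests above) and non-string JSON values are not matched by these two patterns. A finding here means the logging call should be removed from the release build, as DRD04-J recommends; masking is only for the audit report.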
