Title: Google Talk cleartext proxy credentials vulnerability
Risk: Low/Medium
Versions affected: <= 1.0.0.72
Credits: pagvac (Adrian Pastor)
Date found: 12th Oct, 2005
Homepage: www.ikwt.com (In Knowledge We Trust)
www.adrianpv.com
E-mail: m123303 [ - a t - ] richmond.ac.uk
[Background]
Google Talk is a messenger client for Windows based on Jabber and can be
downloaded from http://www.google.com/talk/
[Vulnerability Description]
Google Talk seems to do a good job of storing the Gmail login credentials in
the Registry. These are the credentials needed to establish a connection to
talk.google.com and are located under
HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[username]@gmail.com\pw
In this case the password seems to be encrypted (or at least obfuscated). It
should also be noted that Google Talk stores the user settings under the
correct hive (HKEY_CURRENT_USER rather than HKEY_LOCAL_MACHINE). That way only
the currently logged-on user will have access to his/her Google Talk settings.
*However*, the developers behind Google Talk seem to have forgotten to use any
mechanism of encryption/obfuscation when it comes to saving the credentials
for the proxy connection. In this case, all user credentials (username and
password) are stored as *cleartext* (human readable) in the Windows Registry.
Such credentials are located under
HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_user
HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_pass
[Feasibility of exploitation]
In order to exploit this vulnerability 3 requirements must be met:
1. The victim connects through a proxy when using Google Talk
2. Such proxy requires login credentials (username/password)
3. The attacker has compromised the account of the victim user
(see PoC exploit for an example)
[Solution]
Do not use Google Talk behind a proxy which requires authentication,
or wait until the vendor releases a patched version.
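To check whether a user profile is affected, the following PowerShell script
(an added example, not part of the original advisory or its PoC) looks for the
two Options values named above and reports whether they are set, without
printing the password. The -Remove switch is a hypothetical convenience;
whether Google Talk rewrites the values on its next launch is an assumption
this advisory does not cover.

```powershell
# Added example: audit the current user's hive for the cleartext proxy
# credentials described in this advisory. Only presence and length are
# reported; the stored password is never written to output.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch: delete the stored values after reporting them.
    [switch]$Remove
)

$key   = 'HKCU:\Software\Google\Google Talk\Options'
$names = 'auth_user', 'auth_pass'

if (-not (Test-Path -LiteralPath $key)) {
    Write-Output "Key not present: $key"
    return
}

$props = Get-ItemProperty -LiteralPath $key
foreach ($name in $names) {
    # A missing value comes back as $null.
    $value = $props.$name
    if ([string]::IsNullOrEmpty($value)) {
        Write-Output "$name : not set"
        continue
    }

    Write-Output "$name : SET, $($value.Length) characters stored as cleartext"

    # -Remove honours -WhatIf / -Confirm through ShouldProcess.
    if ($Remove -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove registry value')) {
        Remove-ItemProperty -LiteralPath $key -Name $name
    }
}
```

Run it as the user whose profile is being checked, since the values live under
HKEY_CURRENT_USER.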
[PoC]
Advisory along with fully working PoC exploit code available at www.ikwt.com
Regards,
pagvac (Adrian Pastor)
Earth, SOLAR SYSTEM
[EOF]