Google Talk cleartext proxy credentials vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Google Talk cleartext proxy credentials vulnerability
From: m123303@xxxxxxxxxxxxxx
Date: 14 Oct 2005 11:06:55 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Title:                  Google Talk cleartext proxy credentials vulnerability
Risk:                   Low/Medium
Versions affected:      <= 1.0.0.72
Credits:                pagvac (Adrian Pastor)
Date found:             12th Oct, 2005
Homepage:               www.ikwt.com (In Knowledge We Trust)    
                        www.adrianpv.com
E-mail:                 m123303 [ - a t - ] richmond.ac.uk


[Background]

Google Talk is a messenger client for Windows based on Jabber and can be 
downloaded from http://www.google.com/talk/ 



[Vulnerability Description]

Google Talk seems to do a good job at storing the gmail login credentials in 
the Registry. These are the
credentials needed to establish a connection to talk.google.com and are located 
under

HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[username]@gmail.com\pw

In this case the password seems to be encrypted (or at least obsfucated). It 
should also be noted that Google Talk 
stores the user settings under the correct hive (HKEY_CURRENT_USER rather than 
HKEY_LOCAL_MACHINE).
That way only the currently logged user will have access to his/her Google Talk 
settings.

*However*, the developers behind Google Talk seem to have forgotten to use any 
mechanism of encryption/obsfucation
when it comes to saving the credentials for the proxy connection. In this case, 
all user credentials (username
and password) are stored as *cleartext* (human readable) in the Windows 
Registry.

Such credentials are located under

HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_user
HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_pass



[Feasibility of exploitation]

In order to exploit this vulnerability 3 requirements must be met:

1. The victim connects through a proxy when using Google Talk
2. Such proxy requires login credentials (username/password)
3. The attacker has compromised the account of the victim user
   (see PoC exploit for an example)



[Solution]

Do not use Google Talk behind a proxy which requires authentication
or wait until vendor releases a patched version.



[PoC]
Advisory along with fully working PoC exploit code available at www.ikwt.com



Regards,

pagvac (Adrian Pastor)
Earth, SOLAR SYSTEM

[EOF]

Follow-Ups:
- Re: Google Talk cleartext proxy credentials vulnerability
  - From: 3APA3A

Prev by Date: RTasarim WebAdmin modul SQL injection
Next by Date: Re: Antivirus detection bypass by special crafted archive.
Previous by thread: RTasarim WebAdmin modul SQL injection
Next by thread: Re: Google Talk cleartext proxy credentials vulnerability
Index(es):
- Date
- Thread