BugTraq
[CVE-2014-1664] GoToMeeting Information Disclosure via Logging Output (Android) Jan 24 2014 01:09AM
cjlacayo gmail com
1. ADVISORY INFORMATION
========================
Title: GoToMeeting Information Disclosure via Logging Output (Android)
CVE: CVE-2014-1664
CVE Information: ASSIGNED
Date published: PUBLIC
Date of last update: 01/23/2014
Vendor Contacted: Citrix
Release mode: Coordinated Release

2. VULNERABILITY INFORMATION
=============================
Class: Information Disclosure
Impact: CVSS Details specified below
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: [CVE-2014-1664] GoToMeeting Information Disclosure via Logging Output (Android)

3. VULNERABILITY DESCRIPTION
============================
The latest release of the software is vulnerable to information disclosure via logging output, resulting in the leak of userID, meeting details, and authentication tokens. Android applications with permissions to read system log files may obtain the leaked information.

4. VULNERABLE PACKAGES
======================
- com.citrixonline.android.gotomeeting-1.apk version 5.0.799.1238 (Android)

5. NON-VULNERABLE PACKAGES
==========================
- other platforms untested

6. CREDITS
===========
This vulnerability was discovered and researched by Claudio J. Lacayo.

7. TECHNICAL DESCRIPTION / PROOF OF CONCEPT CODE
=================================================
<! ----- SNIPPET ------- !>

D/G2M (32190): HttpRequest to: https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Porta
l=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
E/qcom_sensors_hal( 787): hal_process_report_ind: Bad item quality: 11
D/dalvikvm(32190): GC_CONCURRENT freed 1322K, 43% free 20491K/35456K, paused 6ms+1ms, total 33ms
D/G2M (32190): HttpRequest response from: GET https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Porta
l=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED] -> 200
D/G2M (32190): HttpRequest response body: GET https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Porta
l=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED] -> {"Status":"Redirect","RedirectHost":"www1.gotomeeting.com","MeetingId":"
[MEETING_ID_REDACTED]"}
D/G2M (32190): Got 302 from legacy JSON API: www1.gotomeeting.com
D/G2M (32190): HttpRequest to: https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?andro
id=true&MeetingID=[MEETING_ID_REDACTED]
D/G2M (32190): HttpRequest response from: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?andro
id=true&MeetingID=[MEETING_ID_REDACTED] -> 200
D/G2M (32190): HttpRequest response body: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?andro
id=true&MeetingID=[MEETING_ID_REDACTED] -> {"Status":"MeetingNotStarted","MeetingId":"[MEETING_ID_REDACTED]","IsRec
urring":false,"Endpoints":["Native"],"OrganizerName":"[REDACTED]","Subje
ct":"[REDACTED]","MaxAttendees":100,"IsWebinar":false,"AudioParameters":
{"CommParams":{"disableUdp":false},"ConferenceParams":{"supportedModes":
"VoIP,PSTN,Private","initialMode":"Hybrid","SpeakerInfo":{"PhoneInfo":[{
"description":"Default","number":"[REDACTED],"authToken":"AAFe4rYexu4Dm7
qrL45/Egx+AAAAAFLdeSkAAAAAUt7KqUbWYmXH3OcczkhGaWRf0wM2OKWa","accessCode"
:"REDACTED"},"userId":"userId","authToken":"EAEBAQEBAQEBAQEBAQEBAQE=","p
rivateMessage":"","audioKey":-1,"BridgeMutingControl":true,"VCBParams":{
"Codec":[{"payloadType":103,"frameLength":30,"name":"ISAC","bitrate":320
00,"channels":1,"samplingRate":16000},{"payloadType":0,"frameLength":20,
"name":"PCMU","bitrate":64000,"ch
annels":1,"samplingRate":8000}],"VCB":{"port":5060,"ipAddr":"10.23.70.15
1"},"Options":{"asUpdates":true,"rtUpdates":true,"dtx":false}}}},"EndTim
e":1390239900000,"StartTime":1390237200000,"IsImpromptu":false}
D/G2M (32190): Got response from legacy JSON API: 200
D/G2M (32190): JoinService: Attempting to join Meeting
D/G2M (32190): MeetingService: Starting Meeting join on legacy...
D/G2M (32190): HttpRequest to: https://www.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?androi
d=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRU
VwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=goo
gle,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVer
sionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,Cp
uABI=armeabi-v7a
D/G2M (32190): ServiceResolver: COLService: BaseURL [https://www1.gotomeeting.com], isLegacy [true}, isWebinar [false]
D/G2M (32190): HttpRequest response from: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Porta
l=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&Phone
Info=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,Buil
dType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVer
sionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=ham
merhead,Device=hammerhead,CpuABI=armeabi-v7a -> 302
D/G2M (32190): HttpRequest response body: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Porta
l=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&Phone
Info=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,Buil
dType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVer
sionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=ham
merhead,Device=hammerhead,CpuABI=armeabi-v7a -> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<! ----- SNIPPET ------- !>

8. CVSS 2.0 BASE METRICS
========================
Reference Base Vector Base Score
CVSS Base Score
5.4
Impact Subscore
7.8
Exploitability Subscore
3.4
CVSS Temporal Score
5.1
CVSS Environmental Score
6.6
Modified Impact Subscore
10
Overall CVSS Score
6.6

9. REPORT TIMELINE
==================
[1] 01/20/2014 - Vulnerability discovered, internal contact notified
[2] 01/21/2014 - Citrix security team notified via email
[3] 01/22/2014 - Citrix asked for testing environment details; provided.
[4] 01/23/2014 - CVE provided by CNA; public disclosure.

10. REFERENCES
=============
https://www.securecoding.cert.org/confluence/display/java/DRD04-J.+Do+no
t+log+sensitive+information
https://play.google.com/store/apps/details?id=com.nolanlawson.logcat&hl=
en
https://drive.google.com/file/d/0B3eEtV83VTFUWEgxSTRac3JvZlk/edit?usp=sh
aring
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus