Title: Google Talk cleartext proxy credentials vulnerability
Risk: Low/Medium
Versions affected: <= 1.0.0.72
Credits: pagvac (Adrian Pastor)
Date found: 12th Oct, 2005
Homepage: www.ikwt.com (In Knowledge We Trust)
www.adrianpv.com
E-mail: m123303 [ - a t - ] richmond.ac.uk
[Background]
Google Talk is a messenger client for Windows based on Jabber and can be downloaded from http://www.google.com/talk/
[Vulnerability Description]
Google Talk seems to do a good job at storing the Gmail login credentials in the Registry. These are the
credentials needed to establish a connection to talk.google.com and are located under
HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[username]@gmail.com\pw
In this case the password seems to be encrypted (or at least obfuscated). It should also be noted that Google Talk
stores the user settings under the correct hive (HKEY_CURRENT_USER rather than HKEY_LOCAL_MACHINE).
That way only the currently logged-in user will have access to his/her Google Talk settings.
*However*, the developers behind Google Talk seem to have forgotten to use any mechanism of encryption/obfuscation
when it comes to saving the credentials for the proxy connection. In this case, all user credentials (username
and password) are stored as *cleartext* (human readable) in the Windows Registry.
Such credentials are located under
HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_user
HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_pass
[Feasibility of exploitation]
In order to exploit this vulnerability 3 requirements must be met:
1. The victim connects through a proxy when using Google Talk
2. Such proxy requires login credentials (username/password)
3. The attacker has compromised the account of the victim user
(see PoC exploit for an example)
[Solution]
Do not use Google Talk behind a proxy which requires authentication,
or wait until the vendor releases a patched version.
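The following PowerShell script is an added example for administrators and is not part of the advisory or of Google Talk. It audits the two Options values named above to tell whether a cleartext proxy password is present on the current user's profile, and shows what protected storage under HKEY_CURRENT_USER looks like by re-writing the value with DPAPI (user-scoped) before removing the cleartext copy. The -Remediate switch and the auth_pass_dpapi value name are assumptions of this example; Google Talk does not read the protected value, so the remediation only makes sense together with the workaround in the Solution section.

```powershell
# Added example, not advisory code. Audits the Google Talk proxy credential
# values described in the advisory and optionally removes the cleartext copy.
param([switch]$Remediate)

Add-Type -AssemblyName System.Security

# Registry key from the advisory (HKCU hive, so only this user's profile is checked)
$optionsKey = 'HKCU:\Software\Google\Google Talk\Options'

function Test-GoogleTalkProxyCreds {
    if (-not (Test-Path $optionsKey)) {
        return [pscustomobject]@{ Present = $false; User = $null; CleartextPassword = $false }
    }
    $props = Get-ItemProperty -Path $optionsKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Present           = -not [string]::IsNullOrEmpty($props.auth_user)
        User              = $props.auth_user
        # The advisory's finding: auth_pass holds the proxy password as cleartext
        CleartextPassword = -not [string]::IsNullOrEmpty($props.auth_pass)
    }
}

function Protect-WithDpapi([string]$Plain) {
    # DataProtectionScope.CurrentUser ties the blob to this Windows account; another
    # user reading the value (e.g. from an offline copy of NTUSER.DAT) cannot unprotect it.
    $bytes = [Text.Encoding]::UTF8.GetBytes($Plain)
    $blob  = [Security.Cryptography.ProtectedData]::Protect(
        $bytes, $null, [Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Convert]::ToBase64String($blob)
}

$result = Test-GoogleTalkProxyCreds
$result | Format-List

if ($result.CleartextPassword) {
    Write-Warning "Proxy password for '$($result.User)' is stored in cleartext under $optionsKey"
    if ($Remediate) {
        $plain = (Get-ItemProperty -Path $optionsKey).auth_pass
        # Hypothetical protected value name; illustrates what the client should have written
        Set-ItemProperty -Path $optionsKey -Name 'auth_pass_dpapi' -Value (Protect-WithDpapi $plain)
        Remove-ItemProperty -Path $optionsKey -Name 'auth_pass'
        Write-Output "Removed cleartext auth_pass; DPAPI-protected copy written to auth_pass_dpapi"
    }
}
```

Run it without switches to audit (`.\Check-GTalkProxy.ps1`); add `-Remediate` to strip the cleartext value. The audit never prints the password itself, only whether one is present, so its output can be collected centrally without re-exposing the secret.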
[PoC]
Advisory along with fully working PoC exploit code available at www.ikwt.com
Regards,
pagvac (Adrian Pastor)
Earth, SOLAR SYSTEM
[EOF]