Title: Google Talk cleartext proxy credentials vulnerability
Risk: Low/Medium
Versions affected: <= 1.0.0.72
Credits: pagvac (Adrian Pastor)
Date found: 12th Oct, 2005
Homepage: www.ikwt.com (In Knowledge We Trust)
          www.adrianpv.com
E-mail: m123303 [ - a t - ] richmond.ac.uk

[Background]

Google Talk is a messenger client for Windows based on Jabber and can be downloaded from http://www.google.com/talk/

[Vulnerability Description]

Google Talk does a reasonable job of storing the Gmail login credentials in the Registry. These are the credentials needed to establish a connection to talk.google.com and are located under

HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[username]@gmail.com\pw

In this case the password appears to be encrypted (or at least obfuscated). It should also be noted that Google Talk stores the user settings under the correct hive (HKEY_CURRENT_USER rather than HKEY_LOCAL_MACHINE), so only the currently logged-on user has access to his/her Google Talk settings.

*However*, the developers behind Google Talk seem to have forgotten to apply any encryption or obfuscation when saving the credentials for the proxy connection. The proxy credentials (username and password) are stored as *cleartext* (human readable) in the Windows Registry, under

HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_user
HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_pass

[Feasibility of exploitation]

In order to exploit this vulnerability 3 requirements must be met:

1. The victim connects through a proxy when using Google Talk
2. Such proxy requires login credentials (username/password)
3. The attacker has compromised the account of the victim user (see PoC exploit for an example)

Note that the HKEY_CURRENT_USER hive only shields these values from other non-privileged users of the same machine: any code running under the victim's own account (including malware), and any administrator, can read them directly.

[Solution]

Do not use Google Talk behind a proxy which requires authentication, or wait until the vendor releases a patched version.
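The following audit script is an added example, not part of this advisory or of the PoC referenced below. It works offline on a .reg text export of the Google Talk settings (e.g. the output of `reg export "HKCU\Software\Google\Google Talk" gtalk.reg`, run as the user being audited), parses the keys and values, and reports whether auth_user/auth_pass under the Options key are present as plain REG_SZ strings while showing how each account's pw value is stored. The embedded export is constructed for the demo; the hex blob in its pw value is a placeholder and does not reproduce Google Talk's real encoding.

```python
"""
Offline audit of a Google Talk registry export for cleartext proxy credentials.

Added example, not code from the advisory or its PoC. The sample export
below is constructed; its 'pw' hex blob is a placeholder only.
"""
import re
from typing import Dict, List, Tuple

GTALK_ROOT = r"HKEY_CURRENT_USER\Software\Google\Google Talk"
OPTIONS_KEY = GTALK_ROOT + r"\Options"
ACCOUNTS_PREFIX = GTALK_ROOT + "\\Accounts\\"
PROXY_CRED_VALUES = ("auth_user", "auth_pass")   # the two values the advisory names

# Constructed sample: one account (obfuscated 'pw') plus proxy settings.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Google\Google Talk]

[HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\victim@gmail.com]
"pw"=hex:1f,8b,3a,9c,00,42,ef,11
"email"="victim@gmail.com"

[HKEY_CURRENT_USER\Software\Google\Google Talk\Options]
"auth_user"="CORP\\jdoe"
"auth_pass"="Winter2005!"
"proxy_host"="proxy.corp.example"
"proxy_port"=dword:00000bb8
"""

RegValue = Tuple[str, str]                 # (type, data): type is sz | hex | dword | other
RegTree = Dict[str, Dict[str, RegValue]]   # key path -> value name -> RegValue


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> RegTree:
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"=<"string"|hex:...|dword:...> lines. Other forms are kept as 'other'."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if current is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            tree[current][name] = ("sz", _unescape(data[1:-1]))
        elif data.startswith("hex"):
            tree[current][name] = ("hex", data.split(":", 1)[1])
        elif data.startswith("dword:"):
            tree[current][name] = ("dword", data[len("dword:"):])
        else:
            tree[current][name] = ("other", data)
    return tree


def find_cleartext_proxy_creds(tree: RegTree) -> List[Tuple[str, str]]:
    """Return (value_name, data) for auth_user/auth_pass stored as a non-empty
    REG_SZ under the Options key: exactly the cleartext storage described above."""
    options = tree.get(OPTIONS_KEY, {})
    return [(name, options[name][1]) for name in PROXY_CRED_VALUES
            if name in options and options[name][0] == "sz" and options[name][1]]


def account_pw_storage(tree: RegTree) -> Dict[str, str]:
    """Map each account subkey ([username]@gmail.com) to how its 'pw' value is
    stored: 'hex' is a binary blob (encrypted/obfuscated), 'sz' would be cleartext."""
    return {key[len(ACCOUNTS_PREFIX):]: vals["pw"][0]
            for key, vals in tree.items()
            if key.startswith(ACCOUNTS_PREFIX) and "pw" in vals}


def load_reg_file(path: str) -> str:
    """Version 5.00 exports are UTF-16LE with a BOM; older REGEDIT4 files are ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("cp1252")


if __name__ == "__main__":
    import sys
    text = load_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    tree = parse_reg_export(text)
    for account, how in account_pw_storage(tree).items():
        print(f"account {account}: pw stored as {how}")
    for name, data in find_cleartext_proxy_creds(tree):
        shown = data if name == "auth_user" else "*" * len(data)   # never echo the password
        print(f"CLEARTEXT {OPTIONS_KEY}\\{name} = {shown}")
```

The report deliberately masks auth_pass; the point of the check is to confirm the weakness is present on a machine, not to move the credential into yet another log file.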
[PoC]

Advisory along with fully working PoC exploit code available at www.ikwt.com

Regards,
pagvac (Adrian Pastor)
Earth, SOLAR SYSTEM

[EOF]