EvilOctal Security Team Technical Discussion Group's Archiver

EvilOctal 2005-10-16 17:24

[Repost] Google Talk cleartext proxy authentication vulnerability and detection method

Article author: pagvac (Adrian Pastor)

Google Talk is a messenger client for Windows based on Jabber (XMPP) and can be downloaded from http://www.google.com/talk/

[Vulnerability Description]

Google Talk seems to do a good job of storing the Gmail login credentials in the Registry. These are the
credentials needed to establish a connection to talk.google.com and are located under

HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[username]@gmail.com\pw

In this case the password appears to be encrypted (or at least obfuscated). It should also be noted that Google Talk
stores the user settings under the correct hive (HKEY_CURRENT_USER rather than HKEY_LOCAL_MACHINE).
That way only the currently logged-in user has access to his/her Google Talk settings (plus anyone running with
administrative or SYSTEM privileges, who can read every user's hive, or who obtains a copy of the user's NTUSER.DAT).

*However*, the developers behind Google Talk seem to have forgotten to use any mechanism of encryption/obfuscation
when it comes to saving the credentials for the proxy connection. In this case, all proxy credentials (username
and password) are stored as *cleartext* (human readable, REG_SZ) in the Windows Registry.

Such credentials are located under

HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_user
HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_pass
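The simplest check on a live machine is to open the two values above in regedit, or to run
reg query "HKCU\Software\Google\Google Talk\Options" /v auth_pass, and see whether a readable string comes back.
For an offline check (an exported .reg file, or a hive pulled from a forensic image and exported) the following
added example, which is not part of the original advisory or of Google's code, parses the .reg text format and
flags any Google Talk proxy credential stored as a plain string. The value names auth_user, auth_pass and pw come
from the advisory; the sample export, the usernames, the password and the hex blob are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of what `reg export "HKCU\Software\Google\Google Talk" gtalk.reg`
# might produce (the real file is UTF-16LE; read it with encoding="utf-16" before parsing).
# The account password blob and the proxy credentials below are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\alice@gmail.com]
"pw"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11

[HKEY_CURRENT_USER\Software\Google\Google Talk\Options]
"auth_user"="corp\\alice"
"auth_pass"="Winter2005!"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')            # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')    # "name"=data

# Value names the advisory identifies as stored without any protection.
PROXY_CRED_VALUES = ("auth_user", "auth_pass")


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key_path: {value_name: raw_data}}.

    Only single-line values are handled; hex data continued over several
    lines with a trailing backslash is truncated to its first line, which is
    enough to classify its type.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def is_cleartext(raw: str) -> bool:
    """In .reg syntax a REG_SZ is written as "..."; dword:, hex: and hex(n):
    prefixes mark binary or numeric data. Only the quoted form is human readable."""
    return raw.startswith('"') and raw.endswith('"')


def unquote_reg_string(raw: str) -> str:
    """Undo the .reg escaping of a REG_SZ value: \\ -> \ and \" -> "."""
    body = raw[1:-1]
    return body.replace('\\"', '"').replace('\\\\', '\\')


def find_cleartext_proxy_creds(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, decoded_value) for every Google Talk proxy
    credential stored as a readable string."""
    findings = []
    for key, values in reg.items():
        if not key.lower().endswith(r"\google talk\options"):
            continue
        for name in PROXY_CRED_VALUES:
            raw = values.get(name)
            if raw is not None and is_cleartext(raw):
                findings.append((key, name, unquote_reg_string(raw)))
    return findings


if __name__ == "__main__":
    hits = find_cleartext_proxy_creds(parse_reg(SAMPLE_REG))
    for key, name, value in hits:
        print(f"cleartext proxy credential: {key}\\{name} = {value!r}")
    if not hits:
        print("no cleartext Google Talk proxy credentials found")
```

On a real export, feed the file contents to parse_reg after decoding it as UTF-16; the account password under
Accounts\...\pw is hex data and is not reported, which matches the advisory's observation that only the proxy
credentials are left readable.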

[Feasibility of exploitation]

In order to exploit this vulnerability 3 requirements must be met:

1. The victim connects through a proxy when using Google Talk
2. Such proxy requires login credentials (username/password)
3. The attacker has compromised the account of the victim user, i.e. can read the victim's
HKEY_CURRENT_USER hive (by running code as that user, or through administrative access to the
machine or an offline copy of the user's NTUSER.DAT) (see the PoC exploit for an example)

[Solution]

Do not use Google Talk behind a proxy that requires authentication,
or wait until the vendor releases a patched version. If the proxy account is shared with
other services (for example a domain account), treat its password as exposed on every host
that has used Google Talk through that proxy and change it.

[PoC]
Advisory along with fully working PoC exploit code available at www.ikwt.com

Regards,

pagvac (Adrian Pastor)
Earth, SOLAR SYSTEM

© 1999-2008 EvilOctal Security Team