NTA Monitor

Latest News

Finance industry faces serious IT security issues

23rd June 2008 The finance industry needs to keep its eye on the small change as well as the bigger picture of its security vulnerabilities Read More

Retail sector faces serious IT security issues

23rd June 2008 The retail sector needs to set out its stall and ring the changes in its security vulnerabilities if it is to avoid the potential for hackers to gain unauthorised system access and disrupt service availability Read More

IT managers have more security headaches to deal with

11th May 2008 NTA Monitor's 2008 Annual Security Report has revealed that the average number of vulnerabilities found per test have increased to 21 compared with 19 in 2007 Read More

Solutions not excuses for patch management warns NTA Monitor

23rd April 2008 Patch management is a vital security requirement for any organsation Read More

Google Talk Beta Messenger Client Password Disclosure Issue Summary

NTA Monitor have discovered a password disclosure issue in the Google Talk Windows Messenger Client: Google Talk stores all user credentials (username and password) in clear-text in the process memory. Such vulnerability was found on August 25, 2005.

This issue occurs regardless of whether the "Save Password" feature is enabled or not.

Although Google Talk is quite new (it was released on 23/08/05, two days ago at time of writing) and is still in its beta state, it is suspected that this vulnerability could have remained present in stable versions if it hadn't been discovered now.

Overview

While performing vulnerability research in Google Talk Beta, Adrian Pastor, a security researcher and penetration tester from NTA Monitor discovered that the Google Talk client was loading all the credentials unencrypted in the memory of the process "googletalk.exe". It was possible to recover the password by dumping the process memory to a file with PMDump or by crashing the system to obtain a physical memory dump using a crash on demand utility such as Bang.

The vulnerability allows anyone with access to the client system to obtain the username and password. Additionally, this vulnerability could also be exploited by fooling the user to execute malicious code which would dump the memory of the process "googletalk.exe".

It is also worth mentioning that sometimes, no direct user interaction is required for the execution of malicious code. Crackers often exploit vulnerabilities in web browsers and email clients that allows them to execute malicious code on the victim's machine without requiring the user to manually execute the trojaned executable. This means that given the right scenario, this vulnerability present in Google Talk could be exploited in such a way.

Details

After examining the memory dump of the process "googletalk.exe" with a hexadecimal editor, the username seems to appear 21 different times. Below is a screenshot of process memory dump showing the username in the clear. In this case the username is "unknown.pentester@gmail.com".

[Screenshot]

In some instances the username appears without the domain ("unknown.pentester") or with the at symbol ("@") ommited. Most of the instances however, show the username in its complete form ("unknown.pentester@gmail.com"). If carefully examined, the process dump shows 17 out of 21 instances with the username in its complete form ("unknown.pentester@gmail.com").

The password also appears in the clear. In this case, after examining the memory dump and doing a search for our password, it seems to appear 2 different times in the clear. Below is a screenshot of process memory dump showing the password in the clear. In this case the password is "mycleartextpass" .

[Screenshot]

The tested version in this case was Google Talk 1.0.0.64 which is believed to be the first version released by Google to the public. Below is a screenshot showing the About... window along with the version number.

[Screenshot]

Further information

Google Talk can be downloaded from http://www.google.com/talk/

This advisory was first released on 7th August 2005.