NTA Monitor

Latest News

New version of network scanning tool arp-scan released

15th March 2011 A new version of a respected and popular network scanning tool has been released. Read More

Tests show rise in number of vulnerabilities affecting web applications with SQL Injection and XSS most common flaws

1st March 2011 SQL injection and cross-site scripting (XSS) were the most common flaws found in web applications in 2010 according to results from tests carried out by NTA Monitor. Read More

Assess risk to manage effects of budget cuts

9th February 2011 Signs of economic recovery may be appearing in some industries, but for most organisations - particularly in the public sector - budget cuts and cost savings are here to stay for the foreseeable future. Read More

"Basic security threats not changed in 15 years"

1st February 2011 There may have been significant technological advances to the hardware and software organisations use, but according to Roy Hills, who co-founded NTA Monitor in 1996, the basic security threats have not changed in the last 15 years. Read More

Google Talk Beta Messenger Client Password Disclosure Issue Summary

NTA Monitor have discovered a password disclosure issue in the Google Talk Windows Messenger Client: Google Talk stores all user credentials (username and password) in clear-text in the process memory. Such vulnerability was found on August 25, 2005.

This issue occurs regardless of whether the "Save Password" feature is enabled or not.

Although Google Talk is quite new (it was released on 23/08/05, two days ago at time of writing) and is still in its beta state, it is suspected that this vulnerability could have remained present in stable versions if it hadn't been discovered now.

Overview

While performing vulnerability research in Google Talk Beta, Adrian Pastor, a security researcher and penetration tester from NTA Monitor discovered that the Google Talk client was loading all the credentials unencrypted in the memory of the process "googletalk.exe". It was possible to recover the password by dumping the process memory to a file with PMDump or by crashing the system to obtain a physical memory dump using a crash on demand utility such as Bang.

The vulnerability allows anyone with access to the client system to obtain the username and password. Additionally, this vulnerability could also be exploited by fooling the user to execute malicious code which would dump the memory of the process "googletalk.exe".

It is also worth mentioning that sometimes, no direct user interaction is required for the execution of malicious code. Crackers often exploit vulnerabilities in web browsers and email clients that allows them to execute malicious code on the victim's machine without requiring the user to manually execute the trojaned executable. This means that given the right scenario, this vulnerability present in Google Talk could be exploited in such a way.

Details

After examining the memory dump of the process "googletalk.exe" with a hexadecimal editor, the username seems to appear 21 different times. Below is a screenshot of process memory dump showing the username in the clear. In this case the username is "unknown.pentester@gmail.com".

[Screenshot]

In some instances the username appears without the domain ("unknown.pentester") or with the at symbol ("@") ommited. Most of the instances however, show the username in its complete form ("unknown.pentester@gmail.com"). If carefully examined, the process dump shows 17 out of 21 instances with the username in its complete form ("unknown.pentester@gmail.com").

The password also appears in the clear. In this case, after examining the memory dump and doing a search for our password, it seems to appear 2 different times in the clear. Below is a screenshot of process memory dump showing the password in the clear. In this case the password is "mycleartextpass" .

[Screenshot]

The tested version in this case was Google Talk 1.0.0.64 which is believed to be the first version released by Google to the public. Below is a screenshot showing the About... window along with the version number.

[Screenshot]

Further information

Google Talk can be downloaded from http://www.google.com/talk/

This advisory was first released on 7th August 2005.