gtalk-inject.txt

25 Jun 2008 00:00:00 | Reported by Lostmon | Type: packetstorm | Source: packetstormsecurity.com

Gtalk 1.0.0.105 HTML injection and message stealing vulnerability in Google instant messaging

############################################
Gtalk 1.0.0.105 HTML injection and stealing messages
Vendor URL: http://www.google.com
Advisory: http://lostmon.blogspot.com/2008/06/gtalk-100105-html-injection-and.html
Vendor notified: yes   Exploit available: yes
############################################
  
  
GTalk is an instant messaging service offered by Google.
It allows communication via traditional text or voice and is
also integrated with Gmail. According to information released
last year, Google Talk is used by more than 3 million users
worldwide.
  
  
  
GTalk contains a flaw that allows a remote cross-site
scripting or HTML injection attack. The flaw exists because
the application does not validate 'http' and 'mailto' text
when it is submitted to the conversation window.
This could allow a user to create a specially crafted URL
or mailto address that would execute arbitrary code
in a user's Gtalk within the trust relationship
between the Gtalk client and the server, leading to loss of integrity.

A remote user can steal messages from the target Gtalk user.
  
  
################
Versions affected
################

This issue apparently does not affect Gtalk Labs edition
(tested without result).

This issue apparently does not affect Gtalk web users
(tested without result in the web client from mail.google.com).

This issue apparently does not affect Gtalk Gadget users
(tested without result in the web client from
http://talkgadget.google.com/talkgadget/popout?hl=es).
  
  
##################
Timeline
##################

Discovered: 05-06-2008
Vendor notified: 07-06-2008
Vendor response: 07-06-2008
Vendor fix:
Public disclosure: 25-06-2007
  
########################  
Solution  
########################  
  
No solution at this time; however, all users with a
vulnerable Gtalk client can talk without problems
with Google Talk Labs edition, with the web client in a
Gmail account, or with the Google Gtalk Gadget.
  
################################  
How to reproduce or how to test:  
################################  
  
#################  
HTML Injection  
#################  
  
For this test we need two Gmail accounts (attacker
and victim) and Gtalk version 1.0.0.105.
In this test we only send an h1 HTML tag with some text, and
it is executed in the victim's Gtalk.

Let's go !!!
  
1- Open one account in the browser (go to mail.google.com
and log in with the attacker's mail).

2- Open the second account in Gtalk (open Gtalk and log in
with the victim's mail).

3- From the attacker's account, open a chat with the victim.

4- Send this message to the victim: http://"><h1>Lostmon</h1>
  
When Gtalk tries to convert the text link into a clickable URL, the
'h1' HTML tag is executed on the victim's machine; from then on, everything
the attacker writes is rendered with the 'h1' attribute on the victim's machine.

To resolve this situation, the Gtalk user needs to write something
to the attacker.

If a Gtalk user tries to send the same malformed link to a web user,
it is executed on his own machine but does not work on the web user's
machine: the web user only gets a clickable link, and the part of the URL
containing the HTML is not clickable. So Gtalk users on the web are not
vulnerable.

If the Gtalk user (victim) tries to send it to the web user (attacker),
the HTML is executed in the Gtalk client, and now everything the victim
writes has the 'h1' attribute..... To resolve it, the attacker needs to send any
text to the victim, and then the conversation window is free of the 'h1' HTML tag.
  
I made several attempts with other tags, like script or img, but at
this moment I can't bypass the filter, or I can't look... more deeply :P

This issue occurs when Gtalk tries to convert text into a clickable URL;
this flaw affects the mailto function too !!!

We can do the same test, but when sending the message, send this instead:
mailto:"><h1>Lostmon</h1>.
  
Continuing the tests with Gtalk Labs edition as the attacker and
Gtalk 1.0.0.105 as the victim, the attacker can send the payload to
victims with the same result.

We can try to insert other HTML tags, like script; apparently, if we
look at the source code of the Gtalk window, it is executed, but nothing
appears.... Send to the victim:
http://"><h1>Lostmon</h1>
and look at the source code of the Gtalk window.


If the attacker sends to the victim:
http://"><h1>Lostmon</h1>

Gtalk only converts this URL into its HTML value
http://"><h1>Lostmon</h1>
but doesn't execute it...

Gtalk accepts HTML encoding of them !!!
  
#######################################  
source in victims conversation window  
########################################  
  
<DIV class="msg 1st"><SPAN style="FONT-WEIGHT: bold">Lostmon</SPAN>:  
  
<A href='http://"></a href=""><h1>Lostmon</h1'>http://"></A>  
  
<H1>Lostmon</H1</a>></DIV>  
  
###########################  
Proof Of Messages Stealing  
###########################  
  
Try it with the attacker on Gtalk Labs edition and the victim on Gtalk 1.0.0.105.

If the victim has notifications enabled (for example, when other users talk to him
while he has Gtalk minimized), an attacker can send him:

http://"><script>alert()</script>

or

mailto:"><script>alert()</script>

and continue talking with the victim. The victim only has http://"> in his window,
but if the attacker keeps talking to him, the victim can only see what the
attacker says through the notifications, for a few seconds, because when he
looks at his window he only has http://">.

This can be used for message stealing or for other types of spoofing attacks.
This situation ends when the victim talks to the attacker.


If the victim sends http://"><script>alert()</script> to the attacker,
then the victim can't see any text that he sends.
The victim needs the attacker to send him a message to resolve this
situation, after which the victim can see his messages again.
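Both the HTML injection section and the message-stealing section above come down to one defect: text that looks like an http:// or mailto: link is wrapped in an anchor tag without escaping, so a double quote in the message closes the href attribute and the rest is rendered as live markup (an unclosed element then swallows whatever follows, which is why the victim's later messages vanish). The JavaScript below is an added example written for this page, not Gtalk's own code (Google never published it): a toy conversation-window linkifier in a vulnerable form and a hardened form, run over the payloads quoted in the advisory. The function names, the regular expressions and the double-quoted href are assumptions.

```javascript
// Added example, not Gtalk's code: a toy conversation-window "linkifier" of
// the kind the advisory describes, in a vulnerable and a hardened form, run
// over the advisory's own payloads. Function names, regexes and the
// double-quoted href are assumptions (the real implementation is not public).

// Payloads quoted from the advisory (h1 ones from the HTML injection section,
// script ones from the message-stealing section).
const ADVISORY_PAYLOADS = [
  'http://"><h1>Lostmon</h1>',
  'mailto:"><h1>Lostmon</h1>',
  'http://"><script>alert()</script>',
  'mailto:"><script>alert()</script>',
];

// VULNERABLE: anything starting with http(s):// or mailto: is wrapped in an
// <a> with no escaping. A double quote inside the "URL" closes the href
// attribute, so the rest of the message lands in the window as live markup.
function linkifyVulnerable(message) {
  return message.replace(/(?:https?:\/\/|mailto:)\S*/g,
    (url) => `<a href="${url}">${url}</a>`);
}

// Escape the five characters that can change HTML structure or break out of
// a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED: only an allow-listed scheme followed by URL-safe characters is
// treated as a link (so '"', '<' and '>' terminate the link candidate), every
// plain-text run is HTML-escaped, and the href value is escaped as well.
const SAFE_URL_RE = /(?:https?:\/\/|mailto:)[A-Za-z0-9._~:\/?#@!$&'()*+,;=%-]*/g;

function linkifyHardened(message) {
  let out = '';
  let last = 0;
  for (const m of message.matchAll(SAFE_URL_RE)) {
    out += escapeHtml(message.slice(last, m.index)); // text before the link
    const url = m[0];
    out += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  return out + escapeHtml(message.slice(last));      // text after the last link
}

// True if the rendered HTML still contains a raw (unescaped) start tag of the
// given name, i.e. the message managed to inject markup into the window.
function containsRawTag(html, tagName) {
  return new RegExp('<' + tagName + '[\\s>]', 'i').test(html);
}

// Demo for the reader: both renderings of each advisory payload.
for (const p of ADVISORY_PAYLOADS) {
  console.log('payload   :', p);
  console.log('vulnerable:', linkifyVulnerable(p));
  console.log('hardened  :', linkifyHardened(p));
}
```

Run it with `node` and compare the two renderings: the vulnerable output for the h1 payload contains a live `<h1>` after the broken anchor, while the hardened output renders the same message as `<a href="http://">http://</a>&quot;&gt;&lt;h1&gt;Lostmon&lt;/h1&gt;`, with nothing left that a parser will treat as a tag. Three choices do the work: the link candidate stops at any character that is not URL-safe, so a quote can never reach the attribute; text and attribute values are escaped separately instead of trusting the link regex to exclude markup; and only http(s) and mailto schemes are ever linkified. Because no element is ever left open, a later message can no longer be swallowed, which is the message-stealing effect the advisory describes.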
  
  
#################  
Conclusion  
#################  
  
  
With the results of all these tests, we can conclude that the HTML
filter in Gtalk 1.0.0.105 does not work properly, and that this is a potential
vulnerability because an attacker can execute HTML code on the victim's machine
and can steal messages on the victim's machine....
  
  
########################€nd##################  
  
  
Thnx to Estrella for being my light.
Thnx to FalconDeOro for his support.
Thnx to Imydes from www.imydes.com for testing with me.
Thnx to all the Lostmon Group Team for their continued support.
Thnx to all the Google security team for their patience and fast response.
  
--
Sincerely:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....
