Syhunt: Google Talk (gTalk) HTML Injection Technique

[Alec Storm <alec () syhunt com>]

Syhunt: Google Talk (gTalk) HTML Injection Technique

Advisory-ID: 200703041
Discovery Date: 4.3.2007
Release Date:  4.24.2007
Affected Applications: gTalk 1.0.0.104 and possibly earlier
versions
Class: HTML Injection
Status: Unpatched/Vendor informed
Vendor: Google Inc.
Vendor URL: http://www.google.com/

----------------------------------------------------------------

Overview:
Google Talk is a service offered by Google instant messaging.
It allows communication via traditional text or voice and is
also integrated with Gmail. According to information released
last year, Google Talk is used by more than 3 million users
worldwide.

Description:
gTalk chat screen, which uses an Internet Explorer control to
display messages, pictures and requests to the user, is
vulnerable to HTML injection. The flaw resides in the file
transfer notification. A user does not need to accept the
incoming file transfer, code is automatically displayed in the
chat screen.

If combined with additional techniques (discussed in the
additional considerations section), this flaw may be used to
execute arbitrary HTML code and script code in the user's chat
screen.

----------------------------------------------------------------

Details:

1. Create a file with the following name: test.txt');
2. Send it to another user in the gTalk chat screen.
3. Open the source code of the receiver's chat screen. This can
be easily achieved using the IESpy tool
(http://www.disoriented.com/IESpy/)

An inspection of the HTML code related to the file transfer
notification shows that the src attribute of DXImageTransform
(used to display an icon related to the file type being
transferred) is affected by this special filename extension
itself. It is possible to include additional style attributes to
the img element just by appending characters to end of the
filename extension.

Additional Considerations:

* File system limitations for filenames limits the
exploitability when launching an attack from certain OSs
(specially on Windows).

* Packet forging, memory patching, and filter bypass techniques,
which are not covered in this document, and techniques involving
alternative Google Talk clients, may increase the impact of the
security attack and also overcome the filename limitations.

----------------------------------------------------------------

Vulnerability Status:
Google was notified, but it remains unpatched.

----------------------------------------------------------------

Disclaimer:
The information in this advisory is provided "as is" without
warranty of any kind. Details provided are strictly for
educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or
indirect use of the information provided by this advisory.

---
Credit:
Alec Storm, Syhunt Security Research Team, www.syhunt.com