Syhunt: Google Talk DXImageTransform HTML Injection Vulnerability

Syhunt: Google Talk (gTalk) HTML Injection Technique
Advisory-ID: 200703042
Discovery Date: 4.3.2007
Release Date: 4.24.2007
Affected Applications: gTalk 1.0.0.104 and possibly earlier versions
Class: HTML Injection
Status: Unpatched/Vendor informed
Vendor: Google Inc.
Vendor URL: http://www.google.com/

Bugtraq has assigned the 23645 ID to this issue [1]


Overview: Google Talk is a service offered by Google for instant messaging. It allows communication via traditional text or voice and is also integrated with Gmail. According to information released last year, Google Talk is used by more than 3 million users worldwide.

Description: The gTalk chat screen, which uses an Internet Explorer control to display messages, pictures and requests to the user, is vulnerable to HTML injection. The flaw resides in the file transfer notification. A user does not need to accept the incoming file transfer; the injected code is automatically displayed in the chat screen.

If combined with additional techniques (discussed in the additional considerations section), this flaw may be used to execute arbitrary HTML code and script code in the user's chat screen.


Details:

  1. Create a file with the following name: test.txt');
  2. Send it to another user in the gTalk chat screen.
  3. Open the source code of the receiver's chat screen. This can be easily achieved using the IESpy tool [2].

An inspection of the HTML code related to the file transfer notification shows that the src attribute of DXImageTransform (used to display an icon related to the file type being transferred) is affected by this special filename extension. It is possible to include additional style attributes in the img element just by appending characters to the end of the filename extension, after ".txt');".
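The hardening a defender would apply to the notification template described above, written here as an added example rather than Syhunt's or Google's code: the icon is chosen from a fixed allowlist instead of interpolating the extension into the style, the filename is HTML-escaped in the text node, and a small heuristic flags filenames carrying string-terminating characters for logging. The template, the icon list and the function names are assumptions made for the example.

```python
import html
import re

# Assumed allowlist of icon names; not gTalk's real list.
KNOWN_ICONS = {"txt", "doc", "pdf", "jpg", "png", "zip"}


def icon_for(filename: str) -> str:
    """Map a filename's extension to an icon name from a fixed allowlist.

    Only a short run of letters/digits at the end of the name is considered,
    so an extension such as "txt');" never matches and falls back to the
    generic icon. Attacker-chosen bytes therefore never reach the style.
    """
    m = re.search(r"\.([A-Za-z0-9]{1,8})$", filename)
    ext = m.group(1).lower() if m else ""
    return ext if ext in KNOWN_ICONS else "generic"


def render_file_notice(filename: str) -> str:
    """Build the chat-screen notification markup without injection.

    The template is an assumption modelled on the advisory (an img whose
    style uses DXImageTransform to load the icon); it is not gTalk's markup.
    """
    icon = icon_for(filename)
    style = (
        "filter:progid:DXImageTransform.Microsoft.AlphaImageLoader"
        f"(src='icons/{icon}.png',sizingMethod='scale')"
    )
    # Attribute value and text node are escaped for their HTML contexts.
    return (
        f'<img style="{html.escape(style, quote=True)}" alt="">'
        f"Incoming file: {html.escape(filename)}"
    )


def is_injection_attempt(filename: str) -> bool:
    """Logging heuristic: flag names containing characters that would close
    a quoted CSS/JS string, a function call or an HTML tag (the advisory's
    test.txt'); carries three of them)."""
    return re.search(r"""['"();<>\\]""", filename) is not None
```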

Additional Considerations:

  • File system limitations on filenames limit the exploitability when launching an attack from certain OSs (especially Windows).

  • Packet forging, memory patching and filter bypass techniques, which are not covered in this document, and techniques involving alternative Google Talk clients, may increase the impact and also overcome the filename limitations when launching an attack.


Vulnerability Status: Google was notified, but it remains unpatched.


Disclaimer: The information in this advisory is provided "as is" without warranty of any kind. Details provided are strictly for educational and defensive purposes.

Syhunt is not liable for any damages caused by direct or indirect use of the information provided by this advisory.


Credit:
Alec Storm, Syhunt Security Research Team, www.syhunt.com

Contact