Gaim Arbitrary Email Reading

From: Scott Mackenzie (smackenz@sdf.lonestar.org)
Date: 05/12/02


From: Scott Mackenzie <smackenz@sdf.lonestar.org>
To: vuln-dev@securityfocus.com
Date: 12 May 2002 04:59:38 +0100

Date: Sun May 12
Problem App: Gaim Messenger Client
Problem: Permissions Problem
Severity: Low/Medium
Results: A local attacker can gain full access to other gaim users'
hotmail accounts
Evidence: See the end of this email for a shell example of this issue
Exploitable: Simple if gaim is running, hard if not.

** Gaim Notified & fix available**

Yes, and it's fixed in the nightly CVS, and will be fixed in version
0.58. Until 0.58 comes out, it is best to fix this problem on systems
with many users running gaim by getting the latest CVS.

Grab the *FIX* here:
http://gaim.sourceforge.net/downloads.php

After speaking to a developer in the gaim IRC room, it's obvious this
bug is known to them, but we agreed everyone else using gaim should be
notified with this email. I'd like to take this opportunity to thank
the developer for his quick response - good old IRC. :-) cheers!

:Problem:

I'm using 'gaim' (gaim.sourceforge.net) as a chat client for AOL Instant
Messenger and MSN Messenger. I'm running Redhat 7.3, and gaim version
0.57 (the latest).

I have enabled the option in gaim's MSN protocol setup to check for
hotmail email when gaim starts (MSN Messenger for Windows does this too).
To enable this, run gaim, go into accounts, open your MSN account
listed there and click the option. To make an MSN account, ensure you
have configured gaim to load the MSN plugin when it starts up.

Gaim uses /tmp as a dumping ground for many temp files. Here's what the
problem is:

1) Gaim starts up and checks your hotmail email (if this option is
enabled in your gaim setup)

2) It will create two files in /tmp. These files are named:

file<someRandomletters> - e.g: fileFH9e0w or file984345

If you have loads of files in /tmp, it's because you have run gaim loads
of times! Delete them and re-run gaim to get the current two.

3) These files have permission:

 4 -rw-rw-r-- 1 smackenz smackenz 978 May 12 03:01 /tmp/file984345

(smackenz is the gaim user).

** As you can see they are readable by anyone **

If I then close gaim (or leave it open), go into /tmp as a different
user (or even from a different computer..), and use a web browser (for
example konqueror) to open one of the two files, it takes you straight
to the gaim user's hotmail inbox, where you'll have full access. Of the
two files, it seems that each one does this, but if the first doesn't
work, try the second.

*IMPORTANT* This only works whilst the other user is running gaim, or
only for a minute or so *after* the user closes gaim - probably due to
the fact that after gaim is closed the session ID from hotmail will
change, therefore making the session ID in the 'stolen' file incorrect.
That session ID is a total guess by the way; I've hardly looked into this
problem, but it seems a logical answer due to this:

more /tmp/file*
<skipped for easy reading>...

<input type="hidden" name="auth"
value="2AAAAAAAADfFg7dCWdlevXUGqgbzqmlMlWYjtXUaSbSpr*zqdYziwIhw$$">
<input type="hidden" name="creds"
value="aec291f9a02b4837de38eb661dbf9847">

*TESTING*

To best test for this problem, I suggest you remove all the old files in
/tmp called file<something>, then run gaim, and re-check in /tmp - and
you'll then be able to distinguish which are the new files.

To resolve this issue, a basic method would be to recompile gaim with
corrected permission settings for the /tmp files. This would then only
allow the gaim user to access the files, and not every other lamer on
the system.
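As an added example (not gaim's code, and not the fix that went into CVS), the C program below shows the two halves of this report in code: the *TESTING* check, done as a scan of a directory for file<something> entries readable by users other than their owner, and the resolution, a temp file created with an explicit owner-only mode instead of whatever the library or umask hands out. A file created with mode 0664 comes out -rw-rw-r-- like the /tmp/file* entries in the ls -las listing; the fixed variant forces 0600. The function names (create_temp_file, readable_beyond_owner, audit_dir, run_demo), the scratch directory and the sample page contents are assumptions made for the example; the real file carries the auth/creds hidden inputs quoted earlier.

```c
/* Added example, not gaim's code: reproduce the permission problem the
 * advisory describes, show the corrected creation, and audit a directory
 * the way "ls -las /tmp/file*" does by hand. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for the Hotmail login page gaim writes to /tmp. */
static const char SAMPLE_PAGE[] =
    "<input type=\"hidden\" name=\"auth\" value=\"CONSTRUCTED-SAMPLE\">\n";

/* Create dir/fileXXXXXX, set an explicit mode on the open fd, write the
 * page. Old glibc (< 2.0.7) mkstemp() created files 0666 & ~umask, so a
 * hardened caller passes 0600 here rather than trusting the library
 * default (and ideally also runs with umask(077)). Returns fd or -1;
 * the chosen path is copied into path_out. */
static int create_temp_file(const char *dir, mode_t mode,
                            char *path_out, size_t path_len)
{
    char tmpl[PATH_MAX];
    if (snprintf(tmpl, sizeof tmpl, "%s/fileXXXXXX", dir) >= (int)sizeof tmpl)
        return -1;
    int fd = mkstemp(tmpl);                 /* unique name, O_CREAT|O_EXCL */
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0 ||            /* permissions chosen by us */
        write(fd, SAMPLE_PAGE, strlen(SAMPLE_PAGE)) < 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    snprintf(path_out, path_len, "%s", tmpl);
    return fd;
}

/* 1 if group or other users can read the file, 0 if only the owner can,
 * -1 if it cannot be stat'ed. */
int readable_beyond_owner(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRGRP | S_IROTH)) ? 1 : 0;
}

/* The check: count regular files in dir whose name starts with prefix and
 * whose mode lets group or other read them. Matches are printed with mode
 * and owning uid. Returns the count, or -1 if dir cannot be opened. */
int audit_dir(const char *dir, const char *prefix)
{
    DIR *d = opendir(dir);
    if (!d)
        return -1;
    int found = 0;
    struct dirent *ent;
    char path[PATH_MAX];
    while ((ent = readdir(d)) != NULL) {
        if (strncmp(ent->d_name, prefix, strlen(prefix)) != 0)
            continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, ent->d_name) >= (int)sizeof path)
            continue;
        struct stat st;
        if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
            continue;
        if (st.st_mode & (S_IRGRP | S_IROTH)) {
            printf("exposed: %s mode %04o uid %u\n", path,
                   (unsigned)(st.st_mode & 07777), (unsigned)st.st_uid);
            found++;
        }
    }
    closedir(d);
    return found;
}

/* Scenario in a scratch directory (constructed): one file created with
 * the mode the advisory observed (0664) and one the fixed way (0600).
 * Returns a bitmask: 1 = insecure file readable beyond owner, 2 = fixed
 * file is not, 4 = the audit flags exactly the insecure one. Expect 7. */
int run_demo(void)
{
    char in_tmp[] = "/tmp/gaimdemoXXXXXX", in_cwd[] = "gaimdemoXXXXXX";
    const char *dir = mkdtemp(in_tmp) ? in_tmp : (mkdtemp(in_cwd) ? in_cwd : NULL);
    if (!dir)
        return -1;
    char bad[PATH_MAX], good[PATH_MAX];
    int result = 0;
    int fd_bad = create_temp_file(dir, 0664, bad, sizeof bad);
    int fd_good = create_temp_file(dir, 0600, good, sizeof good);
    if (fd_bad >= 0 && fd_good >= 0) {
        if (readable_beyond_owner(bad) == 1)  result |= 1;
        if (readable_beyond_owner(good) == 0) result |= 2;
        if (audit_dir(dir, "file") == 1)      result |= 4;
    }
    if (fd_bad >= 0)  { close(fd_bad);  unlink(bad);  }
    if (fd_good >= 0) { close(fd_good); unlink(good); }
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("demo result %d (expect 7)\n", r);
    return r == 7 ? 0 : 1;
}
```

Pointing audit_dir() at "/tmp" with prefix "file" while gaim is running is the programmatic form of the testing procedure above; the explicit fchmod(fd, 0600) on the already-open descriptor is the point of the fix, since it does not depend on the user's umask or on which glibc mkstemp() the binary was built against.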

Thanks.

Scott.

Below is a shell output of this attack:

[smackenz@smackenz smackenz]$ ls /tmp |grep file*
[smackenz@smackenz smackenz]$ id
uid=500(smackenz) gid=500(smackenz) groups=500(smackenz)
[smackenz@smackenz smackenz]$ gaim
[smackenz@smackenz smackenz]$ ls /tmp |grep file*
file8veFxR
fileKGVdms
[smackenz@smackenz smackenz]$ su user
Password:
[user@smackenz smackenz]$ id
uid=501(user) gid=501(user) groups=501(user)
[user@smackenz user]$ ls -las /tmp/file*
   4 -rw-rw-r-- 1 smackenz smackenz 978 May 12 03:11 /tmp/file8veFxR
   4 -rw-rw-r-- 1 smackenz smackenz 978 May 12 03:11 /tmp/fileKGVdms
[user@smackenz user]$ cd /tmp
[user@smackenz tmp]$ ls |grep file
fileCHuvIp
fileFbpaYB
[user@smackenz tmp]$ galeon fileCHuvIp

woopie, you've 'hacked' into hotmail via gaim.. all the kiddies
trying to 'hack hotmail' all day should take this opportunity to pat
themselves on the back for their l33tness or whatever they call it..

Later.

Scott.
Bradford Uni, UK.
--------------------------------------------------
Greets: deadbeat; "where's my modem man!" :-)
--------------------------------------------------
