GoToMeeting Information Disclosure via Logging Output (Android)

2014.01.27
Risk: Low
Local: Yes
Remote: No
CWE: CWE-200


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

1. ADVISORY INFORMATION
========================
Title: GoToMeeting Information Disclosure via Logging Output (Android)
CVE: CVE-2014-1664
CVE Information: ASSIGNED
Date published: PUBLIC
Date of last update: 01/23/2014
Vendor Contacted: Citrix
Release mode: Coordinated Release

2. VULNERABILITY INFORMATION
=============================
Class: Information Disclosure
Impact: CVSS Details specified below
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: [CVE-2014-1664] GoToMeeting Information Disclosure via Logging Output (Android)

3. VULNERABILITY DESCRIPTION
============================
The latest release of the software is vulnerable to information disclosure via logging output, resulting in the leak of userID, meeting details, and authentication tokens. Android applications with permissions to read system log files may obtain the leaked information.

4. VULNERABLE PACKAGES
======================
- com.citrixonline.android.gotomeeting-1.apk version 5.0.799.1238 (Android)

5. NON-VULNERABLE PACKAGES
==========================
- other platforms untested

6. CREDITS
===========
This vulnerability was discovered and researched by Claudio J. Lacayo.

7. TECHNICAL DESCRIPTION / PROOF OF CONCEPT CODE
=================================================
<! ----- SNIPPET ------- !>
D/G2M (32190): HttpRequest to: https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
E/qcom_sensors_hal( 787): hal_process_report_ind: Bad item quality: 11
D/dalvikvm(32190): GC_CONCURRENT freed 1322K, 43% free 20491K/35456K, paused 6ms+1ms, total 33ms
D/G2M (32190): HttpRequest response from: GET https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED] -> 200
D/G2M (32190): HttpRequest response body: GET https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED] -> {"Status":"Redirect","RedirectHost":"www1.gotomeeting.com","MeetingId":"[MEETING_ID_REDACTED]"}
D/G2M (32190): Got 302 from legacy JSON API: www1.gotomeeting.com
D/G2M (32190): HttpRequest to: https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]
D/G2M (32190): HttpRequest response from: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> 200
D/G2M (32190): HttpRequest response body: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> {"Status":"MeetingNotStarted","MeetingId":"[MEETING_ID_REDACTED]","IsRecurring":false,"Endpoints":["Native"],"OrganizerName":"[REDACTED]","Subject":"[REDACTED]","MaxAttendees":100,"IsWebinar":false,"AudioParameters":{"CommParams":{"disableUdp":false},"ConferenceParams":{"supportedModes":"VoIP,PSTN,Private","initialMode":"Hybrid","SpeakerInfo":{"PhoneInfo":[{"description":"Default","number":"[REDACTED],"authToken":"AAFe4rYexu4Dm7qrL45/Egx+AAAAAFLdeSkAAAAAUt7KqUbWYmXH3OcczkhGaWRf0wM2OKWa","accessCode":"REDACTED"},"userId":"userId","authToken":"EAEBAQEBAQEBAQEBAQEBAQE=","privateMessage":"","audioKey":-1,"BridgeMutingControl":true,"VCBParams":{"Codec":[{"payloadType":103,"frameLength":30,"name":"ISAC","bitrate":32000,"channels":1,"samplingRate":16000},{"payloadType":0,"frameLength":20,"name":"PCMU","bitrate":64000,"channels":1,"samplingRate":8000}],"VCB":{"port":5060,"ipAddr":"10.23.70.151"},"Options":{"asUpdates":true,"rtUpdates":true,"dtx":false}}}},"EndTime":1390239900000,"StartTime":1390237200000,"IsImpromptu":false}
D/G2M (32190): Got response from legacy JSON API: 200
D/G2M (32190): JoinService: Attempting to join Meeting
D/G2M (32190): MeetingService: Starting Meeting join on legacy...
D/G2M (32190): HttpRequest to: https://www.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
D/G2M (32190): ServiceResolver: COLService: BaseURL [https://www1.gotomeeting.com], isLegacy [true}, isWebinar [false]
D/G2M (32190): HttpRequest response from: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a -> 302
D/G2M (32190): HttpRequest response body: GET https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a -> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<! ----- SNIPPET ------- !>

8. CVSS 2.0 BASE METRICS
========================
Reference Base Vector Base Score
CVSS Base Score            5.4
Impact Subscore            7.8
Exploitability Subscore    3.4
CVSS Temporal Score        5.1
CVSS Environmental Score   6.6
Modified Impact Subscore   10
Overall CVSS Score         6.6

9. REPORT TIMELINE
==================
[1] 01/20/2014 - Vulnerability discovered, internal contact notified
[2] 01/21/2014 - Citrix security team notified via email
[3] 01/22/2014 - Citrix asked for testing environment details; provided.
[4] 01/23/2014 - CVE provided by CNA; public disclosure.

10. REFERENCES
=============
https://www.securecoding.cert.org/confluence/display/java/DRD04-J.+Do+not+log+sensitive+information
https://play.google.com/store/apps/details?id=com.nolanlawson.logcat&hl=en
https://drive.google.com/file/d/0B3eEtV83VTFUWEgxSTRac3JvZlk/edit?usp=sharing
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
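
Added example (not part of the original advisory and not Citrix code): a release-build log audit for the class of leak described in section 3, paired with the redaction step recommended by DRD04-J. It parses logcat lines in the layout shown in the snippet, reports which sensitive fields appear without returning their values, and masks those fields before a message is logged. The names SENSITIVE_KEYS, scan_logcat and redact, the host meet.example.test and all sample lines are assumptions constructed for illustration.

```python
import re

# logcat "brief" layout used in the advisory's snippet: "D/G2M (32190): message"
LOGCAT_BRIEF = re.compile(r"^[VDIWEF]/(?P<tag>[^(]+?)\s*\(\s*(?P<pid>\d+)\):\s?(?P<msg>.*)$")

# Field names that appear in the leaked output above; extend for your own app.
SENSITIVE_KEYS = {"authToken", "accessCode", "userId", "MeetingID", "MeetingId", "MachineID"}

# JSON members ("key":"value" or "key":123) and URL-style parameters (key=value).
FIELD = re.compile(
    r'"(?P<jkey>\w+)"\s*:\s*(?:"(?P<jval>[^"]*)"|(?P<jnum>-?\d+))'
    r"|(?<!\w)(?P<qkey>\w+)=(?P<qval>[^&,\s]*)"
)

def scan_logcat(lines, tags=None):
    """Return sorted (tag, pid, key) findings. Values are never returned."""
    findings = set()
    for line in lines:
        m = LOGCAT_BRIEF.match(line)
        if not m or (tags and m["tag"] not in tags):
            continue
        for f in FIELD.finditer(m["msg"]):
            key = f["jkey"] or f["qkey"]
            value = f["jval"] or f["jnum"] or f["qval"]
            if key in SENSITIVE_KEYS and value:  # empty values leak nothing
                findings.add((m["tag"], int(m["pid"]), key))
    return sorted(findings)

def redact(msg):
    """Mask sensitive values in a message before it is handed to the logger."""
    def mask(f):
        key = f["jkey"] or f["qkey"]
        if key not in SENSITIVE_KEYS:
            return f[0]
        return f'"{key}":"<redacted>"' if f["jkey"] else f"{key}=<redacted>"
    return FIELD.sub(mask, msg)

# Constructed sample lines (not captured from any device or from the advisory).
SAMPLE = [
    "D/G2M (32190): HttpRequest to: https://meet.example.test/meeting/getInfo?android=true&MeetingID=111222333",
    "E/qcom_sensors_hal(  787): hal_process_report_ind: Bad item quality: 11",
    'D/G2M (32190): HttpRequest response body: {"Status":"MeetingNotStarted",'
    '"userId":"u-1","authToken":"Q09OU1RSVUNURUQ=","accessCode":"000000"}',
    "D/G2M (32190): JoinService: Attempting to join Meeting",
    "D/OtherApp (  412): token refresh ok",
]
```

The patterns only cover key/value fields; an identifier embedded in a URL path, as the meeting ID is in the snippet above, needs its own rule.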


