web application security lab

Google Desktop 0day

Well, fast on the heels of the Firefox plugin MITM vulnerabilities, I’ve been working on some other stuff that I think is interesting and of the same genre. This time I came up with a MITM exploit against Google Desktop that would allow an attacker to trick a user into running any program they have installed that was indexed by Google Desktop. Nasty. I have a pretty thorough write-up and a sample video (please read the text before you launch the video or it won’t make much sense).

Using something like Airpwn, an attacker can sit in a wireless hotspot and wait for someone who has Google Desktop installed (since we can detect that) and run the exploit against them. It could be done as a prank or something malicious. The point is that this type of deep integration between the web and client-side applications is really dangerous and breaks the security models put in place by the browsers.

15 Responses to “Google Desktop 0day”

  1. kuza55 Says:

    Did you by any chance manage to pass arguments to the programs you called?

    Because unless we can do that, I don’t see how this could be very useful to an attacker who wants to do something other than annoy users, because even an uninstall program needs the user to click next on all the screens, etc.

  2. RSnake Says:

    I was unable to pass arguments (although I by no means exhausted my attempts - I just gave up once I found this much). Feel free to try. But while you say that it can annoy users, that’s not totally true… lots of programs automatically make connections out to the web insecurely and those too can be subverted. I didn’t bother going further down that path, but I feel very confident with not much work this could be turned into something very bad.

  3. kuza55 Says:

    Don’t get me wrong, it’s definitely something which shouldn’t be happening, I just don’t see this making much of a difference in anything other than a small number of cases where the user either has programs which download updates over insecure connections (and don’t do signature checks) or has some programs which you have exploits for (e.g. outdated Apache), but which the user wouldn’t willingly run in a hostile environment.

    Actually, I just had an epiphany; could you get a user to download an executable into their temp folder, and then somehow get it indexed and then launched? I’d check, but I’m going out soon, and I haven’t played with Google Desktop.

  4. Yair Says:

    Hi RSnake,

    A cool finding! :)
    I believe there is another mitigating factor for this attack: turning off the ‘Google Integration’ feature (can be performed in the preferences page of Google Desktop).
    This action should protect the user from the attack you described by removing links to localhost from the Google.com domain.

  5. Ronald van den Heetkamp Says:

    You mean like: http://download.watchfire.com/googledesktopdemo/index.htm

    That was a cool hack, but it doesn’t work anymore.

  6. MrNGm Says:

    Dugg it this morning (some 8 hours ago). I thought it was something rather important.

  7. Jeremiah Blatz Says:

    If only we had some sort of technology to protect against MITM attacks…

  8. anon Says:

    @blatz: I created one. I call it secure socket layer. It uses a newfangled technology called public key cryptography to (among) verify that you are talking to the right person AND ensures the integrity of each message I sent.

    ya, I know I’m a genius.

  9. Alex Says:

    Well, I’m just a little bit confused.
    Danny Allan, a guy from Watchfire, has written something similar or maybe exactly the same at the same day.
    Here is an online article from a German publisher, which talks about the 0-day from Allan and uses your video on Google and links to http://ha.ckers.org/google-desktop-0day , too.

    So, now tell me that you’ve changed your name and face and everything’s alright. But if you say that you’re the same guy as before, I’ll write to the publisher and ask them to delete the links or to mention you on the site.
    Okay?

  10. Alex Says:

    Oops, I forgot the link (German article):
    http://www.heise.de/newsticker/meldung/90528

  11. RSnake Says:

    Alex, I think that is a super old vuln. That’s like at least a few versions of Google Desktop ago, and at least that old version of the website. I think they were just pointing out older stuff, as an example of how Google Desktop has a history of flaws.

  12. Alex Says:

    But they do say that your work has been done by someone else.
    I’ll translate some sentences:
    “Die weiteren Details des Angriffes führt Allan in einer Präsentation sowie einem kurzen Film auf Google-Video aus.”
    =>
    “(Danny) Allan shows further details of the attack in a presentation and in a short video on Google-Video.”

    “Wie den Kommentaren seines Blogs zu entnehmen ist …”
    =>
    “According to the comments of his blog ( http://ha.ckers.org/blog/20070531/google-desktop-0day/ ) …”

    Another quote:
    http://ha.ckers.org/google-desktop-0day/ - weitere Ausführungen von Allan zur Lücke
    http://video.google.com/videoplay?docid=2726113702646327649 - Videodemonstration der Schwachstelle

    => Link 1 - further details of the vulnerability from Allan
    => Link 2 - Video demonstration of the vulnerability

    And that’s news, not an old article…

  13. Tips Dr.com Says:

    Google Desktop Zero Day Exploit

    RSnake from ha.ckers.org has posted an example of a zero day exploit using Google Desktop that he says you could use to do almost anything on someone’s computer who has Google Desktop installed. Someone could use a wireless hotspot to monit…

  14. Ronald van den Heetkamp Says:

    I think it’s referenced to Yair Amit, but that wasn’t a wireless version.

    ah, it’s Wireless & it’s Google so I don’t care anyway. But besides that, the point really is the danger of desktop apps communicating I/O, which leads to a new landscape of attacks and exploits.

  15. Alex Says:

    I’ve reported the mistake to the publisher Heise. The corrected version of the news is online now. Now they speak of RSnake and id. ;)