[CVE-2014-1664] GoToMeeting Information Disclosure via Logging Output (Android)

[cjlacayo () gmail com]

1. ADVISORY INFORMATION
========================
Title: GoToMeeting Information Disclosure via Logging Output (Android)
CVE: CVE-2014-1664
CVE Information: ASSIGNED
Date published: PUBLIC
Date of last update: 01/23/2014
Vendor Contacted: Citrix
Release mode: Coordinated Release

2. VULNERABILITY INFORMATION
=============================
Class:  Information Disclosure
Impact: CVSS Details specified below
Remotely Exploitable: No
Locally Exploitable:  Yes
CVE Name: [CVE-2014-1664] GoToMeeting Information Disclosure via Logging Output (Android)

3. VULNERABILITY DESCRIPTION
============================
The latest release of the software is vulnerable to information disclosure via logging output, resulting in the leak of 
userID, meeting details, and authentication tokens. Android applications with permissions to read system log files may 
obtain the leaked information.

4. VULNERABLE PACKAGES
======================
- com.citrixonline.android.gotomeeting-1.apk version 5.0.799.1238 (Android)

5. NON-VULNERABLE PACKAGES
==========================
- other platforms untested

6. CREDITS
===========
This vulnerability was discovered and researched by Claudio J. Lacayo.

7. TECHNICAL DESCRIPTION / PROOF OF CONCEPT CODE
=================================================
<! ----- SNIPPET ------- !>

D/G2M     (32190): HttpRequest to: 
https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
E/qcom_sensors_hal(  787): hal_process_report_ind: Bad item quality: 11 
D/dalvikvm(32190): GC_CONCURRENT freed 1322K, 43% free 20491K/35456K, paused 6ms+1ms, total 33ms
D/G2M     (32190): HttpRequest response from: GET 
https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
 -> 200
D/G2M     (32190): HttpRequest response body: GET 
https://www2.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]
 -> {"Status":"Redirect","RedirectHost":"www1.gotomeeting.com","MeetingId":"[MEETING_ID_REDACTED]"}
D/G2M     (32190): Got 302 from legacy JSON API: www1.gotomeeting.com
D/G2M     (32190): HttpRequest to: 
https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]
D/G2M     (32190): HttpRequest response from: GET 
https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> 200
D/G2M     (32190): HttpRequest response body: GET 
https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED] -> 
{"Status":"MeetingNotStarted","MeetingId":"[MEETING_ID_REDACTED]","IsRecurring":false,"Endpoints":["Native"],"OrganizerName":"[REDACTED]","Subject":"[REDACTED]","MaxAttendees":100,"IsWebinar":false,"AudioParameters":{"CommParams":{"disableUdp":false},"ConferenceParams":{"supportedModes":"VoIP,PSTN,Private","initialMode":"Hybrid","SpeakerInfo":{"PhoneInfo":[{"description":"Default","number":"[REDACTED],"authToken":"AAFe4rYexu4Dm7qrL45/Egx+AAAAAFLdeSkAAAAAUt7KqUbWYmXH3OcczkhGaWRf0wM2OKWa","accessCode":"REDACTED"},"userId":"userId","authToken":"EAEBAQEBAQEBAQEBAQEBAQE=","privateMessage":"","audioKey":-1,"BridgeMutingControl":true,"VCBParams":{"Codec":[{"payloadType":103,"frameLength":30,"name":"ISAC","bitrate":32000,"channels":1,"samplingRate":16000},{"payloadType":0,"frameLength":20,"name":"PCMU","bitrate":64000,"ch
 
annels":1,"samplingRate":8000}],"VCB":{"port":5060,"ipAddr":"10.23.70.151"},"Options":{"asUpdates":true,"rtUpdates":true,"dtx":false}}}},"EndTime":1390239900000,"StartTime":1390237200000,"IsImpromptu":false}
D/G2M     (32190): Got response from legacy JSON API: 200
D/G2M     (32190): JoinService: Attempting to join Meeting
D/G2M     (32190): MeetingService: Starting Meeting join on legacy...
D/G2M     (32190): HttpRequest to: 
https://www.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
D/G2M     (32190): ServiceResolver: COLService: BaseURL [https://www1.gotomeeting.com], isLegacy [true}, isWebinar 
[false]
D/G2M     (32190): HttpRequest response from: GET 
https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
 -> 302
D/G2M     (32190): HttpRequest response body: GET 
https://www1.gotomeeting.com/meeting/getInfo/[MEETING_ID_REDACTED]?Portal=www.gotomeeting.com&android=true&MeetingID=[MEETING_ID_REDACTED]&PhoneInfo=,MachineID=WFNUUVtWBVRUVwRQAwUCAA==,G2MAppVersion=5.0.799.1238,BuildType=releaseBuild,Brand=google,Manufacturer=LGE,Model=Nexus5,AndroidVersionRelease=4.4.2,AndroidVersionIncremental=937116,ID=KOT49H,Product=hammerhead,Device=hammerhead,CpuABI=armeabi-v7a
 -> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<! ----- SNIPPET ------- !>

8. CVSS 2.0 BASE METRICS
========================
Reference Base Vector Base Score
CVSS Base Score
5.4
Impact Subscore
7.8
Exploitability Subscore
3.4
CVSS Temporal Score
5.1
CVSS Environmental Score
6.6
Modified Impact Subscore
10
Overall CVSS Score
6.6
        
9. REPORT TIMELINE
==================
[1] 01/20/2014 - Vulnerability discovered, internal contact notified
[2] 01/21/2014 - Citrix security team notified via email
[3] 01/22/2014 - Citrix asked for testing environment details; provided.
[4] 01/23/2014 - CVE provided by CNA; public disclosure.

10. REFERENCES
=============
https://www.securecoding.cert.org/confluence/display/java/DRD04-J.+Do+not+log+sensitive+information
https://play.google.com/store/apps/details?id=com.nolanlawson.logcat&hl=en
https://drive.google.com/file/d/0B3eEtV83VTFUWEgxSTRac3JvZlk/edit?usp=sharing
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2