How to Spoof Another User in MindAlign
by Terrible Doe
I work for a large financial corporation in the U.K. as a software developer. The company uses an internal chat system called MindAlign.
It was originally developed by a company called Parlano, but was bought by Microsoft and killed in favor of their own OCS GroupChat. However, MindAlign is still in use by five of the top seven global banks and many other organizations. Chances are if you've worked in a bank, you'll have this software installed.
Initially, the program itself doesn't appear very interesting. It uses a simple enough interface that allows the user to join in group chats, send private messages to people, manage chat history, and other Instant Messenger type features. MindAlign launches automatically and without any prompt when the user logs in. I assumed that it used Windows Authentication to identify the user and log them onto the chat system. I used it for a few days without thinking too much about it.
Several months later, during a normal business chat with a colleague, I noticed that the chat software highlighted and created a link based on a word that was preceded with a hash (e.g., #test). Clicking the #-word launches a window saying "Unable to create ad-hoc channel." This type of "#" identification reminded me of IRC.
That is when I decided to start looking into MindAlign a bit more. Sure enough, Parlano built the system on top of a standard IRC server with a Windows client on top. Not only that, but with a bit of digging around in the software logs, I saw that the client was not using Windows Authentication, but a token based Single Sign-On (SSO) system.
As per normal, the usual warnings apply. This is for information purposes only and if you get caught doing any of the things I mention, you could get fired or even prosecuted. So don't be stupid.
The first stop for me was the program data (typically installed to C:\Program Files\Parlano\MindAlign). I looked through the config files, executables, and logs. The logs did show what looked like connections to an IRC server, but there was limited information.
Eventually, I found a file called: logConfig.props
In this file, I changed the logging settings to VERBOSE to get the most data I could out of the system, and then I restarted the MindAlign software. Bingo!
The logs now contained lots of messages related to the initial SSO connection and the subsequent connection to the IRC server.
Now that I had the IRC server info, I immediately connected to the server and tried various ways to log into it. Nothing seemed to work even though it behaved like a standard IRC server. Back in the logs, I found that authenticating to the IRC server was done based on a token system driven by the SSO software.
Below is an example of the log data:
From that point, it was fairly simple to set up the hack.
Access to the target's machine is essential (easy enough for IT folk, but maybe a bit trickier for normal users). Modify the logging properties of the logConfig.props file to output in VERBOSE mode. Once that's been done, it will be easy to get the authentication token and user information.
Access the target's most recent log file and collect the AUTH key, USER, and NICK.
From there, simply connect to the IRC server and send the commands just like above (follow the << prompts).
Since the authorization has already been completed on the target's machine, the key will be valid even though a different NICK may be needed since the target is probably still connected.
The digits with the % in front of them are the UID of the signed in user. Once you've connected, you will appear as the target USER (even if the NICK is different) since the chat client software only looks at the mapped UID token.
This enables you to send messages around the office as the target by using the UID of the user to PRIVMSG. These UIDs can be gathered from the log as well.
Send a PRIVMSG using the syntax below:
The failure here is that:
Hopefully this article will open their eyes to these glaring holes.
Thanks to BearJew for the testing help.