Re: [xmpp] IQ Handling vulnerabilities

Dave Cridland <dave@cridland.net> Fri, 07 February 2014 15:50 UTC

In-Reply-To: <CF1A369C.38BE2%jhildebr@cisco.com>
References: <CAOb_FnxS-dMT85N7LHj5M9JWk3pL85=ugrDqaT7j5d28HBr0Cw@mail.gmail.com> <CF194491.38AD3%jhildebr@cisco.com> <2F5E925F-021D-408E-91D9-3CC5BEB6BEC6@nostrum.com> <48F4D361-4403-47E6-862D-FBDDDEBCC642@xnyhps.nl> <CF1A369C.38BE2%jhildebr@cisco.com>
Date: Fri, 7 Feb 2014 15:50:51 +0000
Message-ID: <CAKHUCzyCwKbmnUoXLHW=XzYbiFrcg-dQsDojGUnA-_r3qK+_Vg@mail.gmail.com>
From: Dave Cridland <dave@cridland.net>
To: "Joe Hildebrand (jhildebr)" <jhildebr@cisco.com>
Cc: Ben Campbell <ben@nostrum.com>, XMPP Working Group <xmpp@ietf.org>
Subject: Re: [xmpp] IQ Handling vulnerabilities

On Fri, Feb 7, 2014 at 3:10 PM, Joe Hildebrand (jhildebr) <jhildebr@cisco.com> wrote:

> On 2/7/14 2:46 AM, "Thijs Alkemade" <thijs@xnyhps.nl> wrote:
>
> >The property we really want from ids is that predicting the next one(s)
> >given some historic ones is hard.
>
> (as individual)
>
> I agree with everything you said to this point.  However, I think we need
> to strengthen this a little: we want to ensure predicting the next one(s)
> in *any* way is hard.
>
> Luckily using the from address also mitigates this need slightly for some
> of the use cases.
>

What are the attacks possible against an entity using predictable stanza
ids, but which otherwise acts properly (i.e., checks to/from on responses,
etc.)?

I'm a bit confused - if an entity isn't checking the to/from of the
responses, then sure there's a slew of attacks possible. If it *also* has
predictable ids, then the attacks are easier - but they're the same
attacks. Aren't they?

I'm not saying that we shouldn't generally recommend unpredictable ids - it
seems relatively simple and causes little harm - but cryptographically
secure ones seem overkill, and I'm always nervous of imposing unneeded
drains on the entropy store of a system.

Also, I've mentioned this elsewhere, but I'll mention it here too: much of
the XMPP community seems focussed on clients exhibiting this class of bug,
and attacks against those clients. I strongly suspect that not all servers
are immune to this, and the attacks on servers are likely to be just as
fascinating.

Dave.
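The to/from check the message above turns on, as an added example that is not from this thread or from any XMPP implementation: a small IQ-response tracker that records each outstanding request together with the address it was sent to, and accepts a result or error only if its id is pending and its 'from' is an entity entitled to answer that request. The `demo()` function runs the same constructed result, carrying a guessed sequential id but the wrong sender, against a tracker that skips the 'from' check and one that enforces it. The JIDs, stanzas, the `IqTracker` class and the `check_from` switch are all assumptions made for the illustration; JID comparison is an exact string match rather than the normalised comparison a real client would do.

```python
"""Added example (not from the thread): an IQ-response tracker showing why
checking the 'from' of a result matters independently of id predictability.
All JIDs and stanzas below are constructed sample data."""
import secrets
import xml.etree.ElementTree as ET

NS = "jabber:client"


class IqTracker:
    """Records outstanding IQ requests and validates responses by id and sender."""

    def __init__(self, own_bare_jid, check_from=True):
        self.own_bare_jid = own_bare_jid
        self.own_domain = own_bare_jid.rsplit("@", 1)[-1]
        self.check_from = check_from          # hypothetical switch for the demo
        self.pending = {}                     # iq id -> 'to' the request went to

    @staticmethod
    def new_id():
        # Unpredictable id; ids only need to be unique per stream, so 12
        # random bytes (16 url-safe characters) is more than enough.
        return secrets.token_urlsafe(12)

    def send(self, to=None, iq_id=None):
        """Register a request; `to=None` models an IQ sent to the user's own server."""
        iq_id = iq_id or self.new_id()
        if iq_id in self.pending:
            raise ValueError("duplicate id in flight: %s" % iq_id)
        self.pending[iq_id] = to
        return iq_id

    def acceptable_senders(self, to):
        """Who may answer a request addressed to `to` (exact-match simplification;
        a real client would normalise both JIDs before comparing)."""
        if to is None:
            # RFC 6120 section 8.1.2.1: a server answering on behalf of the
            # account omits 'from' or uses the account's bare JID; queries
            # aimed at the server itself are answered from the server domain.
            return {None, self.own_bare_jid, self.own_domain}
        return {to}

    def handle(self, stanza_xml):
        """Return (verdict, reason) for one incoming stanza."""
        iq = ET.fromstring(stanza_xml)
        if iq.tag != "{%s}iq" % NS or iq.get("type") not in ("result", "error"):
            return ("ignored", "not an IQ response")
        iq_id = iq.get("id")
        if iq_id not in self.pending:
            return ("rejected", "no request with id %r" % iq_id)
        sender = iq.get("from")
        if self.check_from and sender not in self.acceptable_senders(self.pending[iq_id]):
            # Guessing the id is not enough: the answer must come from whoever we asked.
            return ("rejected", "from %r does not match request" % sender)
        del self.pending[iq_id]               # a response is consumed exactly once
        return ("accepted", iq_id)


def demo():
    """Same spoofed result against a from-checking and a non-checking client."""
    # Constructed sample: the id was guessed (sequential "1") but the sender
    # is not the entity the request was addressed to.
    spoofed = ("<iq xmlns='jabber:client' type='result' id='1' "
               "from='mallory@example.org/pc' to='alice@example.com/pc'/>")
    genuine = ("<iq xmlns='jabber:client' type='result' id='1' "
               "from='bob@example.com/pc' to='alice@example.com/pc'/>")

    lax = IqTracker("alice@example.com", check_from=False)
    lax.send(to="bob@example.com/pc", iq_id="1")      # predictable id
    lax_verdict = lax.handle(spoofed)[0]              # "accepted": the bug

    strict = IqTracker("alice@example.com", check_from=True)
    strict.send(to="bob@example.com/pc", iq_id="1")   # same predictable id
    strict_verdict = strict.handle(spoofed)[0]        # "rejected"
    strict_genuine = strict.handle(genuine)[0]        # "accepted"
    return lax_verdict, strict_verdict, strict_genuine


if __name__ == "__main__":
    print(demo())
```

Running it returns `('accepted', 'rejected', 'accepted')`: with the 'from' check in place the guessed id buys the wrong sender nothing, which is the point made above, and the id pool only has to be unique rather than secret. The `to=None` branch is the caveat a client author hits first: responses to account-level requests legitimately arrive with no 'from' at all, so an over-strict check that demands an exact match there breaks ordinary roster and storage queries.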