Re: [xmpp] IQ Handling vulnerabilities

"Joe Hildebrand (jhildebr)" <jhildebr@cisco.com> Thu, 06 February 2014 21:58 UTC

Return-Path: <jhildebr@cisco.com>
X-Original-To: xmpp@ietfa.amsl.com
Delivered-To: xmpp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42CA11A044D for <xmpp@ietfa.amsl.com>; Thu, 6 Feb 2014 13:58:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.036
X-Spam-Level:
X-Spam-Status: No, score=-10.036 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8kNkGwUzsF5p for <xmpp@ietfa.amsl.com>; Thu, 6 Feb 2014 13:58:48 -0800 (PST)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) by ietfa.amsl.com (Postfix) with ESMTP id 7DC361A044C for <xmpp@ietf.org>; Thu, 6 Feb 2014 13:58:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1797; q=dns/txt; s=iport; t=1391723927; x=1392933527; h=from:to:subject:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=pH1JY0HDIIJmL4rK/1Qa79MMZtyRWLhSonUoGuDSnvM=; b=O4k9U//+rxN7eOC2dRmw9N7snb5XKitp1QmzITXPu5VVpqgZyAlJRp/k 4/R8ViDcckNAhuJupQ7g4MpcikrWLet7tHf9nHYsHzSskiJomKlcoC0YT f4rcmKYREgoAz5G6q/7MP9ngziZsKbC9ft4fgJosNOUjvc0gS0LkZOL9x Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgwFADYE9FKtJV2Z/2dsb2JhbABZgww4V753gQ8WdIImAQEEAQEBNzQbAgEINhAnCyUCBAESG4dqDc0HEwSPAYQ4BJgrkiGDLYIq
X-IronPort-AV: E=Sophos;i="4.95,796,1384300800"; d="scan'208";a="18583106"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by alln-iport-3.cisco.com with ESMTP; 06 Feb 2014 21:58:47 +0000
Received: from xhc-rcd-x14.cisco.com (xhc-rcd-x14.cisco.com [173.37.183.88]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id s16Lwlvp017967 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 6 Feb 2014 21:58:47 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.55]) by xhc-rcd-x14.cisco.com ([173.37.183.88]) with mapi id 14.03.0123.003; Thu, 6 Feb 2014 15:58:46 -0600
From: "Joe Hildebrand (jhildebr)" <jhildebr@cisco.com>
To: "kevin@kismith.co.uk" <kevin@kismith.co.uk>, XMPP Working Group <xmpp@ietf.org>
Thread-Topic: [xmpp] IQ Handling vulnerabilities
Thread-Index: AQHPIy5NY8RkLrfuaUqqtuYhYOIBR5qopVEA
Date: Thu, 6 Feb 2014 21:58:45 +0000
Message-ID: <CF194491.38AD3%jhildebr@cisco.com>
References: <CAOb_FnxS-dMT85N7LHj5M9JWk3pL85=ugrDqaT7j5d28HBr0Cw@mail.gmail.com>
In-Reply-To: <CAOb_FnxS-dMT85N7LHj5M9JWk3pL85=ugrDqaT7j5d28HBr0Cw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [10.154.232.38]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <5BD492AD7A714F4BB034AB21BB2ACC6C@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [xmpp] IQ Handling vulnerabilities
X-BeenThere: xmpp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: XMPP Working Group <xmpp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/xmpp>, <mailto:xmpp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/xmpp/>
List-Post: <mailto:xmpp@ietf.org>
List-Help: <mailto:xmpp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/xmpp>, <mailto:xmpp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2014 21:58:50 -0000

(as individual)

I think this is a very important issue.  I'm worried about the security
impact, and I think we need to give good guidance.

(as co-chair)

Who else thinks we need to work on this?

Can we start with an individual I-D that lays out the problem and
solution?  That would allow us to make good decisions about what the next
step would be.  Kev, that might be pretty quick for you to write...



On 2/6/14 3:26 AM, "Kevin Smith" <kevin@kismith.co.uk> wrote:

>Hi folks,
>  Discussion in the XSF and at the recent XMPP Summit has shown that
>there are widespread issues with handling of iq responses in XMPP
>software. This is probably something we need to consider handling.
>
>The basis of this is that many libraries/clients
>a) Only check the id of an iq error/result, not the sender, to check
>it matches one they've sent (Very Wrong)
>b) Use predictably generated ids for stanzas (ill-advised, but not
>strictly wrong)
>c) Use known resource strings (bad, but not strictly wrong)
>
>In conjunction, this leads to various obvious attacks with differing
>levels of severity, but for the sake of enumerating some, with some
>good fortune with timing against a vulnerable client you can: Fake
>contacts', or even their own, vcards; fake their roster so they think
>people have 'unfriended' them, or that they have already added someone
>unknown; deny capabilities discovery; make them think their server
>doesn't have a MUC service; and the list goes on and on.
>
>We certainly need to call this out explicitly in 3920ter, We might
>want to publish something in the interim.
>
>/K
>_______________________________________________
>xmpp mailing list
>xmpp@ietf.org
>https://www.ietf.org/mailman/listinfo/xmpp
>


-- 
Joe Hildebrand