Re: [xmpp] IQ Handling vulnerabilities

Matt Miller <mamille2@cisco.com> Thu, 06 February 2014 22:14 UTC

Message-ID: <52F4093E.8000704@cisco.com>
Date: Thu, 06 Feb 2014 15:14:22 -0700
From: Matt Miller <mamille2@cisco.com>
To: "Joe Hildebrand (jhildebr)" <jhildebr@cisco.com>, Kevin Smith <kevin@kismith.co.uk>, XMPP Working Group <xmpp@ietf.org>
References: <CAOb_FnxS-dMT85N7LHj5M9JWk3pL85=ugrDqaT7j5d28HBr0Cw@mail.gmail.com> <CF194491.38AD3%jhildebr@cisco.com>
In-Reply-To: <CF194491.38AD3%jhildebr@cisco.com>
Subject: Re: [xmpp] IQ Handling vulnerabilities


On 2/6/14, 2:58 PM, Joe Hildebrand (jhildebr) wrote:
> (as individual)
> 
> I think this is a very important issue.  I'm worried about the
> security impact, and I think we need to give good guidance.
> 
> (as co-chair)
> 
> Who else thinks we need to work on this?
> 
> Can we start with an individual I-D that lays out the problem and 
> solution?  That would allow us to make good decisions about what
> the next step would be.  Kev, that might be pretty quick for you to
> write...
> 
> On 2/6/14 3:26 AM, "Kevin Smith" <kevin@kismith.co.uk> wrote:
> 
>> Hi folks,
>> 
>> Discussion in the XSF and at the recent XMPP Summit has shown that
>> there are widespread issues with handling of iq responses in XMPP
>> software. This is probably something we need to consider handling.
>> 
>> The basis of this is that many libraries/clients
>> a) Only check the id of an iq error/result, not the sender, to check
>>    it matches one they've sent (Very Wrong)
>> b) Use predictably generated ids for stanzas (ill-advised, but not
>>    strictly wrong)
>> c) Use known resource strings (bad, but not strictly wrong)
>> 
>> In conjunction, this leads to various obvious attacks with
>> differing levels of severity, but for the sake of enumerating
>> some, with some good fortune with timing against a vulnerable
>> client you can: Fake contacts', or even their own, vcards; fake
>> their roster so they think people have 'unfriended' them, or that
>> they have already added someone unknown; deny capabilities
>> discovery; make them think their server doesn't have a MUC
>> service; and the list goes on and on.
>> 
>> We certainly need to call this out explicitly in 3920ter. We
>> might want to publish something in the interim.
>> 
>> /K

I agree this is an important issue that needs to be addressed.  I
think someone submitting an I-D is a fine starting point.


-- 
- m&m

Matt Miller <mamille2@cisco.com>
Cisco Systems, Inc.
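As an added illustration (not code from this thread, nor from any XMPP library), here is the check Kevin's point (a) asks for: a client-side tracker that matches an incoming IQ result/error on its id and on its sender, and that generates unpredictable ids for point (b). The rule for which senders may answer a request addressed to the user's own account or server is my reading of RFC 6120 and is an assumption; the JIDs and stanzas are constructed sample values.

```python
import secrets
from typing import Dict, Optional
import xml.etree.ElementTree as ET


def new_iq_id() -> str:
    """Unpredictable stanza id; a sequential counter would let a third party guess it (point b)."""
    return secrets.token_urlsafe(16)


class IqTracker:
    """Tracks outstanding IQ requests and accepts a response only if BOTH id and sender match."""

    def __init__(self, own_bare_jid: str):
        self.own_bare_jid = own_bare_jid
        self.server = own_bare_jid.split("@", 1)[1]
        # id -> the 'to' of the request we sent (None when the request had no 'to')
        self.pending: Dict[str, Optional[str]] = {}

    def send(self, to: Optional[str]) -> str:
        iq_id = new_iq_id()
        self.pending[iq_id] = to
        return iq_id

    def _sender_ok(self, expected: Optional[str], actual: Optional[str]) -> bool:
        # Assumption (RFC 6120 reading): a request sent with no 'to', to our own bare JID,
        # or to our server may be answered with no 'from', our bare JID, or the server domain.
        if expected in (None, self.own_bare_jid, self.server):
            return actual in (None, self.own_bare_jid, self.server)
        # Otherwise the responder must be exactly the full JID we addressed.
        return actual == expected

    def accept(self, stanza: str) -> bool:
        """Return True if the stanza is a genuine response to one of our pending requests."""
        iq = ET.fromstring(stanza)
        if iq.tag.rpartition("}")[2] != "iq" or iq.get("type") not in ("result", "error"):
            return False
        iq_id = iq.get("id")
        if iq_id not in self.pending:
            return False  # unknown or already-consumed id (also stops replays)
        if not self._sender_ok(self.pending[iq_id], iq.get("from")):
            return False  # right id, wrong sender: drop it, keep waiting for the real reply
        del self.pending[iq_id]
        return True


def spoof_demo() -> bool:
    """Constructed scenario: a third party guesses the id of a pending vCard request."""
    t = IqTracker("juliet@example.com")
    rid = t.send("romeo@example.com/orchard")
    forged = "<iq xmlns='jabber:client' type='result' id='%s' from='mallory@example.net/x'><vCard xmlns='vcard-temp'/></iq>" % rid
    genuine = "<iq xmlns='jabber:client' type='result' id='%s' from='romeo@example.com/orchard'><vCard xmlns='vcard-temp'/></iq>" % rid
    return (not t.accept(forged)) and t.accept(genuine)
```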