Re: [xmpp] IQ Handling vulnerabilities
Matt Miller <mamille2@cisco.com> Thu, 06 February 2014 22:14 UTC
To: "Joe Hildebrand (jhildebr)" <jhildebr@cisco.com>, Kevin Smith <kevin@kismith.co.uk>, XMPP Working Group <xmpp@ietf.org>
On 2/6/14, 2:58 PM, Joe Hildebrand (jhildebr) wrote:
> (as individual)
>
> I think this is a very important issue. I'm worried about the
> security impact, and I think we need to give good guidance.
>
> (as co-chair)
>
> Who else thinks we need to work on this?
>
> Can we start with an individual I-D that lays out the problem and
> solution? That would allow us to make good decisions about what
> the next step would be. Kev, that might be pretty quick for you to
> write...
>
> On 2/6/14 3:26 AM, "Kevin Smith" <kevin@kismith.co.uk> wrote:
>
>> Hi folks,
>> Discussion in the XSF and at the recent XMPP Summit has
>> shown that there are widespread issues with handling of iq
>> responses in XMPP software. This is probably something we need to
>> consider handling.
>>
>> The basis of this is that many libraries/clients
>> a) Only check the id of an iq error/result, not the sender, to
>>    check it matches one they've sent (Very Wrong)
>> b) Use predictably generated ids for stanzas (ill-advised, but
>>    not strictly wrong)
>> c) Use known resource strings (bad, but not strictly wrong)
>>
>> In conjunction, this leads to various obvious attacks with
>> differing levels of severity, but for the sake of enumerating
>> some, with some good fortune with timing against a vulnerable
>> client you can: Fake contacts', or even their own, vcards; fake
>> their roster so they think people have 'unfriended' them, or that
>> they have already added someone unknown; deny capabilities
>> discovery; make them think their server doesn't have a MUC
>> service; and the list goes on and on.
>>
>> We certainly need to call this out explicitly in 3920ter, We
>> might want to publish something in the interim.
>>
>> /K
>

I agree this is an important issue that needs to be addressed.
I think someone submitting an I-D is a fine starting point.

--
- m&m

Matt Miller <mamille2@cisco.com>
Cisco Systems, Inc.
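
The check missing in point a) of the quoted report, combined with the unpredictable ids that point b) calls for, sketched as an added example (not part of the original thread and not code from any XMPP library). The `IqTracker` class, its method names and the JIDs are hypothetical; the example assumes that a request sent without a 'to' is answered by the user's own server with 'from' absent or set to the account's bare JID.

```python
import secrets


class IqTracker:
    """Match incoming iq result/error stanzas to requests by id AND sender."""

    def __init__(self, own_bare_jid):
        self.own_bare_jid = own_bare_jid
        self.pending = {}  # iq id -> JID the request was sent to (None = own server)

    def send(self, to=None):
        # Unpredictable id: 128 bits from the OS CSPRNG instead of a counter.
        iq_id = secrets.token_urlsafe(16)
        self.pending[iq_id] = to
        return iq_id

    def _sender_ok(self, expected_to, sender):
        if expected_to is None:
            # Assumption of this example: a request with no 'to' is answered by
            # the user's own server, 'from' absent or the account's bare JID.
            return sender is None or sender == self.own_bare_jid
        # Exact match here; production code should compare normalized JIDs.
        return sender == expected_to

    def receive(self, iq_type, iq_id, sender):
        """Return True only if this stanza answers a pending request."""
        if iq_type not in ("result", "error"):
            return False
        if iq_id not in self.pending:
            return False
        if not self._sender_ok(self.pending[iq_id], sender):
            # Right id, wrong JID: drop it and keep waiting for the real reply.
            return False
        del self.pending[iq_id]
        return True


def demo():
    # Constructed JIDs, for illustration only.
    t = IqTracker("juliet@example.com")
    vcard_id = t.send(to="romeo@example.net")
    roster_id = t.send()  # no 'to': addressed to the user's own server
    return [
        t.receive("result", vcard_id, "mallory@example.org/x"),  # wrong sender
        t.receive("result", vcard_id, "romeo@example.net"),      # real answer
        t.receive("result", vcard_id, "romeo@example.net"),      # no longer pending
        t.receive("result", roster_id, "mallory@example.org/x"), # wrong sender
        t.receive("result", roster_id, None),                    # own server
    ]
```

A mismatched sender leaves the request pending, so the genuine response is still accepted when it arrives.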