[xmpp] IQ Handling vulnerabilities

Kevin Smith <kevin@kismith.co.uk> Thu, 06 February 2014 11:26 UTC

Date: Thu, 06 Feb 2014 11:26:30 +0000
Message-ID: <CAOb_FnxS-dMT85N7LHj5M9JWk3pL85=ugrDqaT7j5d28HBr0Cw@mail.gmail.com>
From: Kevin Smith <kevin@kismith.co.uk>
To: XMPP Working Group <xmpp@ietf.org>
Subject: [xmpp] IQ Handling vulnerabilities

Hi folks,
  Discussion in the XSF and at the recent XMPP Summit has shown that
there are widespread issues with handling of iq responses in XMPP
software. This is probably something we need to consider handling.

The basis of this is that many libraries/clients
a) Only check the id of an iq error/result, not the sender, to check
it matches one they've sent (Very Wrong)
b) Use predictably generated ids for stanzas (ill-advised, but not
strictly wrong)
c) Use known resource strings (bad, but not strictly wrong)

In conjunction, this leads to various obvious attacks with differing
levels of severity, but for the sake of enumerating some, with some
good fortune with timing against a vulnerable client you can: Fake
contacts', or even their own, vcards; fake their roster so they think
people have 'unfriended' them, or that they have already added someone
unknown; deny capabilities discovery; make them think their server
doesn't have a MUC service; and the list goes on and on.

We certainly need to call this out explicitly in 3920ter; we might
want to publish something in the interim.

/K
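As an added example (not code from Kevin's post or from any XMPP library), the following Python tracker shows the check that item (a) omits: an iq result/error is accepted only if both its id and its from attribute match the request it answers, and ids are generated unpredictably to cover item (b). The class and function names, the JIDs, and the treatment of replies to requests that had no 'to' (accepted from the user's own bare JID, own server, or with no from, per RFC 6120) are assumptions made for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed example; names are hypothetical, not any library's API.


def new_iq_id():
    # 128 bits of randomness so a third party cannot guess the id of a
    # request in flight (the weakness listed as item (b) in the post).
    return secrets.token_urlsafe(16)


class IqTracker:
    def __init__(self, own_bare_jid):
        self.own_bare_jid = own_bare_jid
        self.own_domain = own_bare_jid.split("@", 1)[1]
        self.pending = {}  # iq id -> JID the request was sent to (None = no 'to')

    def send(self, to=None):
        """Register an outgoing iq request and return its fresh id."""
        iq_id = new_iq_id()
        self.pending[iq_id] = to
        return iq_id

    def accept(self, stanza_xml):
        """Return (id, element) if the stanza is a genuine reply to a pending
        request, else None. Checks sender as well as id (the check item (a) skips)."""
        el = ET.fromstring(stanza_xml)
        if el.tag != "{jabber:client}iq" or el.get("type") not in ("result", "error"):
            return None
        iq_id = el.get("id")
        if iq_id not in self.pending:
            return None  # unknown id: not a reply to anything we sent
        expected = self.pending[iq_id]
        sender = el.get("from")
        if expected is None:
            # Request had no 'to', so it went to our own account/server, which
            # RFC 6120 allows to answer with no 'from' at all.
            ok = sender in (None, self.own_bare_jid, self.own_domain)
        else:
            ok = sender == expected  # id alone is not enough
        if not ok:
            # Leave the request pending: the real reply may still arrive.
            return None
        del self.pending[iq_id]  # consume once, so the reply cannot be replayed
        return iq_id, el
```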