[xmpp] IQ Handling vulnerabilities
Kevin Smith <kevin@kismith.co.uk> Thu, 06 February 2014 11:26 UTC
To: XMPP Working Group <xmpp@ietf.org>

Hi folks,

Discussion in the XSF and at the recent XMPP Summit has shown that there are widespread issues with handling of iq responses in XMPP software. This is probably something we need to consider handling.

The basis of this is that many libraries/clients
a) Only check the id of an iq error/result, not the sender, to check it matches one they've sent (Very Wrong)
b) Use predictably generated ids for stanzas (ill-advised, but not strictly wrong)
c) Use known resource strings (bad, but not strictly wrong)

In conjunction, this leads to various obvious attacks with differing levels of severity, but for the sake of enumerating some, with some good fortune with timing against a vulnerable client you can: Fake contacts', or even their own, vcards; fake their roster so they think people have 'unfriended' them, or that they have already added someone unknown; deny capabilities discovery; make them think their server doesn't have a MUC service; and the list goes on and on.

We certainly need to call this out explicitly in 3920ter. We might want to publish something in the interim.

/K
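
The checks behind points (a) and (b), as an added example that is not part of the original message or of any XMPP library: a hypothetical `IqTracker` that issues unpredictable ids and accepts an iq result/error only when both the id and the sender match a pending request. The JIDs, the simplified `norm` comparison, and the treatment of a missing 'from' as the user's own account are assumptions.

```python
import secrets
import xml.etree.ElementTree as ET

OWN_JID = "juliet@example.com/balcony"  # constructed sample account


def norm(jid):
    """Simplified JID comparison form: lower-case local@domain, resource kept
    as is. A real client would apply the full JID preparation rules."""
    bare, sep, resource = jid.partition("/")
    return bare.lower() + sep + resource


class IqTracker:
    """Hypothetical helper: tracks outstanding iq requests by id AND peer."""

    def __init__(self, own_jid):
        self.own_bare = norm(own_jid).partition("/")[0]
        self.pending = {}  # id -> JID the request was sent to

    def register(self, to=None):
        """Record an outgoing get/set and return its id."""
        iq_id = secrets.token_urlsafe(16)  # unpredictable, not a counter (b)
        # A request with no 'to' is addressed to our own account.
        self.pending[iq_id] = norm(to) if to else self.own_bare
        return iq_id

    def accept(self, stanza_xml):
        """True only for a result/error whose id is pending and whose sender
        is the entity that request went to (a)."""
        iq = ET.fromstring(stanza_xml)
        if iq.tag.rsplit("}", 1)[-1] != "iq":
            return False
        if iq.get("type") not in ("result", "error"):
            return False
        expected = self.pending.get(iq.get("id"))
        if expected is None:
            return False
        sender = iq.get("from")
        # Assumption: a reply without 'from' comes from our own account.
        sender = norm(sender) if sender else self.own_bare
        if sender != expected:
            return False  # request stays pending for the genuine reply
        del self.pending[iq.get("id")]
        return True
```

A response that carries the right id but the wrong sender is dropped without clearing the pending entry, so the genuine reply is still accepted when it arrives.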