[jdev] Security-related thought experiment
Pedro Melo
melo at co.sapo.pt
Sat Mar 25 10:55:30 CST 2006
Hi,
On Mar 25, 2006, at 6:32 AM, Robert B Quattlebaum, Jr. wrote:
> I was thinking the other day about a specific type of denial-of-
> service attack which may possibly affect a number of servers in
> active use today.
>
> Imagine a c2s connection that has already been set up and is now
> moving top-level stanzas. What would happen if I sent
>
> <message to="randomjid at jabber.org"><body>
>
> Followed by a stream of random UTF-8 characters? Assuming that
> those random characters do not happen to contain <, >, or &, (which
> is pretty easy to ensure), I would imagine that the process which
> has the XML parser would get larger and larger until the process
> would run out of memory. Boom.
>
> This attack (in spirit) doesn't require a fully established jabber
> stream, it only needs an opportunity to inject a large amount of
> data into an XML element that is inside of a top-level stanza. This
> attack could possibly work for attributes as well.
>
> Limiting the size of a single stanza may or may not fix the
> problem, depending on implementation. If the stanza size filter is
> applied to the stanza after it has been parsed, then this isn't
> good enough--the attack will still be successful because the stanza
> will never finish parsing. However, if the parser kept track of how
> large the stanza was getting as it was parsing it, then this attack
> can be avoided.
>
> Any thoughts, or other methods of preventing this attack from being
> successful? Or has this already been considered and "fixed"?
Another variant:
open a tcp connection to a jabber server, and send a
<streeeeeeeeeam> stanza, making sure you use a lot of 'e's.
Unless your XML parser has DoS detection and prevention, like
over-x-bytes node names, attributes, values and data, you are
vulnerable to these.
Best regards,
--
HIId: Pedro Melo
SMTP: melo at co.sapo.pt
XMPP: pedro.melo at sapo.pt
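The defence both posts converge on is a byte budget enforced while the stream is being parsed, not after a stanza has been parsed. The following is an added example, not code from the thread or from any server mentioned in it: a small Python wrapper around the standard library's expat parser that counts bytes fed since the last stanza boundary and aborts once the budget is exceeded. The stream header, the JID, the limit of 4096 bytes and the chunk size are constructed values for the demonstration.

```python
import xml.parsers.expat


class StanzaTooLarge(Exception):
    """Raised when input keeps arriving without a stanza boundary."""


class BoundedStreamParser:
    """Incremental stream parser with a byte budget per top-level stanza.

    The budget is charged as bytes are fed and reset only when a stanza
    (a child of the root element) completes or when the root element itself
    opens.  An unterminated <body> full of filler, or a stream header whose
    name never ends, therefore hits the limit instead of growing memory.
    """

    def __init__(self, max_stanza_bytes=65536):
        self.max_stanza_bytes = max_stanza_bytes
        self.depth = 0
        self.bytes_since_boundary = 0
        self.completed = []          # (name, attrs, text) of finished stanzas
        self._name = None
        self._attrs = None
        self._text = []
        p = xml.parsers.expat.ParserCreate()   # no namespace processing
        p.StartElementHandler = self._start
        p.EndElementHandler = self._end
        p.CharacterDataHandler = self._chars
        self._parser = p

    def feed(self, chunk: bytes) -> list:
        """Feed one network read; return stanzas completed by this chunk."""
        before = len(self.completed)
        # Charge the budget first; a boundary inside the chunk resets it in
        # the callbacks, so the worst case is an undercount of one chunk.
        # Callers therefore read the socket in bounded-size chunks.
        self.bytes_since_boundary += len(chunk)
        self._parser.Parse(chunk, False)
        if self.bytes_since_boundary > self.max_stanza_bytes:
            raise StanzaTooLarge(
                f"{self.bytes_since_boundary} bytes without a stanza boundary "
                f"(limit {self.max_stanza_bytes})")
        return self.completed[before:]

    def _start(self, name, attrs):
        self.depth += 1
        if self.depth == 1:          # stream header fully parsed
            self.bytes_since_boundary = 0
        elif self.depth == 2:        # a top-level stanza begins
            self._name, self._attrs, self._text = name, attrs, []

    def _end(self, name):
        if self.depth == 2:          # stanza complete: a boundary
            self.completed.append((self._name, self._attrs, "".join(self._text)))
            self.bytes_since_boundary = 0
        self.depth -= 1

    def _chars(self, data):
        if self.depth >= 2:          # only buffer text that belongs to a stanza
            self._text.append(data)


# Constructed, simplified stream header for the demonstration.
STREAM_HEADER = (b"<stream:stream xmlns:stream='http://etherx.jabber.org/streams' "
                 b"version='1.0'>")


def feed_until_rejected(parser, prefix, filler, chunk_size, max_chunks):
    """Feed prefix, then filler chunks; return how many filler chunks were
    accepted before StanzaTooLarge was raised (max_chunks if it never was)."""
    parser.feed(prefix)
    for i in range(max_chunks):
        try:
            parser.feed(filler * chunk_size)
        except StanzaTooLarge:
            return i
    return max_chunks


if __name__ == "__main__":
    p = BoundedStreamParser(max_stanza_bytes=4096)
    p.feed(STREAM_HEADER)
    print(p.feed(b"<message to='alice@example.test'><body>hi</body></message>"))
    # Open <body> followed by filler that never closes the stanza.
    print(feed_until_rejected(p, b"<message to='alice@example.test'><body>",
                              b"x", 1024, 10), "chunks accepted before rejection")
    # The second variant: a stream header whose name never ends.
    p2 = BoundedStreamParser(max_stanza_bytes=4096)
    print(feed_until_rejected(p2, b"<stre", b"e", 1024, 10),
          "chunks accepted before rejection")
```

Because the counter is charged on raw bytes fed rather than on parsed nodes, the check does not depend on the parser ever reporting the oversized element, which is exactly the failure the post-parse size filter has; the same counter also bounds the pending text buffer that a server accumulates for the stanza in flight.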