[jdev] [Security] Spoofing of iq ids and misbehaving servers

Thijs Alkemade me at thijsalkema.de
Mon Feb 3 20:43:09 UTC 2014


I've filed tickets today for:

XMPPFramework: https://github.com/robbiehanson/XMPPFramework/issues/300
Strophe.js: https://github.com/strophe/strophejs/issues/56
SleekXMPP: https://github.com/fritzy/SleekXMPP/issues/278
Miranda-NG: http://trac.miranda-ng.org/ticket/569

A ticket for SMACK already existed:

http://issues.igniterealtime.org/browse/SMACK-533?jql=project%20%3D%20SMACK

All of these I managed to spoof in one way or another.

Additionally, I found out both XMPPFramework and SMACK do not check the 'from'
on roster pushes. This means that any attacker who knows your resource can, at
any moment, so not just a well-timed 100ms window during login, add new
entries to somebody's roster. That was filed separately for SMACK here:

http://issues.igniterealtime.org/browse/SMACK-538?jql=project%20%3D%20SMACK

Gajim seems to be working properly; all attempts I made did not work (spoofing
vcards, iq:version replies, rosters). InstantBird is still using libpurple
instead of their JS implementation, so investigating that again was not
necessary. I could not get tkabber to run, so I did not test that further.

Thijs
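The checks the post says several clients are missing, written out as an added example (not code from the post or from any of the libraries it names). It applies the rule of RFC 6121 §2.1.6 that a roster push must be ignored unless its 'from' is absent or equals the user's own bare JID, and the rule of RFC 6120 §8.1.2.1 that an IQ result or error must be matched to a pending request by 'id' and must come from the JID the request was sent to (or, for a request with no 'to', from the server or the user's bare JID). The JIDs and stanzas are constructed for the demo; the `IqValidator` class and its method names are this example's own.

```python
"""Defensive validation of inbound XMPP IQ stanzas (roster pushes and replies).

Added example; not code from the post or from Smack, Strophe.js, SleekXMPP
or XMPPFramework. Sample JIDs and stanzas below are constructed.
"""
import xml.etree.ElementTree as ET

CLIENT_NS = "jabber:client"
ROSTER_NS = "jabber:iq:roster"


def bare_jid(jid):
    """Strip the resource: 'user@host/res' -> 'user@host'."""
    return jid.split("/", 1)[0] if jid else jid


class IqValidator:
    """Tracks outstanding IQ requests and validates what comes back."""

    def __init__(self, own_full_jid):
        self.bare = bare_jid(own_full_jid)          # e.g. alice@example.com
        self.domain = self.bare.split("@", 1)[-1]   # e.g. example.com
        self.pending = {}                           # iq id -> 'to' of the request

    def send_iq(self, iq_id, to=None):
        """Record an outgoing request so only a matching reply is accepted."""
        self.pending[iq_id] = to

    @staticmethod
    def is_roster_push(iq):
        return iq.get("type") == "set" and iq.find(f"{{{ROSTER_NS}}}query") is not None

    def roster_push_trusted(self, iq):
        # RFC 6121 2.1.6: only the user's own server may push roster changes,
        # so 'from' must be missing or exactly the user's bare JID. A full JID,
        # a contact, or any other domain is rejected (the spoof described above).
        frm = iq.get("from")
        return frm is None or frm == self.bare

    def reply_trusted(self, iq):
        # RFC 6120 8.1.2.1: a result/error must answer a request we actually sent
        # (matched by id) and must come from where that request went.
        iq_id = iq.get("id")
        if iq_id not in self.pending:
            return False                            # unsolicited or replayed id
        expected = self.pending[iq_id]
        frm = iq.get("from")
        if expected is None:
            # Request had no 'to': it was handled by our own server, which
            # answers with no 'from', our bare JID, or its own domain.
            ok = frm in (None, self.bare, self.domain)
        else:
            ok = frm == expected
        if ok:
            # Consume the id only on a valid reply, so a forged stanza with a
            # guessed id cannot knock out the legitimate reply that follows.
            del self.pending[iq_id]
        return ok

    def handle(self, raw):
        """Classify one inbound stanza: 'roster-push', 'reply' or 'rejected'."""
        iq = ET.fromstring(raw)
        if iq.tag not in ("iq", f"{{{CLIENT_NS}}}iq"):
            return "rejected"
        if self.is_roster_push(iq):
            return "roster-push" if self.roster_push_trusted(iq) else "rejected"
        if iq.get("type") in ("result", "error"):
            return "reply" if self.reply_trusted(iq) else "rejected"
        return "rejected"


# Constructed stanzas for the demo.
SPOOFED_PUSH = (
    f"<iq xmlns='{CLIENT_NS}' type='set' id='p1' from='mallory@attacker.example/x'>"
    f"<query xmlns='{ROSTER_NS}'><item jid='mallory@attacker.example' name='Boss'/></query></iq>"
)
GENUINE_PUSH = (
    f"<iq xmlns='{CLIENT_NS}' type='set' id='p2'>"
    f"<query xmlns='{ROSTER_NS}'><item jid='bob@example.com' subscription='both'/></query></iq>"
)
SPOOFED_REPLY = f"<iq xmlns='{CLIENT_NS}' type='result' id='v1' from='mallory@attacker.example/x'/>"
GENUINE_REPLY = f"<iq xmlns='{CLIENT_NS}' type='result' id='v1' from='bob@example.com/phone'/>"


if __name__ == "__main__":
    v = IqValidator("alice@example.com/laptop")
    v.send_iq("v1", to="bob@example.com/phone")
    for raw in (SPOOFED_PUSH, GENUINE_PUSH, SPOOFED_REPLY, GENUINE_REPLY):
        print(v.handle(raw), "<-", raw[:60])
```

The validator keeps the pending id alive after a rejected reply on purpose: if a mismatch consumed the id, a forged stanza arriving first would make the client drop the real answer, turning a spoofing bug into a denial of service.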