[jdev] [Security] Spoofing of iq ids and misbehaving servers

Thijs Alkemade me at thijsalkema.de
Fri Jan 31 21:51:17 UTC 2014


To see which clients are vulnerable, I spent some time looking over the source
code of various libraries and clients. For most of these it was the first time
I've looked at the source (or even that programming language), so I may have
overlooked something.

Every single one of them had a way to send an iq and register a callback
to be called when a reply comes in. Most of these set the id of the iqs only
when the id wasn't set yet; the id generation I mention here therefore only
covers this automatic generation - they can be overridden.

There could also be some 'from' checking in the callback itself, not in the
code that calls it; I have not looked into that.


These use an incrementing counter to generate ids, starting from 0. This means
that, for example, roster retrieval always gets the same id and could be
spoofed by a fast enough attacker:

* Gajim (python-nbxmpp)
* Strophe
* Miranda
* InstantBird

Some randomness, but observing one value makes it possible to predict further
values:

* sleekxmpp: fixed UUID per session, concatenated with an incrementing counter
  starting from 0

* yaxim, ChatSecure Android and others (SMACK): random 5 characters(?) per
  session, concatenated with an incrementing counter

These seem to actually be sufficiently unpredictable between different iqs:

* ChatSecure iOS (XMPPFramework): UUID
* tkabber: incrementing counter, concatenated with 6 random decimal digits

Only two clients I've looked at verify that the 'from' actually matches the
'to' the iq was sent to:

* Pidgin (libpurple): incrementing counter starting from a random value
* Swift: UUID

Thijs
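The spoofing scenario Thijs describes, modelled as an added example that is not part of the original message and not code from any of the clients or libraries listed. The tracker below (hypothetical names: IqTracker, run, legitimate) registers a callback per outgoing iq, can generate ids either from a counter starting at 0 (as the mail reports for Gajim, Strophe, Miranda and InstantBird) or from 128 random bits, and can optionally verify that a reply's 'from' matches the request's 'to'. The rule it applies for requests without a 'to' (the reply comes from the user's own server: no 'from', the account's bare JID, or the server domain) is an assumption taken from RFC 6120 section 8.1.2.1. The forged roster result is a constructed sample: a contact answers our roster 'get' with a guessed id "0" and injects an item named "Admin".

```python
"""Model of an XMPP client's iq request/reply tracker and an id-spoofing attempt."""
import itertools
import secrets
import xml.etree.ElementTree as ET

NS = "jabber:client"


def bare(jid):
    """Strip the resource: 'a@b/r' -> 'a@b'."""
    return jid.split("/", 1)[0]


def domain(jid):
    return bare(jid).split("@")[-1]


class IqTracker:
    """Tracks outstanding iq requests and dispatches replies to callbacks (hypothetical).

    predictable=True mimics the counter-from-0 id generation the mail describes;
    check_from=True adds the 'from' verification the mail found only in Pidgin and Swift.
    """

    def __init__(self, own_jid, predictable=False, check_from=True):
        self.own_jid = own_jid
        self.predictable = predictable
        self.check_from = check_from
        self._counter = itertools.count()
        self._pending = {}  # id -> (addressee of the request, callback)

    def next_id(self):
        if self.predictable:
            return str(next(self._counter))  # "0", "1", "2", ... guessable
        return secrets.token_urlsafe(16)  # 128 random bits, not guessable

    def send(self, iq, callback):
        """Register a callback for the reply to `iq` (an ElementTree <iq/>); returns its id."""
        if iq.get("id") is None:  # like the libraries in the mail: only fill in a missing id
            iq.set("id", self.next_id())
        self._pending[iq.get("id")] = (iq.get("to"), callback)
        return iq.get("id")

    def _from_ok(self, requested_to, reply_from):
        # Assumption (RFC 6120 s8.1.2.1): a request without 'to' is handled by the user's
        # own server, whose reply carries no 'from', the account's bare JID or the domain.
        if requested_to is None:
            return reply_from in (None, bare(self.own_jid), domain(self.own_jid))
        # Otherwise the reply must come from exactly the JID we addressed.
        return reply_from == requested_to

    def receive(self, xml):
        """Feed one inbound stanza; returns True if a pending callback was dispatched."""
        iq = ET.fromstring(xml)
        if iq.tag != "{%s}iq" % NS or iq.get("type") not in ("result", "error"):
            return False
        entry = self._pending.get(iq.get("id"))
        if entry is None:
            return False  # unknown or unguessed id
        requested_to, callback = entry
        if self.check_from and not self._from_ok(requested_to, iq.get("from")):
            return False  # spoofed or misrouted reply: keep waiting for the real one
        del self._pending[iq.get("id")]
        callback(iq)
        return True


# Constructed sample stanzas (not captured traffic).
ROSTER_QUERY = '<iq xmlns="%s" type="get"><query xmlns="jabber:iq:roster"/></iq>' % NS


def forged_roster_result(guessed_id):
    """A contact answers our roster get with a guessed id, injecting a roster item."""
    return ('<iq xmlns="%s" type="result" id="%s" from="mallory@evil.example/x">'
            '<query xmlns="jabber:iq:roster">'
            '<item jid="mallory@evil.example" name="Admin" subscription="both"/>'
            '</query></iq>' % (NS, guessed_id))


def run(predictable, check_from, guessed_id="0"):
    """Send a roster get, then deliver the forged reply; returns (dispatched, senders seen)."""
    tracker = IqTracker("alice@example.org/laptop", predictable, check_from)
    seen = []
    tracker.send(ET.fromstring(ROSTER_QUERY), lambda iq: seen.append(iq.get("from")))
    return tracker.receive(forged_roster_result(guessed_id)), seen


def legitimate(reply_from='from="alice@example.org"'):
    """The genuine reply from the user's own server is still accepted by the hardened tracker."""
    tracker = IqTracker("alice@example.org/laptop")
    iq_id = tracker.send(ET.fromstring(ROSTER_QUERY), lambda iq: None)
    return tracker.receive('<iq xmlns="%s" type="result" id="%s" %s>'
                           '<query xmlns="jabber:iq:roster"/></iq>' % (NS, iq_id, reply_from))


if __name__ == "__main__":
    print("counter ids, no from check :", run(True, False))   # forged roster accepted
    print("counter ids, from check    :", run(True, True))    # rejected on 'from'
    print("random ids, no from check  :", run(False, False))  # rejected on id
    print("genuine server reply       :", legitimate())
```

Both defences are needed: the 'from' check stops a fellow user from answering an iq they did not receive, but it does nothing against the misbehaving server case from the subject line, since the server is exactly the party a 'to'-less request is addressed to; an unguessable id at least forces that server to be on-path rather than merely fast.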
