iSEC Partners
Defcon 17
Introduction

Outline
1. Introduction
   The basics
   Common Stanzas
2. The victims
   Clients
   Servers
3. Attack scenarios
   DoS, DoS, and more DoS
   XML Parsing
   File/Image Upload
4. Tools
   Persimmon Proxy
   XMPP Fuzzer
5. Conclusion

Who am I?
Security Consultant, iSEC Partners
Prior to that, QA automation for various web 2.0 horrors
Eats babies

The basics

What is XMPP?

How it works
Decentralized
Addressing via JIDs of the format user@server

Common Attributes
type
  Specifies the purpose of the stanza
  Each stanza variety has its own list of acceptable types
xml:lang
  Only affects presentation to humans

Common Stanzas

Info/Query
Request info / receive response
Child element determines data content
Requester tracks by id
Patterned exchange

<iq type="result" id="purplece837cfa" to="aklpc1/acc45887">
  <bind xmlns="urn:ietf:params:xml:ns:xmpp-bind">
    <jid>test2@aklpc1/acc45887</jid>
  </bind>
</iq>

Presence
Publish/subscribe
Many receive updates from one; to usually omitted
Seen most frequently in IM applications as contact status updates

<presence from="test2@aklpc1/acc45887" to="avarice@gmail.com">
  <show>away</show>
  <priority>0</priority>
  <c xmlns="http://jabber.org/protocol/caps" node="http://mail.google.com/xmpp/client/caps" ver="1.1" ext="pmucv1 smsv1"/>
  <status/>
  <x xmlns="vcard-temp:x:update">
    <photo/>
  </x>
</presence>

Message
Fairly self-explanatory concept so long as you've ever, say, used email.

<message type="chat" id="purplece837d83" to="test1@aklpc1/f9e54d" from="test2@aklpc1/acc45887">
  <x xmlns="jabber:x:event">
    <composing/>
  </x>
  <active xmlns="http://jabber.org/protocol/chatstates"/>
  <body>?OTR:AAIDAAAAAAEAAAABAAAAwEgF/95+kxlcd8Z7I3jdNZtw8d8baZIg5uq0FV3JymhEXf5qJV/6P46yjwABFt4UmUqN8BwK7WnWGHlcxsrAvN/FJ4oxS0wLYcKRzI/eZ0edIFyhlyZBT17Ou1V2+67nnczJOGRq+A6wjz0ayoT1iRm1Dx1ZFLvKfRT3uiwbi8AfNG7uCtQAolGKBBp2h7RBVR95NfOrfx8G5Oh6BacdhslcssY0kC3Lwmo29rNOn/GVX+9CY0phs8kT+O5cLedhjI8y/+udYAAAAA.</body>
  <html xmlns="http://jabber.org/protocol/xhtml-im">
    <body xmlns="http://www.w3.org/1999/xhtml">?OTR:AAIDAAAAAAEAAAABAAAAwEgF/95+kxlcd8Z7I3jdNZtw8d8baZIg5uq0FV3JymhEXf5qJV/6P46yjwABFt4UmUqN8BwK7WnWGHlcxsrAvN/FJ4oxS0wLYcKRzI/eZ0edIFyhlyZBT17Ou1V2+67nnczJOGRq+A6wjz0ayoT1iRm1Dx1ZFLvKfRT3uiwbi8AfNG7uCtQAolGKBBp2h7RBVR95NfOrfx8G5Oh6BacdhslcssY0kC3Lwmo29rNOn/GVX+9CY0phs8kT+O5cLedhjI8y/+udYAAAAA.</body>
  </html>
</message>

The victims

Clients

Pidgin
The IM client formerly known as Gaim
Needed something based on libpurple
Obvious choice with 3 million users
...especially since it's my default
File transfers
XMPP console
http://www.pidgin.im/

Spark

Gajim

Gtalk
Skynet
Google's pet XMPP project
Jingle
Mobile versions
Offline Messaging
http://www.google.com/talk/

Servers

Openfire
Formerly known as Wildfire
Popular on corporate networks
User-friendly, easy to configure
Admin web interface
http://www.igniterealtime.org/projects/openfire/

JabberD14
Modular: certain features can be installed independently
Written in C/C++
Complex configuration requires messing directly with XML
Waning in popularity
http://jabberd.org/

JabberD2
Different codebase from JabberD14
Appear to have kept the project name just to be confusing
Main distinction seems to be that they're compliant with more RFCs than the original
http://codex.xiaoka.com/wiki/jabberd2:start

Attack scenarios

DoS
Excessive presence traffic makes for high overhead
Endemic scalability issues in XMPP
Parser errors tend to be ungraceful

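As an added example (not code from the talk, from Persimmon Proxy or from the XMPP Fuzzer), the following Python checker turns the earlier slides into concrete receive-side rules: each stanza variety's acceptable type list (Common Attributes), IQ responses matched to the requester's outstanding ids (Info/Query), and parser errors rejected rather than allowed to blow up the handler (the DoS slide's "ungraceful" parser errors). The type lists are the RFC 3920 core values, the namespace-stripping and the sample session are my assumptions, and the only stanza taken from the deck is the bind result.

```python
import xml.etree.ElementTree as ET

# Acceptable 'type' values per stanza variety (RFC 3920); iq must carry type and id.
STANZA_TYPES = {
    "iq": {"get", "set", "result", "error"},
    "presence": {"unavailable", "subscribe", "subscribed", "unsubscribe",
                 "unsubscribed", "probe", "error"},
    "message": {"normal", "chat", "groupchat", "headline", "error"},
}


def check_stanza(raw, pending_iq):
    """Validate one stanza; returns (accepted, reason). pending_iq holds the
    outstanding IQ request ids: get/set adds one, result/error must match one."""
    try:
        el = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"   # reject instead of crashing
    kind = el.tag.rsplit("}", 1)[-1]            # strip a jabber:client namespace
    if kind not in STANZA_TYPES:
        return False, f"unknown stanza <{kind}>"
    typ = el.get("type")
    if typ is not None and typ not in STANZA_TYPES[kind]:
        return False, f"type {typ!r} not allowed on <{kind}>"
    if kind == "iq":
        sid = el.get("id")
        if typ is None or sid is None:
            return False, "iq needs both type and id"
        if typ in ("get", "set"):
            pending_iq.add(sid)
        elif sid in pending_iq:
            pending_iq.remove(sid)
        else:
            return False, f"unsolicited iq {typ} for id {sid!r}"
    return True, kind


def triage(stanzas):
    """Run a stanza sequence through check_stanza with one shared id table."""
    pending = set()
    return [check_stanza(s, pending) for s in stanzas]


# Constructed session: a bind request, the deck's bind result for the same id,
# a presence that misuses type (status belongs in <show>), a truncated stanza.
SESSION = [
    '<iq type="set" id="purplece837cfa"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/></iq>',
    '<iq type="result" id="purplece837cfa" to="aklpc1/acc45887"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"><jid>test2@aklpc1/acc45887</jid></bind></iq>',
    '<presence type="away"><show>away</show></presence>',
    '<message type="chat"><body>unterminated',
]
```

Running `triage(SESSION)` accepts the first two stanzas and drops the last two; feeding the bind result alone, with no matching request, drops it as unsolicited.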
DoS Demo

XML Parsing

File/Image Upload
No restrictions on file type
Relatively new to most feature sets
Image insertion

Tools

Persimmon Proxy
Features
HTTP and XMPP
Intercept mode
Manual edit
Command replay
Multiple concurrent listeners

Download

XMPP Fuzzer
Features

Download

Conclusion

Summary
XMPP bugs are still out there
Here are some tools to help make that more obvious

Resources
XMPP Foundation
http://xmpp.org/
XMPP: The Definitive Guide: Building Real-Time Applications with Jabber Technologies
Peter Saint-Andre, Kevin Smith, Remko Tronçon, 2009

Questions?
https://www.isecpartners.com