Multiple XMPP Clients User Impersonation Vulnerability

2017.02.10
Credit: Georg Lukas
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2017-5591
CWE: CWE-346


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Summary ------- An incorrect implementation of XEP-0280: Message Carbons[0] in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. Classification -------------- - CWE-304: Missing Critical Step in Authentication - CWE-940: Improper Verification of Source of a Communication Channel - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N (score 7.1) Affected Applications --------------------- - CVE-2017-5589: yaxim and Bruno (0.8.6 - 0.8.8; Android) - CVE-2017-5590: ChatSecure (3.2.0 - 4.0.0; only iOS) and Zom (all versions up to 1.0.11; only iOS) - CVE-2017-5591: poezio (0.8 - 0.10) - CVE-2017-5592: profanity (0.4.7 - 0.5.0) - CVE-2017-5593: Psi+ (0.16.563.580 - 0.16.571.627) - CVE-2017-5602: jappix (1.0.0 to 1.1.6) - CVE-2017-5603: Jitsi (2.5.5061 - 2.9.5544) - CVE-2017-5604: mcabber (1.0.0 - 1.0.4) - CVE-2017-5605: Movim (0.8 - 0.10) - CVE-2017-5606: Xabber (only if manually enabled: 1.0.30, 1.0.30 VIP, beta 1.0.3 - 1.0.74; Android) - CVE-2017-5858: Converse.js (0.8.0 - 1.0.6, 2.0.0 - 2.0.4) Affected Libraries ------------------ - CVE-2017-5591: SleekXMPP unknown up to 1.3.1 - CVE-2017-5591: Slixmpp all versions up to 1.2.3 Details ------- The XMPP protocol extension "XEP-0280: Message Carbons"[0] allows a user to run multiple clients on their XMPP account by sending "carbon copies" of outgoing and incoming messages to the user's other devices (besides the one that directly sent or received the original message). This feature must be supported by the user's server and must be explicitly enabled by the client. Carbon copies are always generated by the user's server and originate from the user's bare JID (their account address). For example, the following is message "Hi!", sent by Alice (`alice@xmpp.example`) to Bob's client 1 (`bob@xmpp.example/client1`): <message from="alice@xmpp.example" to="bob@xmpp.example/client1"> <body>Hi!</body> </message> Bob is also logged in with carbons-enabled client 2, which receives the following carbon-copy of the message: <message from="bob@xmpp.example" to="bob@xmpp.example/client2"> <received xmlns='urn:xmpp:carbons:2'><forwarded xmlns='urn:xmpp:forward:0'> <message from="alice@xmpp.example" to="bob@xmpp.example/client1"> <body>Hi!</body> </message> </forwarded></received> </message> Now, client 2 can extract the original message from the carbon copy and display it accordingly. The "Security Considerations" section of XEP-0280 explicitly states that: | Any forwarded copies received by a Carbons-enabled client MUST be from | that user's bare JID; any copies that do not meet this requirement | MUST be ignored. The Carbons implementation in the affected clients was lacking this test. It simply checked all incoming messages for presence of a Carbon element (`<received/>` or `<sent/>`), extracted and parsed it like a regular message. Therefore, it was possible for Mallory to send the following specially crafted message to Bob: <message from="mallory@evil.example" to="b@xmpp.example"> <received xmlns='urn:xmpp:carbons:2'><forwarded xmlns='urn:xmpp:forward:0'> <message from="alice@xmpp.example" to="bob@xmpp.example/client1"> <body>Please come to Creepy Valley tonight, alone!</body> </message> </forwarded></received> </message> This would appear as an authentic message from Alice, including Alice' proper screen name, allowing Mallory to perform social engineering attacks on Bob. Mitigation ---------- While the attacker can send messages in the name of somebody else, they can not see your responses. Therefore, if you receive a phony message while using an affected client, reinsure with the message sender by either challenging them with a question that can not be guessed by the attacker, or by using out-of-band means. Xabber: disable the experimental Carbons feature in the app settings. yaxim: Disabling Message Carbons under "Settings" / "Edit account" / "Message Carbons (XEP-0280)" will not solve the problem, as the malicious messages still will be interpreted. Timeline -------- - 2017-01-20 Discovery of vulnerability - 2017-01-23 - 26 Notification of developers - 2017-01-25 Release of ChatSecure 4.0.1 fix commit: https://github.com/ChatSecure/ChatSecure-iOS/commit/a340b4bb519227d89f85f2716a10a197a65d4856 - 2017-01-26 Release of jappix 1.1.7 fix commit: https://github.com/jappix/jappix/commit/ea6de7c65b80880bdf85df47c1a8a5d3d68491af - 2017-01-28 Release of Psi+ 0.16.571.630 fix commit: https://github.com/psi-im/iris/pull/47/commits/02e976d4426a1319a7af7d26d7aba9d8c6077570 - 2017-01-29 Release of profanity 0.5.1 fix commit: https://github.com/boothj5/profanity/commit/8e75437a7e43d4c55e861691f74892e666e29b0b - 2017-01-29 Release of mcabber 1.0.5 fix commit: https://mcabber.com/hg/rev/2a9569fd7644 - 2017-01-30 Release of poezio 0.11 with slixmpp 1.2.4 slixmpp fix commit: https://github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb47160ad8 - 2017-01-31 Release of yaxim and Bruno 0.9.0 fix commit: https://github.com/ge0rg/yaxim/commit/65a38dc77545d9568732189e86089390f0ceaf9f - 2017-01-31 Release of Movim 0.11alpha1 fix commit: https://github.com/movim/moxl/commit/838b0a42efc3b67cc17d63e25ae1d0ea849cd89b - 2017-01-31 Notification of Debian Security Team - 2017-02-01 Release of profanity 0.4.7.patch1 and 0.5.0.patch1 (backports of the fix) - 2017-02-01 Release of Converse.js 1.07 and 2.05 fix commit: https://github.com/jcbrand/converse.js/commit/42f249cabbbf5c026398e6d3b350f6f9536ea572 - 2017-02-05 Release of Jitsi 2.10 fix commit: https://github.com/jitsi/jitsi/commit/7d66da61b316c9480b63000f831b6de723b87315 - 2017-02-08 Release of Zom 1.0.12 fix commit: https://github.com/zom/Zom-iOS/commit/880051eaa8ba32d1b257c87a7d8798a93561bfd3 - 2017-02-09 Publication of this advisory Acknowledgements ---------------- - Daniel Gultsch for CVE-2015-8688: Gajim Roster Push Attack / Message Interception[1] - Sam Whited for CVE-2016-9928 (same as above in mcabber)[2] - Thijs Alkemade for being an awesome XMPP security researcher (and for proof-reading this)[3] Links ----- [0] https://xmpp.org/extensions/xep-0280.html [1] https://gultsch.de/gajim_roster_push_and_message_interception.html [2] http://www.openwall.com/lists/oss-security/2016/12/09/5 [3] https://blog.thijsalkema.de/ HTML version of advisory: https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/ PDF version of advisory: https://rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf -- Dr.-Ing. Georg Lukas rt-solutions.de GmbH Oberländer Ufer 190a D-50968 Köln Tel. : (+49)221 93724 16 Fax : (+49)221 93724 50 Mobil: (+49)179 4176591 Web : www.rt-solutions.de rt-solutions.de experts you can trust.

References:

https://rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top