Date: Sat, 10 Dec 2016 01:49:34 +0100
From: Mathieu Pasquet <mathieui@...hieui.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza

On Fri, Dec 09, 2016 at 09:19:06PM +0100, Salvatore Bonaccorso wrote:
> Hi
> 
> Sam Whited discovered that MCabber versions 1.0.3 and before were
> vulnerable to an attack identical to Gajim's CVE-2015-8688 [1] which
> can lead to a malicious actor MITMing a conversation, or adding
> themselves as an entity on a third party's roster (thereby granting
> themselves the associated privileges such as observing when the user
> is online).
> 
> The issue was fixed in the 1.0.4 release, with patch found at [2].
> 
> Can a CVE be assigned for this issue?
> 
> Regards,
> Salvatore
> 
>  [1] https://gultsch.de/gajim_roster_push_and_message_interception.html
>  [2] https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw
>  [3] https://bugs.debian.org/845258

Hello,

I would like to mention that when Sam mentioned it to the MCabber team,
I investigated the slixmpp [1] codebase to see if we were equally
vulnerable. It appeared that the default roster mechanism already has a
check in place, but it creates a general event before then, which could
be received by another handler to re-implement a Roster differently
(like we do in poezio [2]).

This specific bug has been corrected in [3] and [4], which are available
in slixmpp 1.2.3 (all previous versions are affected).

I’m not sure if this specific part warrants a CVE, as it is quite a
specific case (but people could send arbitrary roster pushes to poezio
before then), but I thought it would be good to mention. If it is
considered a real security flaw, I have to say that SleekXMPP [5] [6] is
also affected, and I will patch it if needed.

Regards,
Mathieu

 [1] https://github.com/poezio/slixmpp
 [2] https://github.com/poezio/poezio / https://poez.io
 [3] https://git.louiz.org/slixmpp/commit/?id=ffdb6ffd69522bb14760eca196511ac69a158831
 [4] https://git.louiz.org/slixmpp/commit/?id=ffd9436e5cca9f92ed11683173a696972da2360b
 [5] https://github.com/fritzy/SleekXMPP
 [6] https://github.com/fritzy/SleekXMPP/blob/develop/sleekxmpp/clientxmpp.py#L112-L115

-- 
Mathieu Pasquet (mathieui)
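The check both messages above are about, as an added example that is not part of either post and is not code from MCabber, Gajim or slixmpp: a toy Python client handler that applies the roster-push origin rule of RFC 6121 section 2.1.6 (ignore the push unless it has no `from` attribute or `from` is the user's own bare JID), and that shows the ordering pitfall Mathieu describes, where a generic event is emitted before that check so a second roster implementation listening on the event accepts an unverified push. The JIDs, stanzas and the `EventBus`, `make_client` and `run_demo` names are constructed for illustration.

```python
"""Origin check for XMPP roster pushes (RFC 6121 section 2.1.6) and the
event-ordering pitfall described in the thread. Constructed example; the
JIDs, stanzas and class/function names are illustrative, not slixmpp code."""
import xml.etree.ElementTree as ET

NS_ROSTER = "jabber:iq:roster"
OWN_JID = "alice@example.org/laptop"  # constructed sample account (full JID)


def bare_jid(jid):
    """user@domain/resource -> user@domain"""
    return jid.split("/", 1)[0]


def is_authorized_roster_push(iq_from, own_jid):
    """RFC 6121 2.1.6: a client MUST ignore a roster push unless it has no
    'from' attribute or 'from' equals the user's own bare JID. Anything the
    server stamped with another account's JID fails this test."""
    return iq_from is None or iq_from == bare_jid(own_jid)


class EventBus:
    """Minimal stand-in for a client's event dispatcher."""

    def __init__(self):
        self._handlers = {}

    def on(self, name, fn):
        self._handlers.setdefault(name, []).append(fn)

    def emit(self, name, payload):
        for fn in self._handlers.get(name, []):
            fn(payload)


def make_client(check_before_emit, own_jid=OWN_JID):
    """Return (handle, roster, shadow). `roster` is the client's own roster;
    `shadow` is a second roster kept by a plugin that only listens on the
    'roster_update' event, the way a client re-implementing the roster would."""
    bus = EventBus()
    roster = {}
    shadow = {}
    bus.on("roster_update", shadow.update)

    def handle(stanza_xml):
        iq = ET.fromstring(stanza_xml)
        query = iq.find(f"{{{NS_ROSTER}}}query")
        if iq.tag.rsplit("}", 1)[-1] != "iq" or iq.get("type") != "set" or query is None:
            return False  # not a roster push at all
        items = {it.get("jid"): it.get("subscription", "none")
                 for it in query.findall(f"{{{NS_ROSTER}}}item")}
        authorized = is_authorized_roster_push(iq.get("from"), own_jid)
        if not check_before_emit:
            # Vulnerable ordering: every listener sees the push before the origin check.
            bus.emit("roster_update", items)
        if not authorized:
            return False
        if check_before_emit:
            bus.emit("roster_update", items)  # listeners only ever see verified pushes
        roster.update(items)
        return True

    return handle, roster, shadow


# Constructed stanzas as a client would receive them: the server stamps 'from'
# on anything relayed from another account, so a push originating from a third
# party arrives carrying that party's JID in 'from'.
SAMPLE_STANZAS = [
    # Legitimate push, no 'from': implicitly from the user's own account.
    '<iq type="set" id="p1"><query xmlns="jabber:iq:roster">'
    '<item jid="bob@example.org" subscription="both"/></query></iq>',
    # Legitimate push explicitly from the user's bare JID.
    '<iq type="set" id="p2" from="alice@example.org"><query xmlns="jabber:iq:roster">'
    '<item jid="carol@example.org" subscription="to"/></query></iq>',
    # Push relayed from another account; a compliant client must ignore it.
    '<iq type="set" id="p3" from="mallory@example.net/x"><query xmlns="jabber:iq:roster">'
    '<item jid="mallory@example.net" subscription="both"/></query></iq>',
]


def run_demo(check_before_emit):
    """Feed the sample stanzas through a client built with the given ordering."""
    handle, roster, shadow = make_client(check_before_emit)
    accepted = [handle(s) for s in SAMPLE_STANZAS]
    return accepted, roster, shadow


if __name__ == "__main__":
    for order in (False, True):
        accepted, roster, shadow = run_demo(order)
        print("check before emit:", order, "accepted:", accepted)
        print("  roster:", roster)
        print("  shadow:", shadow)
```

With the check done first, the third stanza is rejected and neither roster ever sees `mallory@example.net`; with the event emitted first, the main roster still rejects it but the listener-backed roster has already applied it, which is the slixmpp/poezio situation the reply describes.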