oss-sec mailing list archives
Re: CVE Request: MCabber: remote attackers can modify the roster and intercept messages via a crafted roster-push IQ stanza
From: Mathieu Pasquet <mathieui () mathieui net>
Date: Sat, 10 Dec 2016 01:49:34 +0100
On Fri, Dec 09, 2016 at 09:19:06PM +0100, Salvatore Bonaccorso wrote:
> Hi
>
> Sam Whited discovered that MCabber versions 1.0.3 and before were vulnerable to an attack identical to Gajim's CVE-2015-8688 [1] which can lead to a malicious actor MITMing a conversation, or adding themselves as an entity on a third party's roster (thereby granting themselves the associated privileges such as observing when the user is online).
>
> The issue was fixed in the 1.0.4 release, with patch found at [2].
>
> Can a CVE be assigned for this issue?
>
> Regards,
> Salvatore
>
> [1] https://gultsch.de/gajim_roster_push_and_message_interception.html
> [2] https://bitbucket.org/McKael/mcabber-crew/commits/6e1ead98930d7dd0a520ad17c720ae4908429033/raw
> [3] https://bugs.debian.org/845258

Hello,

I would like to mention that when Sam mentioned it to the MCabber team, I investigated the slixmpp [1] codebase to see if we were equally vulnerable. It appeared that the default roster mechanism already has a check in place, but it creates a general event before then, which could be received by another handler to re-implement a Roster differently (like we do in poezio [2]).

This specific bug has been corrected in [3] and [4], which are available in slixmpp 1.2.3 (all previous versions are affected).

I’m not sure if this specific part warrants a CVE, as it is quite a specific case (but people could send arbitrary roster pushes to poezio before then), but I thought it would be good to mention.

If it is considered a real security flaw, I have to say that SleekXMPP [5] [6] is also affected, and I will patch it if needed.

Regards,
Mathieu

[1] https://github.com/poezio/slixmpp
[2] https://github.com/poezio/poezio / https://poez.io
[3] https://git.louiz.org/slixmpp/commit/?id=ffdb6ffd69522bb14760eca196511ac69a158831
[4] https://git.louiz.org/slixmpp/commit/?id=ffd9436e5cca9f92ed11683173a696972da2360b
[5] https://github.com/fritzy/SleekXMPP
[6] https://github.com/fritzy/SleekXMPP/blob/develop/sleekxmpp/clientxmpp.py#L112-L115

--
Mathieu Pasquet (mathieui)
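
Added example, not part of the original message and not code from slixmpp, poezio or MCabber: a toy dispatcher showing why the sender check has to run before the roster event is raised, so that a second handler keeping its own roster never sees an unvalidated push. The check follows RFC 6121 section 2.1.6 (accept a roster push only with no 'from' or with 'from' equal to the account's bare JID); all JIDs, stanzas and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ROSTER_NS = "jabber:iq:roster"
OWN_JID = "alice@example.org/laptop"  # constructed account
# Constructed stanzas: one push from the user's own server, one from a third party.
LEGIT = ("<iq type='set' id='a1'><query xmlns='jabber:iq:roster'>"
         "<item jid='bob@example.org' subscription='both'/></query></iq>")
SPOOFED = ("<iq type='set' id='x9' from='mallory@example.net/x'>"
           "<query xmlns='jabber:iq:roster'>"
           "<item jid='mallory@example.net' subscription='both'/></query></iq>")

def is_trusted_roster_push(stanza, own_jid):
    """RFC 6121 2.1.6: accept only no 'from', or 'from' equal to our bare JID."""
    if stanza.tag.rsplit("}", 1)[-1] != "iq" or stanza.get("type") != "set":
        return False
    if stanza.find(f"{{{ROSTER_NS}}}query") is None:
        return False
    sender = stanza.get("from")
    # Simplification: real JID comparison needs proper normalisation, not lower().
    return sender is None or sender.lower() == own_jid.split("/", 1)[0].lower()

def pushed_jids(stanza):
    """JIDs named in the roster items of a push."""
    return {i.get("jid") for i in stanza.iter(f"{{{ROSTER_NS}}}item")}

def run(check_before_event):
    """Feed both stanzas through a toy dispatcher; return (default, custom) rosters."""
    default_roster, custom_roster = set(), set()

    def default_handler(stanza):  # built-in roster: validates the sender itself
        if is_trusted_roster_push(stanza, OWN_JID):
            default_roster.update(pushed_jids(stanza))

    def custom_handler(stanza):  # application roster: trusts whatever the event carries
        custom_roster.update(pushed_jids(stanza))

    for xml_text in (LEGIT, SPOOFED):
        stanza = ET.fromstring(xml_text)
        if check_before_event and not is_trusted_roster_push(stanza, OWN_JID):
            continue  # dropped before any handler is notified
        for handler in (default_handler, custom_handler):
            handler(stanza)
    return default_roster, custom_roster

if __name__ == "__main__":
    print("event before check:", run(check_before_event=False))
    print("check before event:", run(check_before_event=True))
```

With the event raised first, only the application-side roster picks up the third-party entry; with the check first, both rosters contain only the legitimate contact.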