defcon 17 ava latrope excersise in messaging
8/6/2019 Defcon 17 Ava Latrope Excersise in Messaging
http://slidepdf.com/reader/full/defcon-17-ava-latrope-excersise-in-messaging 1/32
eXercise In Messaging and Presence Pwnage
fun with XMPP
Ava Latrope
iSEC Partners
Defcon 17
Ava Latrope (iSEC Partners) eXercise In Messaging and Presence Pwnage Defcon 17 1 / 32
Introduction Outline
Outline
1 Introduction
  The basics
  Common Stanzas
2 The victims
  Clients
  Servers
3 Attack scenarios
  DoS, DoS, and more DoS
  XML Parsing
  File/Image Upload
4 Tools
  Persimmon Proxy
  XMPP Fuzzer
5 Conclusion
Introduction Who am I?
Who am I?
Security Consultant, iSEC Partners
Prior to that, QA automation for various web 2.0 horrors
Eats babies
Introduction The basics
What is XMPP?
eXtensible Messaging and Presence Protocol
Formerly the Jabber project
Specialized XML-based protocols, used for:
content syndication
file sharing
...but, well, still mostly IM.
How it works
Decentralized
Addressing via JIDs of the format user@server
TLS encryption and SASL authentication
HTTP binding
XML stream
Common Attributes
to - recipient JID
from - sender JID
id
Optional
Generated for tracking purposes
Scope of uniqueness is flexible
type
Specifies purpose of the stanza
Each stanza variety has its own list of acceptable types
xml:lang
Only affects presentation to humans
Introduction Common Stanzas
Info/Query
Request info/receive response
Child element determines data content
Requester tracks by id
Patterned exchange
<iq type="result" id="purplece837cfa" to="akl-pc1/acc45887">
  <bind xmlns="urn:ietf:params:xml:ns:xmpp-bind">
    <jid>test2@akl-pc1/acc45887</jid>
  </bind>
</iq>
Presence
Publish/subscribe
Many receive updates from one - ’to’ usually omitted
Seen most frequently in IM applications as contact status updates
<presence from='test2@akl-pc1/acc45887' to='avarice@gmail.com'>
  <show>away</show>
  <priority>0</priority>
  <c xmlns='http://jabber.org/protocol/caps' node='http://mail.google.com/xmpp/client/caps' ver='1.1' ext='pmuc-v1 sms-v1'/>
  <status/>
  <x xmlns='vcard-temp:x:update'><photo/></x>
</presence>
Message
Fairly self-explanatory concept so long as you’ve ever, say, used email.
<message type='chat' id='purplece837d83' to='test1@akl-pc1/f9e54d' from='test2@akl-pc1/acc45887'>
  <x xmlns='jabber:x:event'><composing/></x>
  <active xmlns='http://jabber.org/protocol/chatstates'/>
  <body>?OTR:AAIDAAAAAAEAAAABAAAAwEgF/95+kxlcd8Z7I3jdNZtw8d8baZIg5uq0FV3JymhEXf5qJV/6P46yjwABFt4UmUqN8BwK7WnWGHlcxsrAvN/FJ4oxS0wLYcKRzI/eZ0edIFyhlyZBT17Ou1V2+67nnczJOGRq+A6wjz0ayoT1iRm1Dx1ZFLvKfRT3uiwbi8AfNG7uCtQAolGKBBp2h7RBVR95NfOrfx8G5Oh6BacdhslcssY0kC3Lwmo29rNO/GVX+9CY0phs8kT+O5cLedhjI8y/+udYAAAAA.</body>
  <html xmlns='http://jabber.org/protocol/xhtml-im'>
    <body xmlns='http://www.w3.org/1999/xhtml'>?OTR:AAIDAAAAAAEAAAABAAAAwEgF/95+kxlcd8Z7I3jdNZtw8d8baZIg5uq0FV3JymhEXf5qJV/6P46yjwABFt4UmUqN8BwK7WnWGHlcxsrAvN/FJ4oxS0wLYcKRzI/eZ0edIFyhlyZBT17Ou1V2+67nnczJOGRq+A6wjz0ayoT1iRm1Dx1ZFLvKfRT3uiwbi8AfNG7uCtQAolGKBBp2h7RBVR95NfOrfx8G5Oh6BacdhslcssY0kC3Lwmo29rNO/GVX+9CY0phs8kT+O5cLedhjI8y/+udYAAAAA.</body>
  </html>
</message>
The victims Clients
Pidgin
The IM client formerly known as Gaim
Needed something based on libpurple
Obvious choice with 3 million users
...especially since it's my default
File transfers
XMPP console
http://www.pidgin.im/
Spark
Complement to Openfire server
Voice integration
Representative of no-frills clients
http://www.igniterealtime.org/projects/spark/index.jsp
Gajim
GTK+
File transfer
Multi-protocol transports
http://www.gajim.org/
Gtalk
Skynet Google’s pet XMPP project Jingle
Mobile versions
Offline messaging
http://www.google.com/talk/
The victims Servers
Openfire
Formerly known as Wildfire
Popular on corporate networks
User-friendly, easy to configure
Admin web interface
http://www.igniterealtime.org/projects/openfire/
JabberD14
Modular, certain features can be installed independently
Written in C/C++
Complex configuration requires messing directly with XML
Waning in popularity
http://jabberd.org/
JabberD2
Different codebase from JabberD14
Appear to have kept the project name just to be confusing
Main distinction seems to be that they're compliant with more RFCs than the original
http://codex.xiaoka.com/wiki/jabberd2:start
Attack scenarios DoS, DoS, and more DoS
DoS
Excessive presence traffic makes for high overhead
Endemic scalability issues in XMPP
Parser errors tend to be ungraceful
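An added example, not from the slides or from iSEC's tools, of the server-side check that turns "excessive presence traffic" (the one-to-many fan-out described on the Presence slide) into something a deployment can detect and bound: a sliding-window budget on presence broadcasts per bare JID, run over a constructed stream in which one account emits 50 updates in five seconds. The limit and window values are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque


def presence_sender(stanza):
    """Bare JID of a presence stanza's sender (as stamped by the server), or None."""
    try:
        el = ET.fromstring(stanza)
    except ET.ParseError:
        return None
    frm = el.get("from")
    if el.tag != "presence" or not frm:
        return None
    return frm.split("/", 1)[0]


class PresenceBudget:
    """Sliding-window limit on presence broadcasts per bare JID (assumed policy)."""

    def __init__(self, limit=10, window=60.0):
        self.limit, self.window = limit, window
        self.recent = defaultdict(deque)  # bare JID -> timestamps of accepted stanzas

    def admit(self, ts, stanza):
        """True if the stanza is within budget, False if it should be dropped."""
        jid = presence_sender(stanza)
        if jid is None:
            return True  # not presence, or no sender: outside this check's scope
        q = self.recent[jid]
        while q and ts - q[0] > self.window:
            q.popleft()  # forget accepted stanzas older than the window
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def flooding_senders(stream, limit=10, window=60.0):
    """Bare JIDs in `stream` (iterable of (seconds, stanza)) that exhausted their budget."""
    budget = PresenceBudget(limit, window)
    return {presence_sender(s) for ts, s in stream if not budget.admit(ts, s)}


# Constructed sample stream: one ordinary status change, then 50 presence
# updates from a single account in five seconds, each from a different resource.
SAMPLE_STREAM = [(0.0, "<presence from='test2@akl-pc1/acc45887'><show>away</show></presence>")]
SAMPLE_STREAM += [(1.0 + i * 0.1, f"<presence from='noisy@akl-pc1/r{i}'><show>chat</show></presence>")
                  for i in range(50)]
```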
DoS Demo
[DoS demo goes here]
Attack scenarios XML Parsing
XML Parsing
Stanza-specific requirements
Control characters
Effects on DoS
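An added example (not the talk's code) of screening stanzas for control characters before they reach the XML parser, covering both raw bytes and numeric character references, which are equally illegal in XML 1.0; offsets of the offending characters are returned so a server can log and drop the one stanza instead of letting the parser error tear down the whole stream. The sample stanzas are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Characters outside the XML 1.0 Char production. RFC 6120 requires stanzas to
# be well-formed XML 1.0, so C0 controls other than tab, LF and CR are never legal.
_ILLEGAL = re.compile(r"[^\x09\x0a\x0d\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]")
_CHARREF = re.compile(r"&#(x[0-9A-Fa-f]+|[0-9]+);")


def find_illegal_chars(stanza):
    """Offsets and code points of characters that would make the parser abort.

    Covers both raw characters and numeric references such as &#1;: escaping
    a control character does not make it legal XML.
    """
    bad = [(m.start(), ord(m.group())) for m in _ILLEGAL.finditer(stanza)]
    for m in _CHARREF.finditer(stanza):
        ref = m.group(1)
        cp = int(ref[1:], 16) if ref[0] in "xX" else int(ref)
        if cp > 0x10FFFF or _ILLEGAL.match(chr(cp)):
            bad.append((m.start(), cp))
    return sorted(bad)


def parse_stanza(stanza):
    """Parse one stanza, or return None if it carries illegal characters.

    Screening first keeps a single bad stanza from tearing down the XML
    stream: fed straight to ET.fromstring, the same input raises ParseError.
    """
    if find_illegal_chars(stanza):
        return None
    return ET.fromstring(stanza)


# Constructed samples: a clean chat message, one with a raw 0x01 byte in the
# body, and one that carries the same control character as a reference.
CLEAN = "<message type='chat' to='test1@akl-pc1/f9e54d'><body>hi there</body></message>"
RAW_CTRL = "<message><body>hi\x01there</body></message>"
REF_CTRL = "<message><body>hi&#1;there</body></message>"
```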
XML Parsing Demo
[XML parsing demo goes here]
Attack scenarios File/Image Upload
File/Image Upload
No restrictions on file type
Relatively new to most feature sets
Image insertion
File/image Upload Demo
[File/image upload demo goes here]
Tools Persimmon Proxy
Features
HTTP and XMPP
Intercept mode
Manual edit
Command replay
Multiple concurrent listeners
Persimmon Proxy Demo
[Persimmon Proxy demo goes here]
Download
[Download information goes here]
Tools XMPP Fuzzer
Features
Contains all attacks presented here
GUI interface
Customization of attacks
XMPP Fuzzer Demo
[XMPP Fuzzer demo goes here]
Download
[Download information goes here]
Conclusion Summary
Summary
XMPP bugs are still out there
Here are some tools to help make that more obvious
Conclusion Resources
Resources
XMPP Foundation
http://xmpp.org/
XMPP: The Definitive Guide: Building Real-Time Applications
with Jabber Technologies
Peter Saint-Andre, Kevin Smith, Remko Tronçon
2009
Programming Jabber: Extending XML Messaging
DJ Adams
2002
Conclusion Questions
Questions?
https://www.isecpartners.com