XMPP issue possibly needing a CVE

Paul Aurich paul at darkrain42.org
Sat Aug 22 23:57:18 EDT 2009

Based on conversation with someone in #pidgin, I think #8131 [1] might
qualify for a CVE. What do others think?

In a nutshell, the issue is that when connecting to older servers (at least
jabberd14, possibly others) on port 5222 (which uses STARTTLS to upgrade a
connection to SSL, as opposed to starting SSL immediately upon opening the
TCP connection), even if the user has checked "Require SSL/TLS", this is
not enforced and it's possible the connection will continue without SSL
with no warning to the user.

I've thought about this some more and it seems like, if a malicious entity
is able to inject packets into the connection, they can munge the server's
responses at the beginning of the connection [2] (removing the offer of
STARTTLS) and then they'll be able to monitor all of a user's conversations
and the user would be none-the-wiser. The user's password would *not* be
transmitted in the clear unless thecd user accepts a prompt "<server>
requires plaintext authentication over an unencrypted connection.  Allow
this and continue authentication?"

This is fixed in libpurple 2.6.0 and this patch [3] should apply fine to
older versions of Pidgin, though "!jabber_stream_is_ssl(js)" needs to be
changed to "js->gsc == NULL".

[1] http://developer.pidgin.im/ticket/8131
[2] Typically the initial connection looks like this (slightly cleaned up):

    C: <stream:stream to='gmail.com'>
    S: <stream:stream from='gmail.com'>
    C: ...proceeds to start SSL.

Older servers don't always send the "<stream:features/>" stanza (especially
if SSL is not enabled on the server), in which case libpurple falls back to
'old style' authentication. However, when it does so, there is no check
that the connection is encrypted if the user requested it be mandatory.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 898 bytes
Desc: OpenPGP digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20090822/801d0482/attachment.pgp>

More information about the Packagers mailing list