Fwd: Instant disconnect vulnerability

John Bailey rekkanoryo at rekkanoryo.org
Sun Aug 15 10:47:40 EDT 2010


On 08/15/2010 03:27 AM, Mark Doliner wrote:
> I don't think I've been able to reproduce this problem, but maybe I
> don't understand it correctly.
> 
> Cory: So you're saying that if a user sends that character to a chat
> room, then any Pidgin user in the chat room will get disconnected by
> the jabber server?

If the server is stupid and allows passing the invalid characters, yes.  This
means pretty much every openfire server ever to exist.

> Paul: And you're saying that the XMPP server should not allow a client
> to send this character in the first place (it should disconnect the
> client, instead)?  And recent versions of Pidgin don't allow sending
> this character in IMs, but they do still allow sending this character
> in status messages (and that should be changed)?

Yes, per the XMPP RFC, servers MUST disconnect any client (including another
server, if memory serves) that sends an illegal character.  Clients additionally
MUST disconnect when they receive illegal characters.  We should be disallowing
the sending of such illegal characters, but there are a lot of places we'd need
to add input sanitizing.

> I tried typing <ctrl>+<shift>+u, then 013 as my status message and it
> didn't seem to break anything with two accounts signed onto Google
> Talk.  Is this server-dependent?  Am I using the right character
> (ASCII character aka octal 013 aka decimal 11 aka hex 0x0B aka
> "vertical tab")?

Google Talk's servers may sanitize the data sent to them.  If you were to try on
an openfire server you should see the problem when the message is passed to a
conformant client (not necessarily Pidgin; all XMPP clients are supposed to, by
spec, disconnect in the described scenario) that disconnects when receiving
invalid characters.  If you were to try with your pidgin.im XMPP account, the
server *should* disconnect you immediately when you send the message.  Basically
any character from 0x00 through 0x1f (except 0x0a and 0x0d--LF and CR,
respectively) should cause the problem.  Also, as an aside, hex 0x13, which you
entered, is actually DC3 (device control 3), not vertical tab, according to 'man
ascii'. :)

John
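As an added example (not code from the Pidgin project or from anyone on this thread), here is a C implementation of the client-side check John describes: walk an outgoing UTF-8 string and either report the first character that XMPP's XML stream may not carry or strip such characters before the stanza is built. The allowed set is the XML 1.0 Char production that XMPP streams inherit (TAB, LF, CR, then 0x20 to 0xD7FF, 0xE000 to 0xFFFD, 0x10000 to 0x10FFFF), so every other C0 control character, including the 0x0B and 0x13 discussed above, is rejected; malformed UTF-8 and overlong encodings are treated as illegal too, since a conformant parser would also choke on them. The function names xmpp_first_illegal and xmpp_strip_illegal are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Decode one UTF-8 sequence starting at s (n bytes available).
 * Returns the code point and sets *len, or -1 for truncated,
 * malformed or overlong input.
 */
static long utf8_decode(const unsigned char *s, size_t n, size_t *len)
{
    unsigned char c = s[0];
    long cp;
    size_t need, i;

    if (c < 0x80) { *len = 1; return c; }
    else if ((c & 0xE0) == 0xC0) { cp = c & 0x1F; need = 1; }
    else if ((c & 0xF0) == 0xE0) { cp = c & 0x0F; need = 2; }
    else if ((c & 0xF8) == 0xF0) { cp = c & 0x07; need = 3; }
    else return -1;                       /* stray continuation or 0xF8+ */

    if (n < need + 1) return -1;          /* truncated sequence */
    for (i = 1; i <= need; i++) {
        if ((s[i] & 0xC0) != 0x80) return -1;
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    /* reject overlong encodings such as C0 80 for NUL */
    if ((need == 1 && cp < 0x80) || (need == 2 && cp < 0x800) ||
        (need == 3 && cp < 0x10000))
        return -1;

    *len = need + 1;
    return cp;
}

/* XML 1.0 Char production; surrogates and code points above U+10FFFF fail. */
static int xml_char_ok(long cp)
{
    return cp == 0x09 || cp == 0x0A || cp == 0x0D ||
           (cp >= 0x20 && cp <= 0xD7FF) ||
           (cp >= 0xE000 && cp <= 0xFFFD) ||
           (cp >= 0x10000 && cp <= 0x10FFFF);
}

/* Byte offset of the first character a stream must not carry, or -1 if clean. */
long xmpp_first_illegal(const char *text)
{
    const unsigned char *s = (const unsigned char *)text;
    size_t n = strlen(text), i = 0, len;

    while (i < n) {
        long cp = utf8_decode(s + i, n - i, &len);
        if (cp < 0 || !xml_char_ok(cp))
            return (long)i;
        i += len;
    }
    return -1;
}

/* Newly allocated copy with illegal characters and malformed bytes removed; caller frees. */
char *xmpp_strip_illegal(const char *text)
{
    const unsigned char *s = (const unsigned char *)text;
    size_t n = strlen(text), i = 0, o = 0, len;
    char *out = malloc(n + 1);

    if (!out) return NULL;
    while (i < n) {
        long cp = utf8_decode(s + i, n - i, &len);
        if (cp < 0) { i++; continue; }           /* drop the bad byte, resync */
        if (xml_char_ok(cp)) {
            memcpy(out + o, s + i, len);
            o += len;
        }
        i += len;
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* constructed status message containing a vertical tab (0x0B) */
    const char *status = "away" "\x0b" "for lunch";
    char *clean = xmpp_strip_illegal(status);

    printf("first illegal byte at offset %ld\n", xmpp_first_illegal(status));
    printf("sanitized: \"%s\"\n", clean);
    free(clean);
    return 0;
}
```

The strip variant is what a client would run on status messages, nicknames and room topics before they reach the XML serializer; the offset variant is the form you want in a test suite or in a receive path that must decide whether to treat the peer as non-conformant.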
