To see which clients are vulnerable, I spent some time looking over the source code of various libraries and clients. For most of these it was the first time I've looked at the source (or even that programming language), so I may have overlooked something.
Every single one of them had a way to send an iq and register a callback to be called when a reply comes in. Most of these set the id of the iq only when it wasn't set yet; the id generation I mention here therefore only covers this automatic generation, as it can be overridden. There could also be some 'from' checking in the callback itself, not in the code that calls it; I have not looked into that.

These use an incrementing counter to generate ids, starting from 0. This means that, for example, roster retrieval always gets the same id and could be spoofed by a fast enough attacker:

* Gajim (python-nbxmpp)
* Strophe
* Miranda
* InstantBird

Some randomness, but observing one value makes it possible to predict further values:

* sleekxmpp: fixed UUID per session, concatenated with an incrementing counter starting from 0
* yaxim, ChatSecure Android and others (SMACK): random 5 characters(?) per session, concatenated with an incrementing counter

These seem to actually be sufficiently unpredictable between different iqs:

* ChatSecure iOS (XMPPFramework): UUID
* tkabber: incrementing counter, concatenated with 6 random decimal digits

Only two clients I've looked at verify that the 'from' actually matches the 'to' the iq was sent to:

* Pidgin (libpurple): incrementing counter starting from a random value
* Swift: UUID

Thijs
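An added example, not code from Thijs's message or from any of the clients named above: a minimal Python iq tracker that shows the two mitigations the message points at, per-iq unpredictable ids and dispatching a reply only when its 'from' matches the 'to' of the request it answers. The dict-based stanza shape, the `IqTracker` class and the sample JIDs are constructed for illustration; comparison is by exact string match and a real client would still need JID normalization.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple


def counter_id_generator():
    """The weak scheme described in the post: a counter starting at 0, so the
    first request of every session (e.g. the roster get) always has id '0'."""
    n = 0
    while True:
        yield str(n)
        n += 1


def random_id() -> str:
    """Unpredictable per-iq id: 128 bits from the OS CSPRNG (constructed choice)."""
    return secrets.token_urlsafe(16)


class IqTracker:
    """Tracks outstanding iq requests keyed by id and checks replies (constructed)."""

    def __init__(self, own_jid: str, id_func: Callable[[], str] = random_id):
        self.own_bare = own_jid.split("/")[0]
        self.own_domain = self.own_bare.split("@")[-1]
        self.id_func = id_func
        self.pending: Dict[str, Tuple[Optional[str], Callable]] = {}
        self.rejected = []  # replies whose 'from' did not match; kept for logging

    def send_iq(self, iq: dict, callback: Callable) -> dict:
        # Like the libraries in the post: only fill in the id when it is missing.
        if not iq.get("id"):
            iq["id"] = self.id_func()
        self.pending[iq["id"]] = (iq.get("to"), callback)
        return iq

    def _from_matches(self, sent_to: Optional[str], reply_from: Optional[str]) -> bool:
        if sent_to is None:
            # No 'to' means the request went to our own server (RFC 6120); its
            # reply may carry no 'from', our own bare JID, or the server domain.
            return reply_from in (None, self.own_bare, self.own_domain)
        return reply_from == sent_to

    def handle_reply(self, reply: dict) -> bool:
        entry = self.pending.get(reply.get("id"))
        if entry is None:          # unknown or already-answered id: ignore
            return False
        sent_to, callback = entry
        if not self._from_matches(sent_to, reply.get("from")):
            self.rejected.append(reply)   # spoofed reply: record, do not dispatch
            return False
        del self.pending[reply["id"]]     # one answer per request
        callback(reply)
        return True
```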
