Because the client never checks that the server certificate names the XMPP domain it meant to reach, an attacker who can get between the client and the real server (on the local network, or by controlling the DNS answer) can terminate the TLS session with a certificate for any name they hold and relay the traffic on to the real server. The client sees a working connection and has nothing to tell it apart from a legitimate one; a user with a fixed "preferred" server is just as exposed as one whose server is discovered dynamically.

TLS certificate hostname validation is not performed by default in Slixmpp. A certificate issued for an arbitrary domain the attacker controls is therefore accepted for whatever XMPP domain the client is connecting to, so the attacker can stand up a server under any name and have it accepted as the real one.

Slixmpp Authentication

Slixmpp does not use certificate hostname validation when it sets up the stream, so the server is never authenticated to the client. An attacker who intercepts a user's connection can therefore impersonate any server: the client completes the TLS handshake with the impostor, proceeds to authenticate against it, and everything it sends over that stream, including its login exchange, reaches the attacker. No account on the real server is needed for this.
The following mitigations apply:

- Enable certificate verification with hostname checking in the client: `verify_mode = ssl.CERT_REQUIRED` and `check_hostname = True` on the SSL context, or upgrade to a Slixmpp release that does this by default.
- Check the certificate against the XMPP domain (the domainpart of the JID), not merely against the host an SRV lookup returned, as RFC 6120 requires; otherwise anyone who can steer the SRV answer picks the name that is validated.
- Require TLS for the client-to-server stream and do not fall back to a plaintext stream when STARTTLS fails.

Slixmpp: Case Study

A client whose connection is intercepted ends up talking to an attacker-controlled server while believing it is connected to its own; a chatroom invitation delivered over that connection, for example, can point to a room hosted on the attacker's server. This lends itself to phishing, where users are tricked into revealing sensitive information to what looks like their usual contacts.

Slixmpp does not perform certificate hostname validation by default, so an attacker can present a certificate for an unrelated name and have their server accepted as the legitimate one.

HTTP Proxy Server

An HTTP proxy or web application firewall such as Privoxy or ModSecurity does not address this issue. The check that is missing is the client's comparison of the presented certificate against the expected XMPP domain, and nothing placed in front of the server can perform that on the client's behalf; a proxy that terminates TLS is, from the client's point of view, itself a man-in-the-middle that the client would accept. The only effective fix is on the client side: enable hostname validation on the SSL context, or upgrade to a Slixmpp release that performs it by default.
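The client-side check that the mitigations above call for, as an added Python example that is not Slixmpp's own code and does not call the library: `verify_peer_name` compares a peer certificate, in the dict form returned by `SSLSocket.getpeercert()`, against the expected XMPP domain, `xmpp_domain_for_tls` picks that domain out of a JID, and the two context builders show the weak and the hardened `ssl.SSLContext` settings side by side. The certificate dict, the `example.org` / `example.net` names and the helper names are constructed for this example.

```python
import ssl


def xmpp_domain_for_tls(jid):
    """Domainpart of a JID: the name the server certificate must carry (RFC 6120),
    regardless of which host an SRV lookup pointed the TCP connection at."""
    bare = jid.split("/", 1)[0]          # drop the resource
    return bare.rsplit("@", 1)[-1].lower()


def _match_label(pattern, host):
    """Match one DNS label; only a whole-label '*' is treated as a wildcard.
    Partial wildcards such as 'xm*' are deliberately not supported."""
    return pattern == "*" or pattern == host


def verify_peer_name(cert, expected_host):
    """Return True if expected_host is covered by a dNSName SAN in cert.

    cert has the shape ssl.SSLSocket.getpeercert() returns when the context's
    verify_mode is not CERT_NONE, e.g. (constructed sample)
        {'subjectAltName': (('DNS', 'xmpp.example.org'), ('DNS', '*.example.org'))}
    Only SAN dNSName entries are considered; the deprecated CN fallback is omitted.
    """
    host_labels = expected_host.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat_labels = value.lower().rstrip(".").split(".")
        # Wildcards never span labels, so label counts must agree.
        if len(pat_labels) != len(host_labels):
            continue
        # A wildcard is allowed only in the left-most label, and '*.org'-style
        # patterns (fewer than two literal labels after it) are rejected.
        if "*" in pat_labels[1:] or (pat_labels[0] == "*" and len(pat_labels) < 3):
            continue
        if all(_match_label(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


def insecure_context():
    """The setting the advisory is about: the peer's certificate is neither
    chained to a trusted CA nor compared with the expected name, so any server
    can impersonate any XMPP domain."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile=None):
    """Hardened form: the chain must verify to a trusted CA and the certificate
    must name the value passed as server_hostname= to ctx.wrap_socket(), which
    for XMPP should be xmpp_domain_for_tls(jid)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies_peer(ctx):
    """True if ctx both requires a trusted chain and checks the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    # Constructed certificate as getpeercert() would present it.
    sample_cert = {"subjectAltName": (("DNS", "xmpp.example.org"),
                                      ("DNS", "*.example.org"))}
    domain = xmpp_domain_for_tls("alice@example.org/laptop")
    print(domain, verify_peer_name(sample_cert, domain))
    print("attacker name accepted:", verify_peer_name(sample_cert, "example.net"))
    print("hardened context ok:", context_verifies_peer(verifying_context()))
```

With the hardened context, `ctx.wrap_socket(sock, server_hostname=xmpp_domain_for_tls(jid))` makes Python perform the equivalent of `verify_peer_name` itself and raise `ssl.SSLCertVerificationError` on a mismatch; the explicit function is shown so the rule being enforced (SAN match against the JID's domain, single left-most wildcard label only) is visible.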

Timeline

Published on: 12/25/2022 05:15:00 UTC
Last modified on: 01/05/2023 13:19:00 UTC

References