mechanism - SOURCE Conference

advertisement
Unified Communications
Information Loss Through the Front Door
This Federation Thing
Federation is an Old Story
• Bob wants to send Alice a message, but he only knows her email address
• Bob doesn’t have any details about Alice’s mail server or who delivers his message
• How does Bob find the path to Alice?
MX: Gluing Email Together
• DNS provides the answer; MX records bind domains together
• The two domains can find each other and exchange messages without previously
knowing anything about the other party
• This is federation
• The two domains may authenticate one another
• Each domain trusts the other to authenticate and identify their own user
Non-authoritative answer:
yahoo.com
MX preference = 1, mail exchanger = mta5.am0.yahoodns.net
yahoo.com
MX preference = 1, mail exchanger = mta6.am0.yahoodns.net
yahoo.com
MX preference = 1, mail exchanger = mta7.am0.yahoodns.net
The Many Names of IM
• Instant messaging has failed at this for many years
• Multiple networks, multiple protocols, multiple user identities
• Instant messaging vendors want to own your attention
IM Federation
• Instant messaging is finally catching up to email
• You can have a single identity and still chat with all of your friends. That’s IM
federation
• Instead of one protocol per network you now have SIP
• Or more importantly, you have XMPP
XMPP
A brief and biased primer
What is XMPP?
• The Extensible Messaging and Presence Protocol
• A layer 7 transport to build flexible protocols
• Bound to other transports including TCP and HTTP
• A structured XML document built over time where each element creates another
protocol element
• 3 main building blocks that are called stanzas
<message>
• The building block of Instant Messages in XMPP
• A message has a body
• It can also have more
• A subject
• A thread
<message type="chat" from="bob@gmail.com/Psi+" to="alice@yahoo.com" id="aadaa">
<body>a simple IM message</body>
</message>
<message>
• A message can get very complicated
• It can support multiple languages, threading references, XHTML formating…
• Values can be UNICODE because the XML character encoding should be UTF-8
<message type="chat" from="bob@gmail.com/Psi+" to="alice@yahoo.com" id="aadaa"
xml:lang="en">
<subject>A big example</subject>
<subject xml:lang="fr">A big example</subject>
<body>a simple IM message</body>
<body xml:lang="fr">I don’t speak French</body>
<thread parent="07a9311b">ef993107</thread>
<html xmlns="http://jabber.org/protocol/xhtml-im">
<body xmlns="http://www.w3.org/1999/xhtml">
<p>I can<span style="font-style: italic">get</span> complicated</p>
</body>
</html>
</message>
<message>
• But more importantly, it’s UDP or Push
• A message with an arbitrary <xs:any/> payload is sent to a specific address
• You may get an error response back, but it’s not required
• While <message/> began as an IM it’s a building block for any kind of protocol
<message type="chat" from="bob@gmail.com/Psi+" to="alice@yahoo.com" id="aadaa">
<composing xmlns="http://jabber.org/protocol/chatstates"/>
<request xmlns="urn:xmpp:receipts"/>
</message>
<message type="chat" from="bob@gmail.com/Psi+" to="alice@yahoo.com" id="aadaa">
<error type="cancel">
<gone xmlns="urn:ietf:params:xml:ns:xmpp-stanzas">
alice@yahoo.com
</gone>
</error>
</message>
<presence>
• <presence /> is multi-purpose
• It allows a resource to request access to information, to confirm or deny that
access, and to send asynchronous updates when information changes
• And just like <message> it’s a communications model for building more complex
protocols: Publish-Subscribe or Broadcast
Publish-Subscribe:
<presence from="bob@gmail.com" to="alice@yahoo.com" id="e7ff18" type="subscribe"/>
<presence from="alice@yahoo.com" to="bob@gmail.com" id="pres1" type="subscribed"/>
Update Broadcast:
<presence from="bob@gmail.com/Psi+" to="alice@yahoo.com">
<show>away</show>
<status>I am not here to take your call right now</status>
</presence>
Join the Group Channel #xmpp_chat with nickname bobryan:
<presence from="bob@gmail.com/Psi+" to="xmpp_chat@gmail.com/bobryan" id="a814df">
<x xmlns="http://jabber.org/protocol/muc"/>
</presence>
<presence>
• Presence relationships are long-lived
• Persistently stored in a database, and the server is responsible for maintaining them
• Presence relationships are one-way
• Bob may subscribe to Alice, but that doesn’t mean Alice subscribes to Bob
• This is very different than SIP, and can offer challenges in bridging the two protocols
<iq>
• IQ is Request-Response and it’s the workhorse of new XMPP interactions
• The requests have a type of get or set and must receive a response of result or error
• Requests must have at least one element in them that defines the request, and a
successful result will have elements that contain the answer
• IQs can address anything which can be named: users, user endpoints, servers,
components, channels…
<iq from="bob@gmail.com/Psi+" to="alice@yahoo.com" id="e7ff18" type="get">
… must have an element that defines the request …
</iq>
Query the roster: <query xmlns="jabber:iq:roster"/>
Query information about an entity: <query xmlns="jabber:iq:disco#info"/>
Extensible
• XMPP started in 1999
• As such, there may be a little baggage to deal with
• 2 official collections of RFCs + “pre-standard”
• 314 registered extensions (XEPs), some with multiple versions
• But XMPP is designed for extension. It makes it really easy. It tries to advertise
everything and let the user make their own choices
So Why All the XMPP Talk?
IM is a Social Toy, Right?
Business Critical Functionality
Security’s a User Problem
 Phishing & SPIM
 Malware
 Regulatory Compliance
 Sarbanes Oxley
 HIPPA
 Many others…
We’re OK now
19
But IM Grew Up
• It’s now Unified Communications, and instant messaging is just a
useful after-thought
• Unified Communications market estimates*
• $100’s M in 2007, $4B in 2011
• PBX replacement lifecycle is 3-7 years
20
Meet your Next Phone
• It’s an IM client
• It’s a video phone
• It shares presentations, applications, your
desktop…
• It’s always on
• It builds on many different protocols and has
driver level access to your media devices
• And it is running on everything: your laptop,
your desktop, your desk phone, your iPad,
your mobile phone, in your web browser,
in SharePoint…
21
FinServ and the IM Clearing House
• Since 1999 banks have tried to create a single, federated IM
community
• But the bankers stayed where the money was
22
What the Private Sector Can’t Do
• For 10 years Fortune 500 companies couldn’t get the
industry to standardize
• Governments and the US Department of Defense have
spoken
23
And Hello Federation
• And the Department of Defense required what the business
community has only been able to dream about
• All instant messaging and presence systems approved for sale to
the US DoD must federate over XMPP and interoperate between
vendors
• http://www.disa.mil/Services/NetworkServices/UCCO/~/media/Files/DISA/Services/UCCO/UCR2008Change-3/12UCR08Chg3Section57.pdf
24
The Front Door
And what you can find if you open it
<stream:stream>
• The stream is the XMPP transport
• It provides flow control, error handling, and a growing number of extension protocols
• In server 2 server it is uni-directional
• Stanzas flow from Client to Server
• Each end initiates their own stream
• The bidi extension addresses this interesting design choice
• Streams inherently have insecure introduction problems; TLS is negotiated from a
clear-text beginning
Client Initiation
• Two different rule sets
• Client 2 Server, the jabber:client namespace
• Server 2 Server, the jabber:server namespace
• One version to cover more than a decade of rule changes
• Also can get “no version”
• Version=“0.9”
• This begins the “client to server” XML document
<?xml version="1.0"?>
<stream:stream xmlns="jabber:server"
xmlns:stream="http://etherx.jabber.org/streams"
from="google.com"
to="yahoo.com"
version="1.0">
Server Response
• The server starts the same way, agreeing to namespace and reversing the to and from
• The server also sends the <stream:features>, the capabilities of the server “at this
stage”
• The client selects based on capabilities, like TLS cipher suites
• And like TLS cipher suites… you can downgrade
<stream:features>
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<compression xmlns="http://jabber.org/features/compress">
<method>zlib</method>
</compression>
<bidi xmlns="urn:xmpp:features:bidi"/>
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<mechanism>EXTERNAL</mechanism>
<mechanism>DIGEST-MD5</mechanism>
<mechanism>PLAIN</mechanism>
</mechanisms>
<dialback xmlns="urn:xmpp:features:dialback">
<errors/>
</dialback>
</stream:features>
What Should Happen
•
Each time an important feature is negotiated, the client must re-start the stream
(over the same transport)
•
So order for jabber:server should be:
1. <starttls/> with a <required/> and nothing else (establish stream security)
2. Client negotiates TLS and sends a new <stream:stream>
3. <mechanisms/> with a <required/> and nothing else (establish client
authentication)
4. Client negotiates SASL authentication and sends a new <stream:stream>
5. Other features as appropriate
•
But if you offer it the client can choose, and the previous slide said you can
proceed without TLS, without authentication, and without even the weak
DialBack mechanism
29
The XMPP Stream (S2S)
30
Taking Advantage of Complexity
• http://www.ldelgado.es/index.php?dir=aplicaciones/xmpploit
• Not surprisingly people get it wrong
• A requirement for encryption and no plain-text passwords is subverted even when
the server requires TLS to communicate
A Little More Clearly
<stream:stream from="gmail.com" id="79E36D297FCCA359" version="1.0" …
xmlns="jabber:client">
<stream:features>
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-tls">
<mechanism>X-GOOGLE-TOKEN</mechanism>
<mechanism>X-OAUTH2</mechanism>
</mechanisms>
</stream:features>
But even after stating that TLS and a non-password authentication mechanism
are required, gmail.com will still accept a plaintext stream authenticated with a
plaintext password.
Why Cheat When You Are Invited?
•
The front door is open
•
_xmpp-server._tcp.{the domain you’re interested in} points the way to
jabber:server handler for the domain
•
The bar to entry is hopefully a TLS implementation, a DNS entry, and a
certificate that matches your domain name… but Important Bank may not want
to talk to you
•
They will almost certainly talk to gmail.com, live.com, yahoo.com, or another
PIC (public internet cloud) provider
•
So what can we discover without directly messaging a user?
Asking the Right Questions
Narrowing the Field
Spec
RFC 3920 [2]
RFC 3921 [3]
Service Discovery [4]
Entity
Capabilities [5]
Jabber Component
Protocol [6]
Privacy Lists [7]
Simple
Communications
Blocking [8]
BOSH [9]
XMPP Over
BOSH [10]
vcard-temp [11]
Personal Eventing
Protocol [12]
Multi-User Chat [13]
Chat State
Notifications [14]
Core Server
✓
✓
Core Client
✓
✓
Advanced Server
✓
✓
Advanced Client
✓
✓
✓
✓
✓
✓
N/A
✓
N/A
✓
✓
N/A
✓
N/A
✕
✕
✓
✕
✕
✕
✓
✕
✕
✕
✓*
✕
✕
✕
✓*
✕
✕
✕
✓
✓
✕
✕
✓
✓
✕
✕
✓*
✓ **
N/A
✕
N/A
✓
XEP-114: Jabber Components
•
If we can get a component connection we have a trusted place on the XMPP
network
•
Perhaps we could brute-force passwords and gain external component status
•
Practically, this isn’t rolled out in a way that gives us a large enough target space
XEP-115: Entity Capabilities
•
Offers new nodes to Service Discovery
•
Advertised through <c/> elements in <presence> stanzas
•
Presence requires a direct message to a user and will likely pop up an
Accept/Deny dialog
XEP-163: Personal Eventing Protocol
•
The most interesting thing you can get here is GPS location changes if the client
broadcasts this data
•
Broadcast comes through <presence> stanzas
•
Presence requires a direct message to a user and will likely pop up an
Accept/Deny dialog
XEP-85: Chat State Notifications
•
Knowing that the user is typing isn’t what we’re going for
So What IS Interesting?
•
Service Discovery: walking the discovery chain tells us what the server
implements, what components are connected, and anything else that the server
decides to advertise
•
Multi-User Chat: the meta-data available about a company through channel
names, descriptions, configurations, and user lists can be staggering if the
company is indiscrete
•
Vcard-temp: it’s more useful than you think
Service Discovery: Disco#Info
•
Tell me everything I want to know about you
<iq from='example.com' to=‘bob@example.com/Psi+' type='result' id='c783849d'>
<query xmlns='http://jabber.org/protocol/disco#info'>
<identity category='server' type='im' name='Isode M-Link 15.1v3'/>
<identity category='pubsub' type='pep'/>
<identity category='directory' type='user'/>
<feature var='http://jabber.org/protocol/disco#info'/>
<feature var='http://jabber.org/protocol/disco#items'/>
<feature var='urn:xmpp:ping'/>
<feature var='vcard-temp'/>
<feature var='http://jabber.org/protocol/commands'/>
<feature var='http://jabber.org/protocol/compress'/>
<feature var='jabber:iq:auth'/>
<feature var='jabber:iq:private'/>
<feature var='jabber:iq:version'/>
<feature var='urn:xmpp:blocking'/>
<feature var='jabber:iq:search'/>
</query>
</iq>
Service Discovery: Disco#Items
•
Tell me what other names you think I might be interested in
<iq from='example.com' to=''bob@example.com/Psi+' type='result' id='64b47a0b'>
<query xmlns='http://jabber.org/protocol/disco#items'>
<item jid='chat.example.com' name='chat.example.com'/>
<item jid='bob@example.com'/>
</query>
</iq>
<iq from='chat.example.com' to=‘bob@example.com/Psi+' type='result' id='8d2d3db4'>
<query xmlns='http://jabber.org/protocol/disco#info'>
<identity category='conference' name='chat.example.com' type='text'/>
<feature var='http://jabber.org/protocol/muc'/>
<feature var='http://jabber.org/protocol/muc#unique'/>
</query>
</iq>
Disco#Items on a MUC Component
•
Once you know you have a conference server, you can ask for channel names
<iq from='chat.example.com' to='bob@example.com/Psi+' type='result' id='881a2076'>
<query xmlns='http://jabber.org/protocol/disco#items'>
<item jid='water_cooler@chat.example.com' name='I am a room title.'/>
<item jid='closed@chat.example.com' name='Closed, Go Away'/>
<item jid='open@chat.example.com' name='Open Discussion'/>
</query>
</iq>
Meta-Data: Disco#Info on a Channel
•
And the channel name allows you to ask for channel configuration and channel
user lists
<iq from='closed@chat.example.com' to='bob@example.com/Psi+' type='result' id='e8e0611c'>
<query xmlns='http://jabber.org/protocol/disco#info'>
<identity category='conference' name='Closed Channel' type='text'/>
<feature var='http://jabber.org/protocol/muc'/>
<feature var='http://jabber.org/protocol/muc#unique'/>
<feature var='muc_membersonly'/>
<feature var='muc_public'/>
<feature var='muc_passwordprotected'/>
<feature var='muc_persistent'/>
<feature var='muc_nonanonymous'/>
<x xmlns='jabber:x:data' type='result'>
<field var='FORM_TYPE' type='hidden'><value>http://jabber.org/protocol/muc#roominfo</value></field>
<field label='Description' var='muc#roominfo_description' type='text-single'>
<value>This is a listed, moderated, member-only, password-protected, persistent room.</value>
</field>
<field label='Subject Modifiable' var='muc#roominfo_subjectmod' type='boolean'><value>1</value></field>
<field label='Current Occupants' var='muc#roominfo_occupants' type='text-single'><value>0</value></field>
</x>
</query>
</iq>
User List: Disco#Items on a Channel
•
If you ask a channel for items, it gives you back the list of users
•
The names are not “usernames”, they’re channel nicknames
•
A user can have a different nickname per channel but clients define a more
structured experience
<iq from='open@chat.example.com' to='bob@example.com/Psi+' type='result' id='9f2584ae'>
<query xmlns='http://jabber.org/protocol/disco#items'>
<item jid='open@chat.example.com/Swift Boddington'/>
<item jid='open@chat.example.com/dick'/>
</query>
</iq>
Swift Boddington is the swift.im client which uses the full name by default. Dick is
from Psi+ which defaults to the username.
Group Chat is About Community
• Metadata needs to be available. It helps create a useable community, and
external partners are part of that community
• Humans love meaningful names; they help drive choice and decision
• bigbank_libor_research@example.com
• “Using Bermudan SWAPTIONs to limit BIGBANK exposure”
• Does example.com do business with BIGBANK and consider them a risk?
• Other data can be just as revealing
•
•
Is a room public or private?
•
Is the room invite-only, members-only, password protected?
•
Who spends time in the room? New employees or the heads of major divisions?
And configuration can guide your actions
•
Does the channel accept XHTML input and messages from non-members?
•
Will the channel reveal full user JIDs to channel participants and is it an open channel?
•
Can you request vCard information for channel participants?
47
Group Chat Visually
48
But Getting to Users is Hard
•
•
XEP-191: Simple Communications Blocking
•
You shouldn’t be able to enumerate users based on response differentiation
•
Or tell that someone is blocking you
•
Messages, Presence Probes, and IQs should all receive the same error: serviceunavailable
To find out about a user you need to know their full JID… the JID for a connected
resource
What is a JID?
If you see
It is…
example.com
This is a domain JID, the name of an XMPP
domain
chat.example.com
This is a component, another name which
offers specific services in the domain
bob@example.com
A bare JID, the main address of a user
bob@example.com/Psi+
A full JID, this specifies a running resource.
The resource ID should be random
fx_trading@chat.example.com
A MUC channel (it’s at the MUC component)
Fx_trading@chat.example.com/bob
A nickname in a MUC channel, this doesn’t
necessarily match a username
Disco#Info on a User
Disco#Info on a …
Yields
Bare JID, valid or invalid username
Service-Unavailable
Valid username + invalid resource ID
Service-Unavailable
Valid username + valid resource ID
Full Disco#Info results for the specific
client endpoint
We can use MUC nicknames to guess at valid usernames, but to enumerate an existing
account we also require a resource ID.
Weak Resource IDs
Client
Default Resource ID Behavior
Spark
“Spark 2.6.3”
Psi+
“Psi+”, user can choose to use hostname
Pidgin
The user must type one in
Exodus
Uses hostname, offers “Home”, “Work”, and
“Exodus” as other options
Citron IM
“citron.hostname”, but user can choose to use
only the hostname
Swift
Generated random value
Google Talk
Talk.v{version + random value}
iChat
unknown
vCards and Finding Users
•
So you need to guess a user name, but at the same time guess a resource ID and
have the right client connected while you’re doing it
•
If not impossible, this is certainly not practical
•
But contact information helps you decide if you have the correct person
•
•
Email address
•
Office address
•
Position and title
•
Full name
•
Picture
And that occurs before you establish a relationship
53
vCard-temp Enumeration
“If no vCard exists or the user does not exist, the server MUST return a stanza error, which
SHOULD be either <service-unavailable/> or <item-not-found/> (but the server MUST return
the same error condition in both cases to help prevent directory harvesting attacks).”
•
•
•
Resource IDs are hard, but it’s more effective to guess once you know a JID is valid
With vcard-temp the target user does not need to be connected
Oops…
54
Conclusion
What Did We Get?
•
Without exploiting poor server implementation we found:
•
Interesting services with a possible attack surface
•
Meta-data which, in practice, is detailed and confidential
•
Clues to existing user accounts
•
A way to enumerate those accounts
•
Our test platform has a more secure default configuration than most. Those
controls can be relaxed, and learning how to tighten them further is very difficult
•
A tool is planned to make this easier to do, but at the moment it’s a jumble of
C++ code built on top of an extended copy of Swiften
56
Just How Far Can You Go?
•
HTTP generally gets you into the DMZ, and may get you to a database sitting in
the corporate network
•
XMPP gets you into the DMZ, then into the internal network, and finally right
onto the desktops and mobile devices of every user in the company
•
Unified Communications gives you not only instant messaging to play with. You
have audio and video codecs, remote desktop and app sharing protocols, tie-ins
with calendaring systems, and even the PSTN network
57
And it’s complicated
Really complicated… so even if that server says it requires TLS to continue, does it?
Thank You
Jason Bubolz
• Security Analyst at iSEC Partners
• Formerly a developer and security architect for Parlano Inc., an enterprise groupchat company, and senior development lead on Microsoft Lync Server
• jason@isecpartners.com
Rachel Engel
• Senior Security Analyst at iSEC Partners
• Former developer for Parlano Inc., an enterprise group-chat company
• rachel@isecpartners.com
59
UK Offices
North American Offices
Australian Offices
Manchester - Head Office
San Francisco
Sydney
Cheltenham
Atlanta
Edinburgh
New York
Leatherhead
Seattle
London
Thame
European Offices
Amsterdam - Netherlands
Munich – Germany
Zurich - Switzerland
Title
• Copy here
• Copy here
• Copy here
• Copy here
• Copy here
• Copy here
Title
Subtitle
• Copy here
• Copy here
• Copy here
• Copy here
Subtitle
• Copy here
• Copy here
• Copy here
• Copy here
Title (Image Slide)
Title (Table Slide)
(£m)
(£m)
%
Copy here
0
0
0
0
Heading
0
0
0
0
Copy here
0
0
0
0
Copy here
0
0
0
0
Total
0
0
0
0
Heading
Caption
Download