Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unified Communications Information Loss Through the Front Door.

Similar presentations

Presentation on theme: "Unified Communications Information Loss Through the Front Door."— Presentation transcript:

1 Unified Communications Information Loss Through the Front Door

2 This Federation Thing

3 Federation is an Old Story Bob wants to send Alice a message, but he only knows her email address Bob doesn’t have any details about Alice’s mail server or who delivers his message How does Bob find the path to Alice?

4 MX: Gluing Email Together DNS provides the answer; MX records bind domains together The two domains can find each other and exchange messages without previously knowing anything about the other party This is federation The two domains may authenticate one another Each domain trusts the other to authenticate and identify their own user Non-authoritative answer: MX preference = 1, mail exchanger = MX preference = 1, mail exchanger = MX preference = 1, mail exchanger =

5 The Many Names of IM Instant messaging has failed at this for many years Multiple networks, multiple protocols, multiple user identities Instant messaging vendors want to own your attention

6 IM Federation Instant messaging is finally catching up to email You can have a single identity and still chat with all of your friends. That’s IM federation Instead of one protocol per network you now have SIP Or more importantly, you have XMPP

7 XMPP A brief and biased primer

8 What is XMPP? The Extensible Messaging and Presence Protocol A layer 7 transport to build flexible protocols Bound to other transports including TCP and HTTP A structured XML document built over time where each element creates another protocol element 3 main building blocks that are called stanzas

9 The building block of Instant Messages in XMPP A message has a body It can also have more A subject A thread a simple IM message

10 A message can get very complicated It can support multiple languages, threading references, XHTML formating… Values can be UNICODE because the XML character encoding should be UTF-8 A big example a simple IM message I don’t speak French ef993107 I can get complicated

11 But more importantly, it’s UDP or Push A message with an arbitrary payload is sent to a specific address You may get an error response back, but it’s not required While began as an IM it’s a building block for any kind of protocol

12 is multi-purpose It allows a resource to request access to information, to confirm or deny that access, and to send asynchronous updates when information changes And just like it’s a communications model for building more complex protocols: Publish-Subscribe or Broadcast Publish-Subscribe: Update Broadcast: away I am not here to take your call right now Join the Group Channel #xmpp_chat with nickname bobryan:

13 Presence relationships are long-lived Persistently stored in a database, and the server is responsible for maintaining them Presence relationships are one-way Bob may subscribe to Alice, but that doesn’t mean Alice subscribes to Bob This is very different than SIP, and can offer challenges in bridging the two protocols

14 IQ is Request-Response and it’s the workhorse of new XMPP interactions The requests have a type of get or set and must receive a response of result or error Requests must have at least one element in them that defines the request, and a successful result will have elements that contain the answer IQs can address anything which can be named: users, user endpoints, servers, components, channels… … must have an element that defines the request … Query the roster: Query information about an entity:

15 Extensible XMPP started in 1999 As such, there may be a little baggage to deal with 2 official collections of RFCs + “pre-standard” 314 registered extensions (XEPs), some with multiple versions But XMPP is designed for extension. It makes it really easy. It tries to advertise everything and let the user make their own choices

16 So Why All the XMPP Talk?

17 IM is a Social Toy, Right?

18 Business Critical Functionality

19 Security’s a User Problem Phishing & SPIM Malware Regulatory Compliance Sarbanes Oxley HIPPA Many others… We’re OK now 19

20 But IM Grew Up It’s now Unified Communications, and instant messaging is just a useful after-thought Unified Communications market estimates* $100’s M in 2007, $4B in 2011 PBX replacement lifecycle is 3-7 years 20

21 Meet your Next Phone It’s an IM client It’s a video phone It shares presentations, applications, your desktop… It’s always on It builds on many different protocols and has driver level access to your media devices And it is running on everything: your laptop, your desktop, your desk phone, your iPad, your mobile phone, in your web browser, in SharePoint… 21

22 FinServ and the IM Clearing House Since 1999 banks have tried to create a single, federated IM community But the bankers stayed where the money was 22

23 What the Private Sector Can’t Do For 10 years Fortune 500 companies couldn’t get the industry to standardize Governments and the US Department of Defense have spoken 23

24 And Hello Federation And the Department of Defense required what the business community has only been able to dream about All instant messaging and presence systems approved for sale to the US DoD must federate over XMPP and interoperate between vendors Services/UCCO/~/media/Files/DISA/Services/UCCO/UCR2008- Change-3/12UCR08Chg3Section57.pdf Services/UCCO/~/media/Files/DISA/Services/UCCO/UCR2008- Change-3/12UCR08Chg3Section57.pdf 24

25 The Front Door And what you can find if you open it

26 The stream is the XMPP transport It provides flow control, error handling, and a growing number of extension protocols In server 2 server it is uni-directional Stanzas flow from Client to Server Each end initiates their own stream The bidi extension addresses this interesting design choice Streams inherently have insecure introduction problems; TLS is negotiated from a clear-text beginning

27 Client Initiation Two different rule sets Client 2 Server, the jabber:client namespace Server 2 Server, the jabber:server namespace One version to cover more than a decade of rule changes Also can get “no version” Version=“0.9” This begins the “client to server” XML document

28 Server Response The server starts the same way, agreeing to namespace and reversing the to and from The server also sends the, the capabilities of the server “at this stage” The client selects based on capabilities, like TLS cipher suites And like TLS cipher suites… you can downgrade zlib EXTERNAL DIGEST-MD5 PLAIN

29 What Should Happen Each time an important feature is negotiated, the client must re-start the stream (over the same transport) So order for jabber:server should be: 1. with a and nothing else (establish stream security) 2.Client negotiates TLS and sends a new 3. with a and nothing else (establish client authentication) 4.Client negotiates SASL authentication and sends a new 5.Other features as appropriate But if you offer it the client can choose, and the previous slide said you can proceed without TLS, without authentication, and without even the weak DialBack mechanism 29

30 The XMPP Stream (S2S) 30

31 Taking Advantage of Complexity Not surprisingly people get it wrong A requirement for encryption and no plain-text passwords is subverted even when the server requires TLS to communicate

32 A Little More Clearly X-GOOGLE-TOKEN X-OAUTH2 But even after stating that TLS and a non-password authentication mechanism are required, will still accept a plaintext stream authenticated with a plaintext password.

33 Why Cheat When You Are Invited? The front door is open _xmpp-server._tcp.{the domain you’re interested in} points the way to jabber:server handler for the domain The bar to entry is hopefully a TLS implementation, a DNS entry, and a certificate that matches your domain name… but Important Bank may not want to talk to you They will almost certainly talk to,,, or another PIC (public internet cloud) provider So what can we discover without directly messaging a user?

34 Asking the Right Questions

35 Narrowing the Field SpecCore ServerCore ClientAdvanced ServerAdvanced Client RFC 3920RFC 3920 [2]2 ✓✓✓✓ RFC 3921RFC 3921 [3]3 ✓✓✓✓ Service DiscoveryService Discovery [4]4 ✓✓✓✓ Entity CapabilitiesEntity Capabilities [5]5 N/A ✓ ✓ Jabber Component ProtocolJabber Component Protocol [6]6 ✓ N/A ✓ Privacy ListsPrivacy Lists [7]7 ✕✕✓✕ Simple Communications BlockingSimple Communications Blocking [8]8 ✕✕✓✕ BOSHBOSH [9]9 ✕✕✓ * ✕ XMPP Over BOSHXMPP Over BOSH [10]10 ✕✕✓ * ✕ vcard-tempvcard-temp [11]11 ✕✕✓✓ Personal Eventing ProtocolPersonal Eventing Protocol [12]12 ✕✕✓✓ Multi-User ChatMulti-User Chat [13]13 ✕✕✓ * ✓ ** Chat State NotificationsChat State Notifications [14]14 N/A ✕ ✓

36 XEP-114: Jabber Components If we can get a component connection we have a trusted place on the XMPP network Perhaps we could brute-force passwords and gain external component status Practically, this isn’t rolled out in a way that gives us a large enough target space

37 XEP-115: Entity Capabilities Offers new nodes to Service Discovery Advertised through elements in stanzas Presence requires a direct message to a user and will likely pop up an Accept/Deny dialog

38 XEP-163: Personal Eventing Protocol The most interesting thing you can get here is GPS location changes if the client broadcasts this data Broadcast comes through stanzas Presence requires a direct message to a user and will likely pop up an Accept/Deny dialog

39 XEP-85: Chat State Notifications Knowing that the user is typing isn’t what we’re going for

40 So What IS Interesting? Service Discovery: walking the discovery chain tells us what the server implements, what components are connected, and anything else that the server decides to advertise Multi-User Chat: the meta-data available about a company through channel names, descriptions, configurations, and user lists can be staggering if the company is indiscrete Vcard-temp: it’s more useful than you think

41 Service Discovery: Disco#Info Tell me everything I want to know about you

42 Service Discovery: Disco#Items Tell me what other names you think I might be interested in

43 Disco#Items on a MUC Component Once you know you have a conference server, you can ask for channel names

44 Meta-Data: Disco#Info on a Channel And the channel name allows you to ask for channel configuration and channel user lists This is a listed, moderated, member-only, password-protected, persistent room. 1 0

45 Channel Types Tell me what other names you think I might be interested in

46 User List: Disco#Items on a Channel If you ask a channel for items, it gives you back the list of users The names are not “usernames”, they’re channel nicknames A user can have a different nickname per channel but clients define a more structured experience Swift Boddington is the client which uses the full name by default. Dick is from Psi+ which defaults to the username.

47 Group Chat is About Community Metadata needs to be available. It helps create a useable community, and external partners are part of that community Humans love meaningful names; they help drive choice and decision “Using Bermudan SWAPTIONs to limit BIGBANK exposure” Does do business with BIGBANK and consider them a risk? Other data can be just as revealing Is a room public or private? Is the room invite-only, members-only, password protected? Who spends time in the room? New employees or the heads of major divisions? And configuration can guide your actions Does the channel accept XHTML input and messages from non-members? Will the channel reveal full user JIDs to channel participants and is it an open channel? Can you request vCard information for channel participants? 47

48 Group Chat Visually 48

49 But Getting to Users is Hard XEP-191: Simple Communications Blocking You shouldn’t be able to enumerate users based on response differentiation Or tell that someone is blocking you Messages, Presence Probes, and IQs should all receive the same error: service- unavailable To find out about a user you need to know their full JID… the JID for a connected resource

50 What is a JID? If you seeIt is… example.comThis is a domain JID, the name of an XMPP domain chat.example.comThis is a component, another name which offers specific services in the domain bob@example.comA bare JID, the main address of a user full JID, this specifies a running resource. The resource ID should be random fx_trading@chat.example.comA MUC channel (it’s at the MUC component) nickname in a MUC channel, this doesn’t necessarily match a username

51 Disco#Info on a User Disco#Info on a …Yields Bare JID, valid or invalid usernameService-Unavailable Valid username + invalid resource IDService-Unavailable Valid username + valid resource IDFull Disco#Info results for the specific client endpoint We can use MUC nicknames to guess at valid usernames, but to enumerate an existing account we also require a resource ID.

52 Weak Resource IDs ClientDefault Resource ID Behavior Spark“Spark 2.6.3” Psi+“Psi+”, user can choose to use hostname PidginThe user must type one in ExodusUses hostname, offers “Home”, “Work”, and “Exodus” as other options Citron IM“citron.hostname”, but user can choose to use only the hostname SwiftGenerated random value Google TalkTalk.v{version + random value} iChatunknown

53 vCards and Finding Users So you need to guess a user name, but at the same time guess a resource ID and have the right client connected while you’re doing it If not impossible, this is certainly not practical But contact information helps you decide if you have the correct person Email address Office address Position and title Full name Picture And that occurs before you establish a relationship 53

54 vCard-temp Enumeration “If no vCard exists or the user does not exist, the server MUST return a stanza error, which SHOULD be either or (but the server MUST return the same error condition in both cases to help prevent directory harvesting attacks).” Resource IDs are hard, but it’s more effective to guess once you know a JID is valid With vcard-temp the target user does not need to be connected Oops… 54

55 Conclusion

56 What Did We Get? Without exploiting poor server implementation we found: Interesting services with a possible attack surface Meta-data which, in practice, is detailed and confidential Clues to existing user accounts A way to enumerate those accounts Our test platform has a more secure default configuration than most. Those controls can be relaxed, and learning how to tighten them further is very difficult A tool is planned to make this easier to do, but at the moment it’s a jumble of C++ code built on top of an extended copy of Swiften 56

57 Just How Far Can You Go? HTTP generally gets you into the DMZ, and may get you to a database sitting in the corporate network XMPP gets you into the DMZ, then into the internal network, and finally right onto the desktops and mobile devices of every user in the company Unified Communications gives you not only instant messaging to play with. You have audio and video codecs, remote desktop and app sharing protocols, tie-ins with calendaring systems, and even the PSTN network 57

58 And it’s complicated Really complicated… so even if that server says it requires TLS to continue, does it?

59 Thank You Jason Bubolz Security Analyst at iSEC Partners Formerly a developer and security architect for Parlano Inc., an enterprise group- chat company, and senior development lead on Microsoft Lync Server Rachel Engel Senior Security Analyst at iSEC Partners Former developer for Parlano Inc., an enterprise group-chat company 59

60 UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland

61 Title Copy here

62 Title Subtitle Copy here Subtitle Copy here

63 Title (Image Slide)

64 Title (Table Slide) Caption (£m) % Heading Copy here0000 Heading0000 Copy here0000 0000 Total0000

Download ppt "Unified Communications Information Loss Through the Front Door."

Similar presentations

Ads by Google