
Gajim presence can DoS XMPPTCPConnection


#1

As mentioned in the timestamp parsing thread, it is an embarrassingly dumb idea to crash your connection on attacker-controlled “invalid” input. If the attacker in question happens to be an outdated version of Gajim (like the latest 1.1.2 release), the following happens:

<presence id="39f94b2c-2397-4ad7-86b1-3ded01d900c0" to="censored/yaxim" from="muc/participant">
  <show>error</show>
  <c xmlns="http://jabber.org/protocol/caps" ver="KV4qaXUgvEqhWE7WEJoqvO6gTYA=" hash="sha-1" node="http://gajim.org"/>
  <x xmlns="vcard-temp:x:update"/>
  <x xmlns="http://jabber.org/protocol/muc#user"><item affiliation="none" role="participant"/></x>
  <delay xmlns="urn:xmpp:delay" stamp="2019-02-09T18:19:23Z" from="censored" />
</presence>

And then this:

AbstractXMPPConnection: Connection XMPPTCPConnection[censored/yaxim] (0) closed with error
AbstractXMPPConnection: java.lang.IllegalArgumentException: No enum constant org.jivesoftware.smack.packet.Presence.Mode.error
AbstractXMPPConnection:        at java.lang.Enum.valueOf(Enum.java:257)
AbstractXMPPConnection:        at org.jivesoftware.smack.packet.Presence$Mode.valueOf(Presence.java:395)
AbstractXMPPConnection:        at org.jivesoftware.smack.packet.Presence$Mode.fromString(Presence.java:432)
AbstractXMPPConnection:        at org.jivesoftware.smack.util.PacketParserUtils.parsePresence(PacketParserUtils.java:544)
AbstractXMPPConnection:        at org.jivesoftware.smack.util.PacketParserUtils.parseStanza(PacketParserUtils.java:159)
AbstractXMPPConnection:        at org.jivesoftware.smack.AbstractXMPPConnection.parseAndProcessStanza(AbstractXMPPConnection.java:1050)
AbstractXMPPConnection:        at org.jivesoftware.smack.tcp.XMPPTCPConnection.access$500(XMPPTCPConnection.java:151)
AbstractXMPPConnection:        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1078)
AbstractXMPPConnection:        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:1034)
AbstractXMPPConnection:        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:1050)
AbstractXMPPConnection:        at java.lang.Thread.run(Thread.java:764)

#2

I think I have explained to you the rationale and how you can prevent this from terminating the connection (set up a parsing exception callback) multiple times already.

I am not sure why the ‘invalid’ is in quotes; a value of ‘error’ for the ‘show’ element is not specified, nor are custom values allowed, so it violates the XMPP standard (cf. RFC 6121 § 4.7.2.1).
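
The failure mode from this thread next to the containment approach post #2 refers to, as an added example that is not part of either post and is not Smack code: a strict enum parse of `<show/>` that ends a reader loop, beside a loop that hands the failure to a callback and keeps reading. The class, method and callback names are hypothetical, and the input list is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.BiConsumer;
// Added illustration, not Smack code. All names here are hypothetical.
public class PresenceShowDemo {
    // The four <show/> values defined in RFC 6121 § 4.7.2.1.
    enum Mode { chat, away, xa, dnd }

    // Strict parse: Enum.valueOf throws IllegalArgumentException on "error".
    static Mode parseShow(String text) {
        return Mode.valueOf(text);
    }

    // Fragile reader: one unparsable stanza escapes the loop and ends the session.
    static List<Mode> readFragile(List<String> showValues) {
        List<Mode> seen = new ArrayList<>();
        for (String v : showValues) {
            seen.add(parseShow(v));
        }
        return seen;
    }

    // Contained reader: the failure is scoped to the offending stanza and
    // handed to a callback; the loop keeps processing what follows.
    static List<Mode> readContained(List<String> showValues,
                                    BiConsumer<String, Exception> onUnparsable) {
        List<Mode> seen = new ArrayList<>();
        for (String v : showValues) {
            try {
                seen.add(parseShow(v));
            } catch (IllegalArgumentException e) {
                onUnparsable.accept(v, e);
            }
        }
        return seen;
    }

    public static void main(String[] args) {
        // Constructed input: the middle value is the one from the stanza above.
        List<String> incoming = List.of("away", "error", "dnd");
        try {
            readFragile(incoming);
        } catch (IllegalArgumentException e) {
            System.out.println("fragile reader stopped: " + e.getMessage());
        }
        List<Mode> ok = readContained(incoming, (v, e) ->
            System.out.println("dropped stanza with <show>" + v + "</show>"));
        System.out.println("contained reader delivered: " + ok);
    }
}
```

With the constructed input, the fragile reader stops at the second value and never reaches `dnd`, while the contained reader reports the bad stanza and still delivers `away` and `dnd`.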