[ejabberd] Possible security issue with ejabberd 2.1.2 (format string attack) ?

Konstantin Khomoutov flatworm at users.sourceforge.net
Thu May 27 15:23:40 MSD 2010


On Thu, 27 May 2010 10:06:06 +0200
SegFault <segfaultmaker at gmail.com> wrote:

> I'm not an expert, but I was running test with OpenVAS (nessus
> equivalent in opensource) to test my server and here what he said
> under jabber-server (5269/tcp) :
> ---
> Reported by NVT "Generic format string" (1.3.6.1.4.1.25623.1.0.11133):
> 
> 
> The remote service is vulnerable to a format string attack
> An attacker may use this flaw to execute arbitrary code on this host.
> 
> 
> Solution : upgrade your software or contact your vendor and inform it
> of this
> vulnerability
> See also : http://www.securityfocus.com/archive/1/81565
> Risk factor : High
> ---
>
> Of course it seems to be a generic routine as he didn't identified
> ejabberd, and of the course the link it give seems dead....
> As the report is quite scary : execute arbitrary code, risk high ; I
> would like to know if the flaw is confirmed, false positive, or
> unsure. (If it's a false positive, It might be a good idea to warn
> OpenVAS people about this with hope they can correct that).

Out of curiosity, I got the script by that OID (accessible from the main
page of the OpenVAS site) and looked at it -- the script does nothing
more than sending two strings over the socket and analyzing the returned
data. If I manually telnet to 5269 of my ejabberd 2.0.5 and paste
each of those strings to the remote, I get back the standard XML stanza
with the "XML not well-formed" error reported followed by socket
disconnect. That is expected behaviour. And yes, I doubt that ejabberd
internals apply any sort of sscanf() to the incoming XML streams it
processes. So I'm inclined to call this report a false positive.


More information about the ejabberd mailing list