[ejabberd] Possible security issue with ejabberd 2.1.2 (format string attack) ?

Badlop badlop at gmail.com
Thu May 27 15:24:55 MSD 2010


2010/5/27 SegFault <segfaultmaker at gmail.com>:
> I'm not an expert, but I was running tests with OpenVAS (the open-source Nessus
> equivalent) to test my server, and here is what it said under jabber-server
> (5269/tcp):
> ---
> Reported by NVT "Generic format string" (1.3.6.1.4.1.25623.1.0.11133):
>
> The remote service is vulnerable to a format string attack
> An attacker may use this flaw to execute arbitrary code on this host.
>
> Solution : upgrade your software or contact your vendor and inform it of
> this vulnerability
> See also : http://www.securityfocus.com/archive/1/81565
> Risk factor : High
> ---
>
> Of course it seems to be a generic routine, as it didn't identify ejabberd,
> and of course the link it gives seems dead....
> As the report is quite scary (execute arbitrary code, risk high), I would
> like to know if the flaw is confirmed, a false positive, or unsure.
> (If it's a false positive, it might be a good idea to warn the OpenVAS people
> about this in the hope they can correct that.)


I installed OpenVAS 2.0.3 from Debian sid package.
It found problems in my openssh and mysql, so I updated those :)

Regarding ejabberd, I installed and tested:
ejabberd 2.1.x, 2.1.3, 2.1.2, 2.1.1, 2.1.0

During the tests, ejabberd got connections to the listening ports.
I had all OpenVAS components enabled, 12157 in total.

So, I couldn't reproduce what you say.

As you pointed out, the message you got is generic, and the URL doesn't
provide more details.
Reading your comment, it seems the program first connects to
ejabberd's 5269 S2S port, sends some strings, and decides there's a
vulnerability.

One way to learn more details is to sniff the traffic to that port.
In my tests, this is the traffic logged:


$ sudo tcpflow -i lo -ec tcp port 5269
tcpflow[28215]: listening on lo

127.000.000.001.49928-127.000.000.001.05269:
GET / HTTP/1.0

127.000.000.001.05269-127.000.000.001.49928:
<?xml version='1.0'?><stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
 xmlns='jabber:server' xmlns:db='jabber:server:dialback' id='1975864844'>
 <stream:error><xml-not-well-formed
xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
 </stream:error></stream:stream>

127.000.000.001.50015-127.000.000.001.05269:
are you dead ?

127.000.000.001.05269-127.000.000.001.50015:
<?xml version='1.0'?><stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
 xmlns='jabber:server' xmlns:db='jabber:server:dialback' id='1940265211'>
 <stream:error><xml-not-well-formed
xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
 </stream:error></stream:stream>

127.000.000.001.50025-127.000.000.001.05269:
are you dead ?

127.000.000.001.05269-127.000.000.001.50025:
<?xml version='1.0'?><stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
 xmlns='jabber:server' xmlns:db='jabber:server:dialback' id='324160281'>
 <stream:error><xml-not-well-formed
xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
 </stream:error></stream:stream>

127.000.000.001.38034-127.000.000.001.05269:
are you dead ?

127.000.000.001.05269-127.000.000.001.38034:
<?xml version='1.0'?><stream:stream
xmlns:stream='http://etherx.jabber.org/streams'
 xmlns='jabber:server' xmlns:db='jabber:server:dialback' id='1751587745'>
 <stream:error><xml-not-well-formed
xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>
 </stream:error></stream:stream>



---
Badlop
ProcessOne
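
A small script to reproduce this kind of check by hand, so a report like the one above can be verified without re-running the whole scanner. This is an added example, not code from the original message, from OpenVAS or from ejabberd. It replays the probes visible in the tcpflow capture ("GET / HTTP/1.0" and "are you dead ?"); the format-string probe in the middle is an assumption about what a "generic format string" check sends, since those bytes are not in the capture. The sample server answer is copied from the capture so the script runs offline against an in-memory fake socket; pass a host and port to run it against a real S2S port.

```python
import socket
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
XMPP_STREAMS_NS = "urn:ietf:params:xml:ns:xmpp-streams"

# Probes, one fresh TCP connection each (the capture shows a new source port
# per probe). The middle one is an ASSUMED format-string probe; the capture
# only shows the first and last strings.
PROBES = [
    b"GET / HTTP/1.0\r\n\r\n",
    b"%s%s%s%s%s%s%n\r\n",  # assumption: typical generic format-string probe
    b"are you dead ?\r\n",
]

# Constructed sample: the ejabberd answer copied from the tcpflow capture.
SAMPLE_RESPONSE = (
    b"<?xml version='1.0'?><stream:stream "
    b"xmlns:stream='http://etherx.jabber.org/streams' "
    b"xmlns='jabber:server' xmlns:db='jabber:server:dialback' id='1975864844'>"
    b" <stream:error><xml-not-well-formed "
    b"xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
    b" </stream:error></stream:stream>"
)


def classify_response(data: bytes) -> str:
    """Classify what the port sent back: 'stream-error:<condition>' when the
    server answered with a closed XMPP stream carrying a <stream:error>,
    'stream-open' when it only opened a stream, 'not-xmpp' otherwise."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # An opened-but-unclosed <stream:stream> is not a complete document.
        return "stream-open" if b"<stream:stream" in data else "not-xmpp"
    if root.tag != "{%s}stream" % STREAM_NS:
        return "not-xmpp"
    err = root.find("{%s}error" % STREAM_NS)
    if err is None:
        return "stream-open"
    for child in err:  # the defined condition element, e.g. xml-not-well-formed
        if child.tag.startswith("{%s}" % XMPP_STREAMS_NS):
            return "stream-error:" + child.tag.split("}", 1)[1]
    return "stream-error:unknown"


def run_probes(connect, probes=PROBES, timeout=5.0):
    """Send each probe on its own connection and classify the answer.
    `connect` is a zero-argument callable returning a socket-like object."""
    results = []
    for probe in probes:
        try:
            s = connect()
        except OSError as exc:
            results.append((probe, "connect-failed:%s" % exc))
            continue
        chunks = []
        try:
            s.settimeout(timeout)
            s.sendall(probe)
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # server kept the stream open; classify what we got
        except OSError as exc:
            results.append((probe, "io-error:%s" % exc))
            continue
        finally:
            s.close()
        results.append((probe, classify_response(b"".join(chunks))))
    return results


def still_alive(results) -> bool:
    """Liveness verdict: the last probe ('are you dead ?') still got an XMPP
    answer after the format-string probe, so the service did not crash."""
    return results[-1][1].startswith("stream-")


class FakeSocket:
    """In-memory socket stand-in replaying a canned server answer (offline)."""

    def __init__(self, reply=SAMPLE_RESPONSE):
        self._reply = reply

    def settimeout(self, t):
        pass

    def sendall(self, data):
        pass

    def recv(self, n):
        out, self._reply = self._reply[:n], self._reply[n:]
        return out

    def close(self):
        pass


def tcp_connect(host, port):
    return lambda: socket.create_connection((host, port))


if __name__ == "__main__":
    import sys
    connect = tcp_connect(sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else FakeSocket
    results = run_probes(connect)
    for probe, verdict in results:
        print("%-28r -> %s" % (probe, verdict))
    print("service still answering:", still_alive(results))
```

The check the scanner performs is a liveness heuristic: it sends garbage, then asks whether the port still answers. A reply classified as `stream-error:xml-not-well-formed` means ejabberd parsed the input as broken XML, reported it in a well-formed stream error and closed the stream, which is the expected behaviour for an S2S port and is evidence for a false positive rather than for a format-string flaw.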

