[ejabberd] Possible security issue with ejabberd 2.1.2 (format string attack) ?

Sylvain Niles sylvain.niles at gmail.com
Thu May 27 22:43:50 MSD 2010


One other thing to keep in mind is that even if the formatted string were to
somehow exploit a flaw in ejabberd it would execute arbitrary code in the
Erlang VM. I don't believe you can store something like mnesia:delete in the
XML CDATA and actually have it be executed since it's never evaluated by the
running function, it is merely passed around stored in a tuple. The worst
case I could imagine is if they negotiated a successful anonymous stream and
attempted to DOS the router or IQ handler but the shapers should take care
of that without breaking a sweat.


On Thu, May 27, 2010 at 10:58 AM, SegFault <segfaultmaker at gmail.com> wrote:

> Hi,
>
> Thanks for your answer.
> I enabled all OpenVAS components, but they are updated using the command
> "openvas-nvt-sync"; I have about 17200 components. Don't know if the
> difference can come from here.
>
> On Thursday 27 May 2010 13:29:34, Badlop wrote:
> > > 2010/5/27 SegFault <segfaultmaker at gmail.com>:
> > >> I'm not an expert, but I was running a test with OpenVAS (nessus
> > >> equivalent in opensource) to test my server and here is what it said
> > >> under jabber-server (5269/tcp) :
> > >> ---
> >
> > >> Reported by NVT "Generic format string" (1.3.6.1.4.1.25623.1.0.11133):
> > Oh, I forgot an important sentence in my email:
> >
> > 2010/5/27 Badlop <badlop at gmail.com>:
> > > Regarding ejabberd, I installed and tested:
> > > ejabberd 2.1.x, 2.1.3, 2.1.2, 2.1.1, 2.1.0
> > >
> > > During the tests, ejabberd got connections to the listened ports.
> >
> > + "and finally OpenVAS didn't provide any warnings under the 5222,
> > 5269, ... ports, with any ejabberd version."
> >
> > > I had all OpenVAS components enabled, 12157 in total.
> > >
> > > So, I couldn't reproduce what you say.
> >
> > ---
> > Badlop
> > ProcessOne
> > _______________________________________________
> > ejabberd mailing list
> > ejabberd at jabber.ru
> > http://lists.jabber.ru/mailman/listinfo/ejabberd