Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Cisco Jabber: XMPP Stanza Smuggling with stream:stream tag - 984

ifratric - Google Project Zero, posted 3 years ago
  • Cisco Jabber is a video conferencing service, similar to Zoom. For instant messaging it uses XMPP, an XML-based protocol. Within XMPP, short snippets of XML called stanzas are sent over a stream connection, and the client parses them with the Gloox XMPP library. Both control and message requests travel over the same stream.
  • Following similar research on Zoom, the question is: what if a message stanza could be smuggled into the control part of the stream? In Zoom, this was done using a Unicode decoding difference between the client and the server.
  • Cisco modified the Gloox XMPP library in a few places. While parsing XMPP stanzas, the original library exits upon seeing a new stream:stream tag, effectively ignoring the attempted escape. In the Cisco version, however, the function cleanup() is called in this code block instead. This resets the parser state, and any XML tag seen after this point becomes the new root tag.
  • Now an attacker can arbitrarily control the data in the stream, which allows control messages and other stanzas to be injected on the server side. This simple reset of the parser is what makes it possible. Nothing is said about what can be done with this exploit; with Zoom, though, the equivalent bug led to code execution. Overall, an interesting bug and a variant of the Zoom one!
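To make the parser-state point concrete, here is a toy stanza framer I wrote for this page; it is an added illustration, not Gloox, Cisco or Project Zero code. It models one stream with a `stream:stream` root and tracks the open-element stack the way a streaming XML parser would, dispatching a stanza only when it closes back at depth 1. The `reset_on_nested_stream` flag stands in for Cisco's `cleanup()` behaviour (the stack is thrown away and the nested tag becomes the new root); the other branch models the original behaviour of stopping on a nested root. The sample streams, the function name and the flag name are my own constructions.

```python
"""Toy model of XMPP stanza framing, with and without a parser-state reset on a nested root tag."""
import re
from typing import Optional

# Minimal start/end/self-closing tag matcher; attribute values may not contain '>' in this toy.
TAG_RE = re.compile(r"<(/?)([A-Za-z_:][\w:.-]*)([^>]*?)(/?)>")


def frame_stanzas(stream: str, reset_on_nested_stream: bool) -> tuple[list[str], Optional[str]]:
    """Return (names of dispatched top-level stanzas, framing error or None).

    reset_on_nested_stream=True  -> the defective behaviour described above: a nested
                                    <stream:stream> wipes the element stack, so whatever
                                    follows it is treated as a top-level stanza.
    reset_on_nested_stream=False -> the strict behaviour: a nested root is a framing error
                                    and processing stops; nothing inside it is dispatched.
    """
    stack: list[str] = []   # open element names; stack[0] is the one legitimate stream root
    dispatched: list[str] = []  # completed top-level stanzas, in stream order
    for m in TAG_RE.finditer(stream):
        closing, name, _attrs, selfclosing = m.groups()
        if name == "stream:stream" and not closing:
            if not stack:
                stack.append(name)          # first root: legitimate stream open
                continue
            if reset_on_nested_stream:
                stack = [name]              # defect: enclosing stanza context is forgotten
                continue
            return dispatched, "nested stream:stream: stream closed"
        if closing:
            if not stack or stack[-1] != name:
                return dispatched, f"mismatched closing tag </{name}>"
            stack.pop()
            if len(stack) == 1:             # a direct child of the root just completed
                dispatched.append(name)
        elif selfclosing:
            if len(stack) == 1:
                dispatched.append(name)
        else:
            stack.append(name)
    return dispatched, None


# Constructed sample streams (not captured traffic). In SMUGGLED_STREAM the second message's
# body carries a nested <stream:stream> followed by an <iq> stanza that should never be
# treated as a control message.
BENIGN_STREAM = (
    '<stream:stream xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">'
    '<message from="alice"><body>hello</body></message>'
    '<presence from="alice"/>'
)
SMUGGLED_STREAM = (
    '<stream:stream xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">'
    '<message from="alice"><body>hello</body></message>'
    '<message from="mallory"><body><stream:stream><iq type="set"><query/></iq></body></message>'
)

if __name__ == "__main__":
    for label, flag in (("reset (defective)", True), ("strict", False)):
        print(label, frame_stanzas(SMUGGLED_STREAM, reset_on_nested_stream=flag))
```

With the strict branch the framer returns only the benign `message` and then reports the nested root as a stream error; with the reset branch the `iq` inside the message body is dispatched as if it were a top-level control stanza, which is exactly the escape the reset makes possible. The detection lesson for a parser of any framed protocol is the same: a start-of-stream marker seen while elements are still open should end the session, never re-initialise the parser in place.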