#1147 Changing "to" address mid-negotiation causes privilege escalation from anonymous account to normal account
Reporter
nonfreepizza
Owner
MattJ
Created
Updated
Stars
★ (1)
Tags
Security
Type-Defect
Priority-High
Status-Fixed
Milestone-0.9
nonfreepizza
on
What steps will reproduce the problem?
1. Set up Prosody with at least two VirtualHosts, at least one of which has the SASL ANONYMOUS mechanism enabled and at least one of the remainder does not
2. Disallow users on an anonymous VirtualHost from sending stanzas to remote addresses
3. Connect a client to the anonymous VirtualHost and complete authentication with <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="ANONYMOUS"/>
4. Reset the stream but with the "to" attribute addressed to a VirtualHost which neither has SASL ANONYMOUS enabled nor disallows remote stanzas from being sent
5. Bind a resource as normal
6. Attempt to send remote stanzas
What is the expected output?
Prosody doesn't allow me to switch to a more privileged VirtualHost from one that disallows remote stanzas (or switch hosts at all for that matter)
What do you see instead?
Prosody routes stanzas normally as though I were connected to a legitimate, authenticated account on the main VirtualHost (albeit with a randomly generated localpart)
What version of the product are you using? On what operating system?
0.10.1 on GNU/Linux
Please provide any additional information below.
I tested the "new account" and discovered that stanzas addressed to the temporary account were ignored (not routed to the account) unless it was an error stanza
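To make the host-switch concrete from the server side, here is an added toy model (not Prosody's code) of stream-restart handling: a vulnerable handler that rebinds the session to whatever "to" each stream header names, beside a hardened one that refuses a restart naming a different host once the session has authenticated. The host names, mechanism lists and the remote-send policy are constructed to mirror the setup in the steps above.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed per-VirtualHost policy, mirroring the setup in the report:
# one host offers SASL ANONYMOUS and forbids remote stanzas, the other does not.
HOSTS = {
    "anon.example": {"sasl": {"ANONYMOUS"}, "remote_allowed": False},
    "main.example": {"sasl": {"PLAIN"}, "remote_allowed": True},
}

class StreamError(Exception):
    pass

@dataclass
class Session:
    host: Optional[str] = None
    username: Optional[str] = None

def authenticate(session: Session, mechanism: str) -> None:
    # Only mechanisms offered by the host the stream was opened to are accepted.
    if mechanism not in HOSTS[session.host]["sasl"]:
        raise StreamError("invalid-mechanism")
    session.username = "random-localpart" if mechanism == "ANONYMOUS" else "alice"

def stream_header_vulnerable(session: Session, to: str) -> None:
    """Trusts the 'to' of every header: a restart after SASL moves the session."""
    if to not in HOSTS:
        raise StreamError("host-unknown")
    session.host = to

def stream_header_hardened(session: Session, to: str) -> None:
    """After authentication, a restart naming a different host is refused."""
    if to not in HOSTS:
        raise StreamError("host-unknown")
    if session.username is not None and to != session.host:
        raise StreamError("not-authorized")
    session.host = to

def replay_report(handler: Callable[[Session, str], None]) -> str:
    """Steps 3-6: anonymous auth on anon.example, restart to main.example,
    then check which host's remote-send policy now governs the session."""
    session = Session()
    handler(session, "anon.example")
    authenticate(session, "ANONYMOUS")
    try:
        handler(session, "main.example")  # the mid-negotiation 'to' switch
    except StreamError as err:
        return "restart rejected: " + str(err)
    return "remote allowed" if HOSTS[session.host]["remote_allowed"] else "remote denied"
```

The vulnerable handler ends with the anonymous session governed by main.example's policy, which is the escalation described; the hardened one rejects the restart while still permitting a restart that names the same host.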
Zash
on
Thanks for the report.
We have developed a test case and verified the issue.
This appears to have been introduced in commit 3e3171b59028.
Changes
tags Status-Started Milestone-0.9
MattJ
on
Assigned CVE-2018-10847.
Distribution security contacts notified.
Embargo until 2018-05-31.
Embargo ended. 0.10.2 and 0.9.14 have been released. https://prosody.im/security/advisory_20180531/ Thanks again for the report.
Changes
tags Status-Fixed