#1147 Changing "to" address mid-negotiation causes privilege escalation from anonymous account to normal account

Reporter nonfreepizza
Owner MattJ
Stars ★ (1)
  • Priority-High
  • Status-Fixed
  • Security
  • Type-Defect
  • Milestone-0.9
  1. nonfreepizza on

    What steps will reproduce the problem?

    1. Set up Prosody with at least two VirtualHosts, at least one of which has the SASL ANONYMOUS mechanism enabled and at least one of the remainder does not
    2. Disallow users on an anonymous VirtualHost from sending stanzas to remote addresses
    3. Connect a client to the anonymous VirtualHost and complete authentication with <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="ANONYMOUS"/>
    4. Reset the stream but with the "to" attribute addressed to a VirtualHost which neither has SASL ANONYMOUS enabled nor disallows remote stanzas from being sent
    5. Bind a resource as normal
    6. Attempt to send remote stanzas

    What is the expected output?

    Prosody doesn't allow me to switch to a more privileged VirtualHost from one that disallows remote stanzas (or switch hosts at all for that matter)

    What do you see instead?

    Prosody routes stanzas normally as though I were connected to a legitimate, authenticated account on the main VirtualHost (albeit with a randomly generated localpart)

    What version of the product are you using? On what operating system?

    0.10.1 on GNU/Linux

    Please provide any additional information below.

    I tested the "new account" and discovered that stanzas addressed to the temporary account were ignored (not routed to the account) unless it was an error stanza

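The defect described in the report is that a stream restart after SASL is allowed to re-home the session to whatever VirtualHost the new "to" attribute names. The toy session model below, added here as an illustration and not Prosody's own code, shows the check a server needs at that point: once a session has authenticated, its host is pinned, and a restart naming a different host is refused with a stream error. The host names, configuration flags, the `pin_host` switch and all function names are assumptions made for the example; the `pin_host=False` path only exists to contrast the pinned behaviour with the unpinned one.

```python
"""Toy model of an XMPP client-to-server session illustrating host pinning
across stream restarts. Added example, not Prosody's implementation; host
names, flags and function names are assumptions made for the illustration."""

from dataclasses import dataclass
from typing import Optional

# Constructed VirtualHost configuration (assumed names and flags).
HOSTS = {
    "anon.example": {"anonymous": True, "allow_remote": False},
    "example.com": {"anonymous": False, "allow_remote": True},
}


class StreamError(Exception):
    """Stands in for sending a <stream:error/> and closing the connection."""


@dataclass
class Session:
    host: Optional[str] = None      # VirtualHost this stream is bound to
    authenticated: bool = False
    mechanism: Optional[str] = None
    resource: Optional[str] = None
    pin_host: bool = True           # False reproduces the reported behaviour


def open_stream(session: Session, to: str) -> None:
    """Handle a <stream:stream to="..."> header, including restarts."""
    if to not in HOSTS:
        raise StreamError("host-unknown")
    if session.pin_host and session.authenticated and session.host != to:
        # The SASL identity belongs to session.host; a restart that names a
        # different host must not silently move the session there.
        raise StreamError("not-authorized")
    session.host = to


def authenticate(session: Session, mechanism: str) -> None:
    """Accept a SASL mechanism only if the current host offers it."""
    if session.host is None:
        raise StreamError("not-authorized")
    if mechanism == "ANONYMOUS" and not HOSTS[session.host]["anonymous"]:
        raise StreamError("invalid-mechanism")
    session.authenticated = True
    session.mechanism = mechanism


def bind(session: Session, resource: str = "client") -> str:
    """Bind a resource and return the full JID (constructed localpart)."""
    if not session.authenticated:
        raise StreamError("not-authorized")
    session.resource = resource
    return f"user@{session.host}/{resource}"


def can_send_remote(session: Session) -> bool:
    """Remote routing is a property of the host the session is bound to."""
    return session.resource is not None and HOSTS[session.host]["allow_remote"]


def run_scenario(pin_host: bool) -> dict:
    """Replay the steps from the report and record what the server allowed."""
    s = Session(pin_host=pin_host)
    open_stream(s, "anon.example")          # step 3: anonymous host
    authenticate(s, "ANONYMOUS")
    try:
        open_stream(s, "example.com")       # step 4: restart with a new "to"
        switched = True
    except StreamError:
        switched = False                    # pinned session stays put
    jid = bind(s)                           # step 5
    return {
        "switched": switched,
        "host": s.host,
        "jid": jid,
        "remote_allowed": can_send_remote(s),   # step 6
    }


if __name__ == "__main__":
    print("unpinned:", run_scenario(pin_host=False))
    print("pinned:  ", run_scenario(pin_host=True))
```

With `pin_host=False` the session ends up bound on `example.com` with remote routing allowed, which is the observed behaviour in the report; with the check in place the restart is refused and the session keeps the anonymous host's restrictions.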
  2. Zash on

    Thanks for the report. We have developed a test case and verified the issue. This appears to have been introduced in commit 3e3171b59028.

    • tags Milestone-0.9 Status-Started
  3. MattJ on

    Assigned CVE-2018-10847. Distribution security contacts notified. Embargo until 2018-05-31.

    • owner MattJ
  4. Zash on

    Embargo ended. 0.10.2 and 0.9.14 have been released. https://prosody.im/security/advisory_20180531/ Thanks again for the report.

    • tags Hidden Status-Fixed
