#1381 Dialback without dialback arbitrary host impersonation
Reporter
Zash
Owner
Zash
Created
Updated
Stars
★ (1)
Tags
Status-Fixed
Security
Type-Defect
Milestone-0.11
Priority-High
Zash
on
What steps will reproduce the problem?
0. A remote server with `dialback_without_dialback = true` set
1. Establish outgoing s2s connection with certificate authentication
2. Send <db:result id='x' to="victim.example" from="impersonated.example"/>
What is the expected output?
Rejected because no valid certificate for 'impersonated.example' and eventually failed dialback.
What do you see instead?
<db:result id='x' type='valid' to='impersonated.example' from='victim.example'/>
What version of the product are you using?
Affects 0.10.0 until current trunk.
Please provide any additional information below.
mod_dialback with d-w-d enabled passes the hostname to be authenticated to the function
`check_cert_status(session)`, which uses `session.from_host` or `.to_host` as the identity to validate the certificate against.
Thus, if this is done on a connection already authenticated via certificate, future attempts will always succeed.
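An added illustration of the identity-check mistake described in this report (it is not Prosody's code, and the session model, field names and `handle_db_result` are assumptions): the flawed check validates whichever host the session was opened by, so a cert-authenticated peer gets a `valid` answer for any `from` it names, while the corrected check validates the hostname actually requested.

```python
# Constructed model of a server-to-server session: it records the peer's
# hostname and the set of names the peer's certificate was validated for.
from dataclasses import dataclass, field


@dataclass
class Session:
    from_host: str                  # remote host on an incoming connection
    to_host: str                    # remote host on an outgoing connection
    direction: str                  # "incoming" or "outgoing"
    cert_identities: set = field(default_factory=set)  # names the cert matched


def peer_host(session):
    """Hostname of the other side of this connection."""
    return session.from_host if session.direction == "incoming" else session.to_host


def check_cert_status_vulnerable(session, requested_host=None):
    # Flawed: ignores the hostname named in the dialback request and only
    # asks whether the connection's own peer host was certified. On a
    # connection that already passed certificate auth this is always true.
    return peer_host(session) in session.cert_identities


def check_cert_status_fixed(session, requested_host):
    # Corrected: the identity under test is the hostname the request
    # claims to speak for, not the host that opened the connection.
    return requested_host in session.cert_identities


def handle_db_result(session, db_from, check):
    """Answer a <db:result from=db_from/> with the type attribute to send back."""
    return "valid" if check(session, db_from) else "invalid"
```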
Whole D-W-D feature removed in https://hg.prosody.im/trunk/rev/d0e9ffccdef9. A fix can be seen in https://hg.prosody.im/trunk/rev/6be890ca492e, but overall confidence with the workings of the feature, along with low likelihood of being used, led us to remove it instead.