[jdev] XMPPloit

Kevin Smith kevin at kismith.co.uk
Thu Aug 16 11:48:50 UTC 2012

On Thu, Aug 16, 2012 at 12:36 PM, Pedro Melo <melo at simplicidade.org> wrote:
> Hi,
> On Thu, Aug 16, 2012 at 11:12 AM, Kevin Smith <kevin at kismith.co.uk> wrote:
>> On Thu, Aug 16, 2012 at 10:50 AM, Pedro Melo <melo at simplicidade.org> wrote:
>>> came across this today and I haven't seen it mentioned here:
>>> http://www.pentestit.com/xmpploit-tool-attack-xmpp-connections/
>>> I haven't tested it yet, and the article is strong on claims and light
>>> on explanations on how it works, so take it with a grain of salt.
>> The claims they make seem sensible - everyone's known about the
>> possibility of such downgrade attacks since forever - which is why
>> clients generally won't allow both PLAIN and non-TLS at the same time.
>> What clients really need to do is cert pinning and mech pinning to
>> prevent these exploits in all but the first-login case.
> Yes. The author as a small demo video screencast of the tool in action here:
> http://www.ldelgado.es/index.php?dir=aplicaciones/xmpploit
> The initial plain-text part of the XMPP handshake will allow a MITM
> attack to downgrade the security. Only cert and mech pinning would
> work here.

It'll allow it to downgrade to no-TLS, but not to PLAIN, as clients
shouldn't be allowing PLAIN over connections without TLS.

But yes, pinning (or something similar) is the right solution to this.

> Didn't someone suggested a TXT DNS record for this sometime ago,
> mentioning the required methods and cert sig?

I don't recall - but for this attack to work you need to have already
compromised either routing or DNS - so in either case it wouldn't


More information about the JDev mailing list