[standards-jig] S5B vulnerability

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Sun Dec 7 05:52:13 UTC 2003


It seems that it is possible to hijack a connection rather easily with S5B 
when there are two private networks involved.

------
Network 1 - external: 123.123.123.123, internal: 192.168.0.x
Client A - 192.168.0.32
------

------
Network 2 - external: 213.213.213.213, internal: 192.168.0.x
Client B - 192.168.0.40
Client C - 192.168.0.32
------

Client A wishes to contact Client B, and sends an S5B iq packet containing 
123.123.123.123 and 192.168.0.32 as streamhosts.  Client C, the attacker, 
simply needs to set his machine's IP address to the same as Client A.  When 
Client B tries to connect to 192.168.0.32, it will end up connecting to the 
attacker.  Because the SOCKS authentication is not mutual, the attacker does 
not have to worry about providing any credentials to the target.

Please correct me if I am wrong.

-Justin
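The handshake the post describes, as an added example that is not part of the original message or of any Jabber client. It models the SOCKS5 Bytestreams exchange from XEP-0065 (the DST.ADDR the target sends is SHA1 of SID + initiator JID + target JID as a hex string, with ATYP 0x03 and DST.PORT 0) and the two-LAN layout from the post. Assumptions: the JIDs and SID are constructed sample values, the "wire" is an in-memory method call rather than a TCP socket so the script runs offline, and Client A's NAT is taken not to forward the S5B port, so Client B's first attempt (the external address) times out and it falls through to 192.168.0.32, which on network 2 is the attacker.

```python
import hashlib

SOCKS_VER, CMD_CONNECT, ATYP_DOMAIN = 0x05, 0x01, 0x03
REP_SUCCESS, REP_FAILURE, NO_AUTH = 0x00, 0x01, 0x00


def s5b_dst_addr(sid, initiator_jid, target_jid):
    """DST.ADDR for the S5B CONNECT (XEP-0065): SHA1 hex of SID + initiator JID + target JID.
    It is sent by the target, so it identifies the target to the streamhost, never the reverse."""
    return hashlib.sha1((sid + initiator_jid + target_jid).encode("utf-8")).hexdigest()


def build_connect(dst_addr):
    """SOCKS5 CONNECT with a domain-name address and DST.PORT=0, as S5B uses it."""
    addr = dst_addr.encode("ascii")
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(addr)]) + addr + b"\x00\x00"


def parse_connect(req):
    """Return DST.ADDR from a SOCKS5 CONNECT with ATYP=0x03, or None if malformed."""
    if len(req) < 7 or req[0] != SOCKS_VER or req[1] != CMD_CONNECT or req[3] != ATYP_DOMAIN:
        return None
    n = req[4]
    if len(req) != 5 + n + 2:
        return None
    try:
        return req[5:5 + n].decode("ascii")
    except UnicodeDecodeError:
        return None


def build_reply(rep, dst_addr):
    """SOCKS5 reply; a success reply simply echoes the requested DST.ADDR."""
    addr = dst_addr.encode("ascii")
    return bytes([SOCKS_VER, rep, 0x00, ATYP_DOMAIN, len(addr)]) + addr + b"\x00\x00"


class StreamHost:
    """A SOCKS5 streamhost behind the in-memory wire. The legitimate host (the initiator)
    accepts only the DST.ADDR it expects; the attacker passes expected=None and accepts
    whatever the target asks for, since nothing in the protocol requires it to prove anything."""

    def __init__(self, name, expected=None):
        self.name, self.expected = name, expected
        self.accepted = []  # DST.ADDR values this host has accepted

    def greet(self, hello):
        # RFC 1928 method selection; S5B uses "no authentication required".
        if len(hello) >= 2 and hello[0] == SOCKS_VER and NO_AUTH in hello[2:2 + hello[1]]:
            return bytes([SOCKS_VER, NO_AUTH])
        return bytes([SOCKS_VER, 0xFF])

    def connect(self, req):
        dst = parse_connect(req)
        if dst is None:
            return build_reply(REP_FAILURE, "")
        if self.expected is not None and dst != self.expected:
            return build_reply(REP_FAILURE, dst)
        self.accepted.append(dst)  # an attacker learns the hash from the request itself
        return build_reply(REP_SUCCESS, dst)


def target_connect(advertised, reachable, dst_addr):
    """Target side: try the advertised streamhosts in order and return (ip, host, reply)
    for the first SOCKS5 handshake that succeeds. `reachable` maps an advertised IP to
    the host the target's LAN actually delivers the connection to; a missing entry
    stands for a TCP connect that times out."""
    for ip in advertised:
        host = reachable.get(ip)
        if host is None:
            continue
        if host.greet(bytes([SOCKS_VER, 0x01, NO_AUTH])) != bytes([SOCKS_VER, NO_AUTH]):
            continue
        reply = host.connect(build_connect(dst_addr))
        if len(reply) >= 2 and reply[0] == SOCKS_VER and reply[1] == REP_SUCCESS:
            return ip, host, reply
    return None, None, None


def run_hijack():
    """The scenario from the post. SID and JIDs are constructed sample values."""
    dst = s5b_dst_addr("mySID", "a@example.org/home", "b@example.org/work")
    client_a = StreamHost("Client A (initiator, 192.168.0.32 on network 1)", expected=dst)
    client_c = StreamHost("Client C (attacker, 192.168.0.32 on network 2)")
    advertised = ["123.123.123.123", "192.168.0.32"]  # A's external address, then its LAN address
    # Assumption: seen from B on network 2, A's external address is unreachable (no port
    # forward on A's NAT) and 192.168.0.32 is C's machine, which copied A's LAN address.
    reachable_from_b = {"192.168.0.32": client_c}
    ip, host, reply = target_connect(advertised, reachable_from_b, dst)
    attacker_learned = list(client_c.accepted)
    initiator_contacted = bool(client_a.accepted)
    legit_reply = client_a.connect(build_connect(dst))  # what the real A would have answered
    return {
        "connected_to": ip,
        "host": host.name if host else None,
        "attacker_learned": attacker_learned,
        "initiator_contacted": initiator_contacted,
        "reply_indistinguishable": reply == legit_reply,
    }


if __name__ == "__main__":
    for key, value in run_hijack().items():
        print(f"{key}: {value}")
```

The `reachable` table stands in for routing on Client B's LAN; everything else is the real byte layout of the handshake. The result shows the property the post relies on: the only value exchanged, the SHA1 DST.ADDR, travels from the target to whichever host answered on 192.168.0.32, and the success reply that host sends is identical to the one the genuine initiator would send, so the target has nothing with which to tell them apart.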
