[standards-jig] S5B vulnerability

Jacek Konieczny jajcus at bnet.pl
Sun Dec 7 10:00:34 UTC 2003


On Sat, Dec 06, 2003 at 09:52:13PM -0800, Justin Karneges wrote:
> Client A wishes to contact Client B, and sends an S5B iq packet containing 
> 123.123.123.123 and 192.168.0.32 as streamhosts.  Client C, the attacker, 
> simply needs to set his machine's IP address to the same as Client A.  When 
> Client B tries to connect to 192.168.0.32, it will end up connecting to the 
> attacker.  Because the SOCKS authentication is not mutual, the attacker does 
> not have to worry about providing any credentials to the target.

SOCKS5 Bytestreams don't use a regular SOCKS proxy, but a special one
that uses Jabber <iq/> packets in addition to SOCKS user/password for
stream authentication. This way the attacker would also need to spoof the
JID used by ClientA, which is not that easy.

Greets,
        Jacek


