[standards-jig] S5B vulnerability

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Sun Dec 7 21:40:31 UTC 2003


On Sunday 07 December 2003 02:00 am, Jacek Konieczny wrote:
> On Sat, Dec 06, 2003 at 09:52:13PM -0800, Justin Karneges wrote:
> > Client A wishes to contact Client B, and sends an S5B iq packet
> > containing 123.123.123.123 and 192.168.0.32 as streamhosts.  Client C,
> > the attacker, simply needs to set his machine's IP address to the same as
> > Client A.  When Client B tries to connect to 192.168.0.32, it will end up
> > connecting to the attacker.  Because the SOCKS authentication is not
> > mutual, the attacker does not have to worry about providing any
> > credentials to the target.
>
> SOCKS5 Bytestreams don't use a regular SOCKS proxy, but a special one
> that uses Jabber <iq/> packets in addition to SOCKS user/password for
> stream authentication. This means the attacker would also need to spoof the JID
> used by ClientA, which is not that easy.

The attacker does not need to send any iq packets.  The initiator sends the 
iq-set to the target.  The target, upon successful connection to the 
attacker, sends the iq-result to the initiator.

-Justin
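To make the non-mutual property concrete, here is an added example (not code from the thread or from any XEP-0065 implementation) that models the target side of the SOCKS5 Bytestreams handshake in memory. The DST.ADDR value is the hex SHA-1 of SID + initiator JID + target JID, as XEP-0065 specifies; everything else (the `AnyListener` class, `target_accepts`, the sample SID and JIDs) is constructed for illustration. The listener knows nothing about the session, yet the target's only check is the SOCKS5 success reply, so the handshake completes.

```python
import hashlib

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00   # XEP-0065 uses the "no authentication" method
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCESS = 0x00
REP_CMD_NOT_SUPPORTED = 0x07


def s5b_dst_addr(sid: str, initiator_jid: str, target_jid: str) -> str:
    """DST.ADDR as defined by XEP-0065: hex SHA-1 of SID + initiator JID + target JID."""
    return hashlib.sha1((sid + initiator_jid + target_jid).encode("utf-8")).hexdigest()


def build_connect(dst_addr: str) -> bytes:
    """SOCKS5 CONNECT request with a domain-type address and port 0."""
    addr = dst_addr.encode("ascii")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(addr)]) + addr + b"\x00\x00"


class AnyListener:
    """Hypothetical SOCKS5 listener that holds no session state at all.

    It accepts the no-auth method and echoes whatever DST.ADDR the target
    sends, which is all a host at the advertised streamhost address has to do.
    """

    def __init__(self):
        self.seen_dst = None  # the hash the target hands over, learned only from the target

    def greeting(self, data: bytes) -> bytes:
        if not data or data[0] != SOCKS_VERSION:
            return bytes([SOCKS_VERSION, 0xFF])
        nmethods = data[1]
        methods = data[2:2 + nmethods]
        if METHOD_NO_AUTH not in methods:
            return bytes([SOCKS_VERSION, 0xFF])  # no acceptable method
        return bytes([SOCKS_VERSION, METHOD_NO_AUTH])

    def request(self, data: bytes) -> bytes:
        ver, cmd, _rsv, atyp, alen = data[:5]
        if ver != SOCKS_VERSION or cmd != CMD_CONNECT or atyp != ATYP_DOMAIN:
            return bytes([SOCKS_VERSION, REP_CMD_NOT_SUPPORTED, 0x00, ATYP_DOMAIN, 0]) + b"\x00\x00"
        addr = data[5:5 + alen]
        self.seen_dst = addr.decode("ascii")
        # Reply "succeeded" and echo the bound address; no proof of identity is involved.
        return bytes([SOCKS_VERSION, REP_SUCCESS, 0x00, ATYP_DOMAIN, alen]) + addr + b"\x00\x00"


def target_accepts(listener, sid: str, initiator_jid: str, target_jid: str) -> bool:
    """Target-side handshake: the connection counts as established iff the
    listener negotiates no-auth and answers CONNECT with REP=0x00."""
    reply = listener.greeting(bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH]))
    if reply != bytes([SOCKS_VERSION, METHOD_NO_AUTH]):
        return False
    dst = s5b_dst_addr(sid, initiator_jid, target_jid)
    resp = listener.request(build_connect(dst))
    return len(resp) >= 2 and resp[0] == SOCKS_VERSION and resp[1] == REP_SUCCESS


if __name__ == "__main__":
    # Constructed sample values; the listener never sees the <iq/> that carried them.
    listener = AnyListener()
    ok = target_accepts(listener, "sid-0001", "a@example.org/home", "b@example.org/home")
    print("target accepted listener:", ok)
    print("listener learned DST.ADDR from the target:", listener.seen_dst)
```

The target's acceptance depends only on reaching a cooperative SOCKS5 listener at the address named in the iq-set; the listener proves nothing about who is behind it, and it even learns the session hash from the target's own CONNECT. That is the asymmetry the message above is pointing at: the iq-result the target then sends back to the initiator reflects a successful connection, not a verified peer.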


