Hi,
On Mar 25, 2006, at 6:32 AM, Robert B Quattlebaum, Jr. wrote:
I was thinking the other day about a specific type of denial-of-
service attack which may possibly affect a number of servers in
active use today.
Imagine a c2s connection that has already been set up and is now
moving top-level stanzas. What would happen if I sent
<message to="[EMAIL PROTECTED]"><body>
Followed by a stream of random UTF-8 characters? Assuming that
those random characters do not happen to contain <, >, or & (which
is pretty easy to ensure), I would imagine that the process which
has the XML parser would get larger and larger until the process
would run out of memory. Boom.
This attack (in spirit) doesn't require a fully established jabber
stream, it only needs an opportunity to inject a large amount of
data into an XML element that is inside of a top-level stanza. This
attack could possibly work for attributes as well.
Limiting the size of a single stanza may or may not fix the
problem, depending on implementation. If the stanza size filter is
applied to the stanza after it has been parsed, then this isn't
good enough--the attack will still be successful because the stanza
will never finish parsing. However, if the parser kept track of how
large the stanza was getting as it was parsing it, then this attack
can be avoided.
Any thoughts, or other methods of preventing this attack from being
successful? Or has this already been considered and "fixed"?
Another variant:
Open a TCP connection to a Jabber server and send a
<streeeeeeeeeam> stanza, making sure you use a lot of 'e's.
Unless your XML parser has DoS detection and prevention, like over-x-
bytes node names, attributes, values and data, you are vulnerable to
these.
Best regards,
--
HIId: Pedro Melo
SMTP: [EMAIL PROTECTED]
XMPP: [EMAIL PROTECTED]
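The mitigation both messages point at (Robert's "keep track of how large the stanza is getting as it is parsed" and Pedro's "over-x-bytes" limits on names, attributes and data), as an added example that is not code from this thread or from any Jabber server it discusses. It wraps Python's incremental expat parser; the 64 KiB stanza budget, the 256-byte name budget, the stream header and the two flood payloads are all constructed assumptions for the demonstration.

```python
"""Stanza-size guard for a streaming XML parser (added example, not code
from the thread).  Byte limits are checked as data arrives, before the
parser buffers it, so an unterminated <body> or a huge tag name trips the
guard long before the process runs out of memory."""
import xml.parsers.expat


class StanzaTooLarge(Exception):
    """Raised when a connection exceeds a byte budget; the server should
    close the stream rather than keep parsing."""


class StanzaReader:
    """Incremental c2s reader.  Both limits are assumed values."""

    def __init__(self, max_stanza_bytes=64 * 1024, max_name_bytes=256):
        self.max_stanza_bytes = max_stanza_bytes  # budget per top-level stanza
        self.max_name_bytes = max_name_bytes      # budget per element/attribute name
        self.depth = 0        # 1 = inside <stream:stream>, 2 = inside a stanza
        self.total = 0        # raw bytes fed so far
        self.mark = 0         # byte offset where the current budget started
        self.completed = []   # names of fully parsed top-level stanzas
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end

    def _start(self, name, attrs):
        # Only reachable once expat has seen the whole start tag, so this
        # catches long names that did complete; the byte budget in feed()
        # catches a <streeeee...> tag that never does.
        names = [name] + list(attrs)
        if any(len(n.encode("utf-8")) > self.max_name_bytes for n in names):
            raise StanzaTooLarge("name over %d bytes" % self.max_name_bytes)
        self.depth += 1
        if self.depth == 1:
            self.mark = self.parser.CurrentByteIndex  # stream header parsed

    def _end(self, name):
        self.depth -= 1
        if self.depth == 1:
            # A top-level stanza finished: record it and reset the budget.
            self.completed.append(name)
            self.mark = self.parser.CurrentByteIndex

    def feed(self, data):
        """Feed raw bytes from the socket.  The check runs before the parser
        sees the data, so no stanza can make it buffer more than the budget
        plus one socket read."""
        self.total += len(data)
        if self.total - self.mark > self.max_stanza_bytes:
            raise StanzaTooLarge("stanza over %d bytes" % self.max_stanza_bytes)
        self.parser.Parse(data, False)   # handler exceptions propagate here


# Constructed stream header standing in for a real c2s session.
HEADER = (b"<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
          b"xmlns:stream='http://etherx.jabber.org/streams' to='example.org'>")


def parse_legit(reader):
    """Two well-formed stanzas; returns the names the reader completed."""
    reader.feed(HEADER)
    reader.feed(b"<message to='victim@example.org'><body>hello</body></message>")
    reader.feed(b"<presence/>")
    return list(reader.completed)


def flood_body(reader, chunk_size=4096, max_chunks=1000):
    """Robert's attack: open <body> and pour delimiter-free UTF-8 into it.
    Returns payload bytes accepted before the guard tripped, or None if
    the reader swallowed all max_chunks without complaint."""
    reader.feed(HEADER)
    reader.feed(b"<message to='victim@example.org'><body>")
    chunk = ("\u00e9" * (chunk_size // 2)).encode("utf-8")  # no <, > or &
    accepted = 0
    for _ in range(max_chunks):
        try:
            reader.feed(chunk)
        except StanzaTooLarge:
            return accepted
        accepted += len(chunk)
    return None


def flood_tag_name(reader, name_len=100_000, chunk_size=4096):
    """Pedro's variant: a <streeee...am> open tag with a huge name.
    Returns True if the reader rejected it."""
    payload = b"<stre" + b"e" * name_len + b"am>"
    try:
        for i in range(0, len(payload), chunk_size):
            reader.feed(payload[i:i + chunk_size])
    except StanzaTooLarge:
        return True
    return False


if __name__ == "__main__":
    print(parse_legit(StanzaReader()))
    print(flood_body(StanzaReader()), flood_tag_name(StanzaReader()))
```

The point of checking in `feed()` rather than on a finished stanza is the one Robert makes: a stanza filter that runs after parsing never runs, because the stanza never finishes. The byte budget is deliberately coarse (it overshoots by at most one socket read, and counts whitespace keep-alives between stanzas), and a real server would still want an upper bound on the whole connection buffer and on what the stanza handler allocates after parsing.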