XMPP Service Operators - 2021-12-10


  1. ernst.on.tour

    Somebody working with Apache and/or log4j? Have a look at CVE-2021-44228. Will kill my weekend 😕

  2. MattJ

    Confirmed that Tigase is not vulnerable, but I haven't looked into Openfire

  3. Wojtek

    yeah, we don't use log4j

  4. moparisthebest

    I thought people switched to logback ages ago, apparently not

  5. jonas’

    thinking that people upgraded ages ago is always dangerous

  6. TheCoffeMaker

    Thinking is dangerous (?) 🤣

  7. jonas’

    ~thinking~ that people upgraded ages ago is always a dangerous assumption

  8. jonas’

    TheCoffeMaker, there I fixed it ;)

  9. TheCoffeMaker

    lol

  10. MattJ

    Openfire apparently vulnerable: https://discourse.igniterealtime.org/t/openfire-4-6-5-released/91108

  11. MattJ

    That will be fun. There are a lot of poorly-maintained Openfire installations around...

  12. tom

    openfire still works?

  13. tom

    when I try to open the client it just is a blank white window

  14. Sapotaceae

    The log4j vuln is already being abused in wild

  15. ernst.on.tour

    Yeah, just left the company after 16h of work, colleagues will stay. My turn will be tomorrow again. There are pictures of Amazon and other big players being hacked, seems to be a big impact. Each jar which uses log4j and opens a port will possibly be attackable.

  16. moparisthebest

    I guess we could exploit the openfire bug to upgrade openfire for them

  17. MattJ

    Not the first time such a suggestion has been made about Openfire :P

  18. MattJ

    Though it's been a while

  19. moparisthebest

    https://twitter.com/cyb3rops/status/1469343827228086278 accurate

  20. Martin

    Has Openfire a bad record?

  21. MattJ

    The biggest one was the failure to check the username of password changes. In XMPP you send a <username>youruser</username><password>new-password</password>, but Openfire didn't check that the username was your username

  22. MattJ

    So you could set any user's password, including the default 'admin' account

  23. MattJ

    Which in turn could be used to log into the web admin that is served by default

  24. moparisthebest

    That's awesome

  25. MattJ

    Combine that with the numerous web interface flaws and the fact that many Openfire admins just run it as root (or Windows equivalent), and... yeah

  26. moparisthebest

    Actually the main npm registry just had the same bug

  27. mathieui

    https://twitter.com/kikta/status/1469388635954978822 love it

  28. mathieui

    Oops wrong MUC my bad (still relevant but unintended)

  29. tom

    java?

  30. Menel

    > in the case of Minecraft, attackers were able to get remote code execution on Minecraft servers by simply pasting the malicious string into the chat box. Everything is just broken... We always have to remind ourselves.

  31. kahlb

    Probably relevant for those worrying about log4j: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

  32. Maranda

    Huhu, I vaguely recall there's a lot of Java in Ubiquiti firmware...

  33. Maranda

    That's gonna be fun.

  34. kahlb

    I've never seen a vuln that is so critical and so easy to exploit. Compared to this, Heartbleed was rocket science and more limited in its impact. We're gonna be veeeery busy with this one for the next months...

  35. MattJ

    In fairness Heartbleed was quite a bit more widespread, as the "market share" of OpenSSL is quite large, covering most things that do TLS

  36. MattJ

    Many systems don't run Java services, and those that do don't necessarily run log4j (of the 2 publicly-accessible Java services I admin, neither uses log4j)

  37. tom

    I really want to have a centralized password/login management across my xmpp server, dovecot imap, INN nntp, and ssh unix system

  38. tom

    is ldap the way to do that?

  39. tom

    I'm not familiar with LDAP

  40. MattJ

    LDAP is probably the best way to do that, yes... everything supports it

  41. ij

    can confirm

  42. tom

    also, is there a way with such a centralized login system to only allow certain users or groups access to, say, the XMPP service, SSH shell accounts, IMAP, and network news?

  43. tom

    Are there any good resources you can point me to for getting started with it then?

  44. tom

    at least understanding the system

  45. ij

    you can use groups and ldap filters to limit access to certain groups

  46. tom

    If I'm understanding right, LDAP isn't used alone. It's part of a larger OpenLDAP + Kerberos + session tickets system, yes?

  47. moparisthebest

    tom: I do that with accounts in a SQL database

  48. tom

    I've done that before with a sql database and a python library

  49. tom

    but it becomes a bit tricky when you want to use existing software, or not just validate passwords but have things like session tickets and only allow access to some systems

  50. moparisthebest

    Nginx, prosody, dovecot, postfix, nextcloud etc etc all use the same user+pass

  51. ij always sees messages from tom twice… hmmm

  52. tom

    ij, no idea why looks normal from my side

  53. moparisthebest

    Each account has a Boolean column that grants/denies access to each service

  54. tom

    but then how do you handle other attributes, like home directory, Unix user groups,

  55. tom

    gecos

  56. tom

    nicknames

  57. tom

    allowed email FROM addresses

  58. moparisthebest

    tom: I use postfixadmin which handles all that, I added the other columns for XMPP and http etc later

  59. Martin

    > The biggest one was the failure to check the username of password changes. In XMPP you send a <username>youruser</username><password>new-password</password>, but Openfire didn't check that the username was your username
    > So you could set any user's password, including the default 'admin' account
    > Which in turn could be used to log into the web admin that is served by default
    😳

  60. moparisthebest

    Same exact bug https://github.blog/2021-11-15-githubs-commitment-to-npm-ecosystem-security/#security-issues-related-to-the-npm-registry

  61. tom

    does anyone know of a good guide for getting started with OpenLDAP central authentication?