XSF Discussion - 2022-08-14


  1. Tobias

    https://www.blackhat.com/us-22/briefings/schedule/index.html#xmpp-stanza-smuggling-or-how-i-hacked-zoom-26618

  2. Menel

    Interesting. Is this the problem of using full XML libraries? Or is that something else?

  3. Louis

    > Kev: Right, partial compliance is common. For example, everyone claims to support data forms just because they have a parser for it, maybe use it in IBR. But the XEP allows for data forms being sent in messages and tracked by thread ID... I've not found a client that supports that well yet. So do they "support" data forms or not? I would need the feature for staff to report.

  4. flow

    Menel, I wouldn't say so; the advantages of using an XML library IMHO always outweigh the drawbacks.

  5. moparisthebest

    Tobias: same one we talked about in May, right? https://bugs.chromium.org/p/project-zero/issues/detail?id=2254

  6. moparisthebest

    Gloox is still vulnerable, and the dev hasn't replied to email: https://camaya.net/gloox/changelog/

  7. moparisthebest

    (Luckily?) The only XMPP client we found that uses it is https://github.com/pulkomandy/Renga which, due to targeting Haiku, has limited users, but they are all still vulnerable to this day if using the wrong server.

  8. moparisthebest

    It also likely doesn't have an "install this code" command like Zoom...

  9. Guus

    Did someone create a set of susceptible XML snippets? That would be handy to implement more testing.

  10. Tobias

    moparisthebest: yes. Looks like the same. Just presented at black hat