Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#7024 closed defect (fixed)

Insecure loading of code over network

Reported by: ioerror Owned by: vardo
Priority: high Milestone: 0.15
Component: plugin system Version:
Severity: critical Keywords: security privacy
Cc: aagbsn@…, flo@… Blocked By:
Blocking: OS: All

Description

Bug description

When using the plugin "plugin installer" to install the OTR plugin, I noticed that Gajim loads code over the network. It does this over FTP without any encryption, authentication or integrity checking. A MITM attacker could leverage this bug to get code execution. At the very least, I would like this to be a TLS connection that only allows the connection if the fingerprint of the remote server is exactly as is expected - no CA nonsense, no concern for scale, just a fail closed method.

Additionally, I'd like to ensure that if this plugin touches the network, I'd like it to use a global proxy as suggested in #7023.

Steps to reproduce

Use the plugin installer plugin - use Wireshark to observe FTP transaction - hope no one replaces the code and roots your machine.

Software versions

This is current as of Gajim changeset: 13361:edee1e4ca03a

Attachments (1)

plugin_installer.py.vc.diff (1.0 KB) - added by Dicson 5 years ago.


Change History (11)

comment:1 follow-up: Changed 5 years ago by aagbsn

  • Cc aagbsn@… added

Are the plugin files reachable over HTTPS anywhere? I couldn't find anything on the website. HTTPS would be better than FTP. Unfortunately it looks like the SSL certificate presented for https://www.gajim.org has a CN of trac.gajim.org, so I get a certificate error. I've raised this as a separate issue here: #7040

Changed 5 years ago by Dicson

comment:2 Changed 5 years ago by Dicson

FTP TLS connection patch added, but we need to reconfigure the FTP server.

comment:3 in reply to: ↑ 1 Changed 5 years ago by Dicson

Replying to aagbsn:

Are the plugin files reachable over HTTPS anywhere?

https://trac-plugins.gajim.org/browser

comment:4 Changed 5 years ago by ioerror

Please ensure that you guys pin to the SSL cert that you expect - as I understand things ( https://trac.gajim.org/wiki/PersonalJunglecow ) with the ssl stack, keys and ssl/tls are sorta a mess.

If you hard code the fingerprint for the key expected or the ssl CA that you expect, it will at least mean that a MITM can't load code.

Good job on adding TLS quickly!
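Below is an added illustration of the pinning approach asked for in this comment; it is not Gajim's plugin_installer code nor the patch attached to this ticket. It assumes the installer fetches plugins with Python's ftplib over explicit FTPS (AUTH TLS); the host name and the expected fingerprint in the usage block are constructed placeholders. The SHA-256 fingerprint of the server's DER certificate is the only trust anchor: the CA chain and host name are not consulted, and any mismatch aborts the session before login, so nothing is ever downloaded from an unexpected endpoint.

```python
import hashlib
import hmac
import ssl
from ftplib import FTP_TLS


class PinMismatch(Exception):
    """Raised when the presented server certificate does not match the pin."""


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' and return lowercase hex with no separators."""
    return fp.replace(":", "").replace(" ", "").lower()


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_fingerprint: str) -> bool:
    """Constant-time comparison of the presented cert's fingerprint against the pin."""
    return hmac.compare_digest(cert_fingerprint(der_cert),
                               normalize_fingerprint(expected_fingerprint))


def open_pinned_ftp(host: str, expected_fingerprint: str, port: int = 21,
                    timeout: float = 30.0) -> FTP_TLS:
    """Open an explicit FTPS (AUTH TLS) session that only proceeds if the
    server certificate's SHA-256 fingerprint equals expected_fingerprint.

    CA validation and hostname checking are deliberately disabled in the
    context because the pin replaces both: a certificate from any CA, or a
    self-signed one, is rejected unless it is byte-for-byte the pinned one.
    Fails closed: any mismatch or error tears the connection down.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # replaced by the fingerprint pin
    ctx.verify_mode = ssl.CERT_NONE   # replaced by the fingerprint pin
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    ftp.connect(host, port)
    try:
        ftp.auth()  # sends AUTH TLS and wraps the control connection in TLS
        presented = ftp.sock.getpeercert(binary_form=True)  # DER bytes
        if presented is None or not pin_matches(presented, expected_fingerprint):
            raise PinMismatch(f"certificate fingerprint for {host} does not match pin")
        ftp.login()   # anonymous login, now inside the verified TLS session
        ftp.prot_p()  # data connections (the actual plugin download) also over TLS
    except Exception:
        ftp.close()
        raise
    return ftp


if __name__ == "__main__":
    # Constructed placeholders: substitute the real host and the fingerprint
    # taken out-of-band from the server's certificate before use.
    PLUGIN_HOST = "ftp.example.invalid"
    EXPECTED_SHA256 = "00" * 32
    session = open_pinned_ftp(PLUGIN_HOST, EXPECTED_SHA256)
    print(session.nlst())
    session.quit()
```

The pin value must be obtained out-of-band (for example from the operator, or with `openssl x509 -in server.pem -noout -fingerprint -sha256` on the known-good certificate) and shipped with the client; fetching it over the same FTP channel would defeat the purpose. Because a pinned certificate also has to be rotated in the client whenever the server's certificate changes, the installer should fail loudly with a clear message rather than fall back to an unpinned connection.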

comment:5 Changed 5 years ago by Flow_

  • Cc flo@… added

comment:6 Changed 5 years ago by Dicson

I tested this patch with my vsftpd server. I added these lines to vsftpd.conf:

ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
require_ssl_reuse=NO

I am not a security expert, but the installer works.

comment:7 Changed 5 years ago by asterix

I'm trying to generate a certificate, but for the moment I have problems with startssl ... Waiting for their reply.

comment:8 Changed 5 years ago by asterix

Got it working on ftp.gajim.org and tested your patch: it works. Could you push it please?

comment:9 Changed 5 years ago by Fomin Denis <fominde@…>

  • Milestone set to 0.15
  • Resolution set to fixed
  • Status changed from new to closed

(In [5dd92328985d]) plugin_installer. use TLS connection. fixes #7024

comment:10 Changed 4 years ago by Fomin Denis <fominde@…>

(In [df91bb577978]) plugin_installer. use TLS connection. fixes #7024
