Miranda TLS MitM with XMPP/Jabber protocol

[Jan Schejbal <jan.mailinglisten () googlemail com>]

The Miranda IM instant messaging software silently falls back to 
unencrypted connections if a Jabber/XMPP server does not report that it 
supports TLS, even if "Use TLS" is checked. This allows an active 
attacker to perform MitM attacks on Jabber/XMPP connections which the 
user assumes to be secure.

Proof of concept MitM server attached.

Miranda IM team was notified via bugtracker. Issue was closed without 
being fixed, probably because of confusion with another, similar issue 
(posted here before, seemingly unrelated configuration settings could 
completely disable TLS, that one was fixed). I commented twice that this 
bug is not fixed, but no response was seen.

Workaround: Use SSL.

Attachment: mirandamitm.pl
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/