Chat server fuzzing, Part 1. The Beginning

This article (along with subsequent articles) will cover thejourney I've taken in learning about the XMPP (eXtensible Messaging andPresence Protocol) standard and how I used that knowledge to fuzz variousservers, starting with the eJabberd server available from the ejabberdcommunity. The ejabberd server is also supported by a for profit company.

When installing the chat server on a public facing interfaceyou want to make sure that it is secure. And one way to verify that is toperform black box fuzzing. Fuzzing for those who are unaware is the process ofsubmitting invalid or random data to a server application using an automatedtool. This process will allow the security researcher to identify variousdefects in how the application handles each of those inputs. Crashing theapplication as a result of the problematic data usually indicates that there isa defect within the program, which could possibly be exploited by a bad actor.

The first step of this long and arduous path begins with asingle installation of the eJabberd chat server. eJabberd is written in erLang,which is an unusual choice for a chat server since most tend to be written in javaand sometimes in C\C++. The latest version of the server is available from theeJabberd web site located here and it wasa matter of downloading the installer and then running it. A few minutes laterI had a functioning XMPP server up and running.

The next step was to verify that my chat software couldconnect to it. This would ensure that I had correctly installed the server andthat it was functioning normally. I used two clients, iChat from Apple andAdium from the Adium Team. I ran both clientssimultaneously and could send messages between them. So far everything seemedon the "up and up."

Now to the good stuff, I hoped. I downloaded the tools xmpp-fuzzerand gizmo from Google Code. Three years ago, Ava LaTrope first released thegizmo tool at DEF CON 17, you can see her presentation on YouTube, and the xml-fuzzerwas found through a google search. However, right off the bat I ran into problemswith the xmpp-fuzzer, it seems it was not compatible with my 64 bit OS Xinstallation. So I had to download and rebuild it from source, which includedgetting the appropriate Java bits, like the SWT library. What a pain in theneck it was to get this to build. But after struggling with variousconfiguration issues, I was able to get it to finally build and run.

At this time I pointed the fuzzer towards my local versionof eJabberd and hoped for the best. I waited and waited, and nothing. Seemsthat the xmp-fuzzer wasn't as robust as the "Prototype 0.1" label led me tobelieve. So I decided to re-evaluate my decision to go with the prototypicalxmpp fuzzing tool. I was aware that there are several other tools out there,including Peach and Sulley that will support fuzzing the XMPP server once the properconfiguration (magic) incantations are made. So I put the xmpp-fuzzer test on hold and began downloading Peach.

In part 2 of this series I will cover the installation andconfiguration of the Peach fuzzing platform and how I use it in my search forsuccessful XMPP fuzzing. Part 3 will cover the installation and configurationof the Sulley platform and a comparison with the Peach platform. Part 4 willfocus on other XMPP servers as well as a final attempt to get the original xmpp-fuzzertool to successfully fuzz a XMPP server. I also plan on using the gizmo tool to log and monitor my fuzzing efforts.

You may be wondering why I am spending all ofthis time on a single topic that has limited applicability to a large audience.The answer is that the XMPP standard has become so successful in its adoptionthat it has also started to go unnoticed in its ubiquity. For example, Googleand Facebook support it as well as AOL, Apache, Apple, Cisco, Oracle, Siemens, andYahoo along with hundreds of smaller companies. Even Skype is beginning tosupport the standard.

Stay tuned.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.