XMPP Stanza Smuggling or How I Hacked Zoom

Presented at Black Hat USA 2022, Aug. 11, 2022, 11:20 a.m. (40 minutes)

XMPP is a popular instant messaging protocol based on XML that is used in messengers, online games and other applications.

This talk will introduce a new way of attacking XMPP client software: XMPP stanza smuggling. More specifically, it will show how seemingly subtle quirks in XML parsing can be exploited to "smuggle" attacker-controlled XMPP control messages to the victim client, and how the design of the XMPP protocol makes it especially susceptible to such issues. It will also demonstrate how such issues led to 0-click remote code execution in the Zoom client.

While Zoom is used as an example throughout the talk and to demonstrate the maximum impact achievable, the XMPP bugs presented are not specific to Zoom.


Presenters:

  • Ivan Fratric - Security Researcher, Google Project Zero
    Ivan Fratric is a security researcher at Google Project Zero, where he currently focuses on browser security, remote attack surfaces in applications and fuzzing. Previously, he worked on the Google Security Team and, before that, at the University of Zagreb where he also received his PhD. He has been publishing security research for over a decade and is the author of multiple open-source security tools.
