
XMPP Stanza Smuggling or How I Hacked Zoom

Conference:  Black Hat USA 2022

2022-08-11

Summary

Stanza smuggling attacks are a dangerous and underexplored attack surface in the XMPP protocol that can be found using fuzzing. These attacks can lead to message spoofing, interception of private communication, and even zero-click RCE.
The speaker demonstrated a zero-click RCE attack on Zoom using stanza smuggling. The attack involved intercepting the victim's communication and launching a payload in the background after the victim updated Zoom. Instead of launching the updated version of Zoom, the victim's computer launched a calculator. This attack was possible due to a vulnerability in the XMPP protocol that allowed for stanza smuggling.

Abstract

XMPP is a popular instant messaging protocol based on XML that is used in messengers, online games and other applications. This talk will introduce a new way of attacking XMPP client software: XMPP stanza smuggling. More specifically, it will show how seemingly subtle quirks in XML parsing can be exploited to "smuggle" attacker-controlled XMPP control messages to the victim client and how the design of the XMPP protocol makes it especially susceptible to such issues. It will be demonstrated how such issues led to 0-click remote code execution in the Zoom client. While Zoom is used as an example throughout the talk and to demonstrate the maximum impact achievable, the XMPP bugs presented are not specific to Zoom.
