| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Sep 2011 22:37:47 +0200 From: Boldizsar Bencsath <boldi@...l2005.etl.hu> To: bugtraq@...urityfocus.com Subject: secureURL.php design flaws CrySyS Lab Security Advisory - secureURL.php design flaws Affected Software: secureURL 2.0 by Nguyen Quoc Bao URL e.g. http://www.phpclasses.org/package/2556-PHP-Encrypt-the-parameters-passed-in-link-URLs.html Product description: secureURL encrypts URL parameters and additionally protects it by checksum, thus an attacker cannot see the 'real' GET parameters of the website and disables malcious parties to fabricate modified URL parameters. The checksum protection is optional. Vulnerability: Design flaws make it possible to find out hash of the secret used for URL generation. The problem enables malicious parties to calculate checksum over fabricated URL parameters. The design flaws render the system ineffective against attacks and gives only false sense of security. Found by: BME CrySyS Lab, B. Bencsath, L. Buttyan, G. Pek; www.crysys.hu 1. Problem description 1.1. Decryption attack by known cleartext-ciphertext pairs secureURL.php encryption mechanism for URL parameters uses simple XOR operation for protecting URLs. The key used for the XOR is the md5 sum of the user defined key. The parameters are passed in Base64 format. In function crypt($text,$key): $key = md5($key); ... ($crypt .= chr(ord($text[$i]) ^ ord($key[$j])); The usage of XOR makes the system prone to basic attacks. Let's consider a known crypt URL. The attacker can educated guess or by other means (access to source code, other side channels) can find the cleartext parameter pair for the known crypt URL thus a known cleartext-ciphertext pair is available to him or her. Because of the properties of the XOR operation, the attacker can easily calculate the values of the key buffer (the value of the md5 sum of the key). $key[$i]= chr(ord($crypt[$i])) ^ chr(ord($text[$i]); Of course, the original key cannot be recovered by this, but any other URL can be decrypted by this information. 1.2. Attacks against checksum protection if hash of the secet is known In 1.1. the attacker can identify the hash of the key, but not the hash itself. However, due to the other design flaw, the information about the hash of the key is enough to falsify or fabricate URL parameters. The corresponding PHP code for the operation in function hash($text) is: return dechex(crc32(md5($text) . md5($this->key))); If md5(key) is known, and it is from attack 1.1, then the attacker can construct proper "hash" for any fabricated URL in this step without knowing the original key itself. 1.3. How long URL is needed for attack 1.1? The XOR uses only the hex string representation of the MD5 hash of the string, therefore it is 32 characters long but each character represents only a nibble (4 bits) of the hash. Therefore, for obtaining all the bits of the key at least 32-byte long cleartext-ciphertext pair is needed. If the URL is longer than 32 bytes, then the encryption reuses the same key string. 1.4. What if parts of the key is missing It can happen, that parts of the known cleartext-ciphertext pair is missing as the attacker does not have anough information on that (e.g. last 2 bytes or such). Considering that the attacker cannot guess some bits, but the checksum function is in use, the attacker can go for a brute-force search for the missing bits. The search ends if the resulting checksum is correct for the case and the server accepts it. By this technique, the missing bits can be found and used up onwards. 2. Fix To fix the solution, a redesign should be done. Instead of XOR and CRC32, cryptographically secure functions should be used (AES, SHA-256), and design should consider attacks. A variety of schemes are available in related books. The MD should not be based on the same key as the encryption. They can be originated from the same secret, but with proper technique. For hash, a shortening of HMAC scheme can be considered. The key should not be the same that is used for encryption. 3. History The problem was discovered during security analysis of a real-life system. The author is notified simultaneously with this advisory. -- Boldizsar BENCSATH Laboratory of Cryptography and Systems Security http://www.crysys.hu/ Budapest University of Technology and Economics Tel: +36 1 463 3422; Fax: +36 1 463 3263;
Powered by blists - more mailing lists