lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 16 Sep 2014 17:03:19 +0700
From: Pichaya Morimoto <pichaya@...e.org>
To: fulldisclosure@...lists.org, submit@...sec.com
Subject: [FD] Laravel 2.1 Hash::make() bcrypt truncation

######################################################################
#  _     ___  _   _  ____  ____    _  _____
#  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
#  | |  | | | |  \| | |  _| |     / _ \ | |
#  | |__| |_| | |\  | |_| | |___ / ___ \| |
#  |_____\___/|_| \_|\____|\____/_/   \_\_|
#
# Laravel 2.1 Hash::make() bcrypt truncation
# Website : http://laravel.com/
# Author : @u0x (Pichaya Morimoto)
# Release dates : September 16, 2014
#
# Special Thanks to 2600 Thailand group
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################

[+] Laravel
============================================================
Laravel is a free, open source PHP web application framework, designed for
the development of model–view–controller (MVC) web applications. According
to a December 2013 developers survey on PHP frameworks popularity, Laravel
is listed as the most popular PHP framework in 2013. At the same time, as
of August 2014 Laravel is the most popular and watched PHP project on
GitHub.
https://en.wikipedia.org/wiki/Laravel

[+] Description
============================================================
By using Laravel Security mechanism,
http://laravel.com/docs/security#storing-passwords
The passwords will be hashed using Laravel's Hash::make() function.
This function internally call PHP 's password_hash() without checking the
length.

Why do we need to check length? as PHP manual said,
"Using the PASSWORD_BCRYPT for the algo parameter,
will result in the password parameter being truncated
to a maximum length of 72 characters."
http://php.net/manual/en/function.password-hash.php

The problem occurs if users enter password longer than 72 characters
then the password will be truncated to be 72 characters.

This will result in pseudo hash collision.

[+] Proof-of-Concept
============================================================
// user input password
$input = str_repeat('A',72);
// plaintext password
$pass1 =
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.'mysupersecretpassword';
$pass2 =
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.'longcatishere';
// hashed password
$hash1 = Hash::make($pass1);
$hash2 = Hash::make($pass2);
// match?
$status1 = Hash::check($input, $hash1)?'Yes':'No';
$status2 = Hash::check($input, $hash2)?'Yes':'No';

User 1
Desc. Value
$input
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
$pass1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAmysupersecretpassword
Hash::make($pass1)
$2y$10$9oMcpTwHgTzR5ZUMqlnMMOx/P18QZ5e9054lq.pwxw1O9urX3JHHu
Hash::check($input, $hash1) Yes

User 2
Desc. Value
$input
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
$pass2
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlongcatishere
Hash::make($pass2)
$2y$10$W7wwB4nLmFjrenJGmx1uauqhjzikZNZA0qzxH8wkbiSmVatCYrAUm
Hash::check($input, $hash2) Yes

[+] Vulnerable Code
============================================================
/vendor/laravel/framework/src/Illuminate/Hashing/BcryptHasher.php

...
public function make($value, array $options = array())
{
...
$hash = password_hash($value, PASSWORD_BCRYPT, array('cost' => $cost));
...
return $hash;

[+] How to fix this?
============================================================
In Django project, they solved this problem by applying SHA256 before using
bcrypt
"BCryptSHA256PasswordHasher fixes this by first hashing the password using
sha256.
This prevents the password truncation"
https://docs.djangoproject.com/en/dev/topics/auth/passwords/#using-bcrypt-with-django

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ