Re: phpBB Security Bugs

[Lucas Armstrong <lucas () cgishield com>]

In-Reply-To: <1045822791.7155.11.camel@fluffy>

Konrad,

This particular SQL Injection technique makes it possible to isolate each 
hex digit in the md5 hash, and allows you to guess that digit's particular 
value. Each digit would be guessed in 16 tries or less. Since there are 32 
digits in an md5 hash, there would be a maximum number of 512 guesses to 
determine any particular password hash. Again, the key to this exploit is 
isolating the guess to one digit at a time, then moving on to the next 
digit, not trying to guess the entire 32 digit string in one fell swoop 
which would indeed take an incredible amount of time.

-David

> Received: (qmail 7140 invoked from network); 21 Feb 2003 21:21:16 -0000
> Received: from outgoing2.securityfocus.com (HELO 
outgoing.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 21 Feb 2003 21:21:16 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com 
[205.206.231.19])
>       by outgoing.securityfocus.com (Postfix) with QMQP
>       id C92968F312; Fri, 21 Feb 2003 14:08:51 -0700 (MST)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 28784 invoked from network); 21 Feb 2003 10:14:48 -0000
> Subject: Re: phpBB Security Bugs
> From: Konrad Rieck <kr () roqe org>
> To: Lucas Armstrong <lucas () cgishield com>
> In-Reply-To: <20030220203725.17263.qmail () www securityfocus com>
> References: <20030220203725.17263.qmail () www securityfocus com>
> Content-Type: multipart/signed; micalg=pgp-sha1; 
protocol="application/pgp-signature"; boundary="=-0ZL8FBpSXa43X82Mh7cZ"
> Organization: Roqefellaz
> Message-Id: <1045822791.7155.11.camel@fluffy>
> Mime-Version: 1.0
> X-Mailer: Ximian Evolution 1.2.2 
> Date: 21 Feb 2003 11:19:52 +0100
>
> --=-0ZL8FBpSXa43X82Mh7cZ
> Content-Type: text/plain
> Content-Transfer-Encoding: quoted-printable
>
> Hi Lucas & List,=20
>
> On Thu, 2003-02-20 at 21:37, Lucas Armstrong wrote:
> > If a correct password hash digit is guessed, the admin's name will show 
u=
> p=20
> > as an online user, in the online user list at the bottom of the forum=20
> > page. After the password hash is determined, it is then placed in the=20
> > cookie and access is granted to the site.
>
> I am just wondering... You are talking about guessing a 33-digit
> hexadecimal number?=20
>
> Even if there are 1.000 admin passwords in the hash-space and you
> succeed finding one after only searching 10% of space and you are
> checking about 1.000.000 hashs per second. You won't finish until the
> sun goes nova (which is rather impractical, especially for CPU-
> cooling).
>
> I believe this is a theoretical attack against phpBB 2.0, but maybe I
> missed some magic in the way phpBB generates these password hashs,
> acutally I haven't looked at the code.
>
> Regards,
> Konrad=20
>
> --=20
> Konrad Rieck <kr () roqe org> --------------------------------------------+
> Roqefellaz, http://www.roqe.org - PGP: http://www.roqe.org/keys/kr.pub |
> Fingerprint: 5803 E58E D1BF 9A29 AFCA  51B3 A725 EA18 ABA7 A6A3 -------+
>
>
>
> --=-0ZL8FBpSXa43X82Mh7cZ
> Content-Type: application/pgp-signature; name=signature.asc
> Content-Description: This is a digitally signed message part
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (SunOS)
>
> iD8DBQA+Vf1HpyXqGKunpqMRAh1TAJ48vXc8N2Po090Mg4+bQv/lAH58ggCfXdJy
> przfiz56MEEYme82SH609mQ=
> =pl6H
> -----END PGP SIGNATURE-----
>
> --=-0ZL8FBpSXa43X82Mh7cZ--