The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Re[2]: Apache web server 2.2: htpasswd predictable salt weakness


<< Previous INDEX Search src / Print Next >>
Date: Sat, 16 Feb 2008 19:10:03 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU.>
To: Peter Watkins <peterw@usa.net.>
Subject: Re[2]: Apache web server 2.2: htpasswd predictable salt weakness
In-Reply-To: <20080215160710.A30917@gwyn.tux.org.>
References: <20080213215517.A17442@gwyn.tux.org.>
 <1349708474.20080215204408@SECURITY.NNOV.RU.>
 <20080215160710.A30917@gwyn.tux.org.>
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: antivirus-gw at tyumen.ru

Dear Peter Watkins,

PW> I don't know how small the salt universe would need to be before
PW> precomputing dictionaries would be worthwhile (vs. having a botnet on=
ly work
PW> on crypted passwords already captured), but certainly the obviously w=
eak
PW> srand(time(NULL)) code only helps the black hats. And with modern OSe=
s
PW> providing reasonably good entropy sources, there's little reason not =
to
PW> "do it right". It's not the worst mistake I've seen, by far not the m=
ost
PW> dangerous. But it's sloppy of the Apache Group to have ignored it for=
 half
PW> a decade.

It's  quite  easy.  Precomputing  rainbow table for MD5 crypt with known
salt  is somehow equivalent to MD5 crypt bruteforcing, if you don't mind
about required amount of storage. So, predictable salt and narrowed salt
space  will  have  some impact if salt changes in a time comparable with
time required for bruteforcing. Salt changing once in a second is really
good one, because bruteforcing takes much longer.

The  only  situation I can imagine predictability is significant, is you
can  predict with precision of few seconds a time of password generation
in  a password file you will steal next week/month. In this case you can
start to build rainbow table :)



--Saturday, February 16, 2008, 12:07:10 AM, you wrote to 3APA3A@SECURITY.=
NNOV.RU:

PW> On Fri, Feb 15, 2008 at 08:44:08PM +0300, 3APA3A wrote:

>> PW> As a result:
>> PW>  - Salts created by htpasswd are very predictable.=20
>> PW>  - The universe of salts for htpasswd is far less than the MD5 alg=
orithm
>> PW>    provides for -- 29 bits vs. 48, or 0.000191 percent of the rang=
e that
>> PW>    should be used for MD5.
>>=20
>> As  far  as I understand, salt predictability gives nothing to you. Sa=
lt
>> protects  against  rainbow  tables  attacks in case stored passwords a=
re
>> stolen. Salt is stored with password, that is salt is known to attacke=
r.
>> All you need for salt is to be different for different passwords and f=
or
>> different  systems.  That is 175, 176, 177 etc are pretty good salts f=
or
>> sequentially generated passwords in case 175 is apriory unknown.
>>=20
>> Salt universe is more important, but 29 bits against 48 is not somethi=
ng
>> scaring.
>>=20
>> May be I am missing something?

PW> A naive attacker might look at the Apache APR1 MD5 spec and decide no=
t to
PW> bother precomputing tables for 2^48 salts. But with the htpasswd weak=
ness,
PW> fewer than 2^25 salts are used in an entire year; fewer than 2^21 in =
a given
PW> month. I can't imagine anybody wasting a botnet's computing resources=
 now on
PW> building 2^48 attack tables, but the more that number drops, the more=
 sense
PW> it would make for someone controlling thousands of machines to work o=
n an
PW> attack table. Got ten thousand machines? If each one builds tables fo=
r
PW> about 3400 salts, that's a full year covered. Sure is easier than hav=
ing each
PW> host work on 28 billion salts.=20

PW> I don't know how small the salt universe would need to be before=20
PW> precomputing dictionaries would be worthwhile (vs. having a botnet on=
ly work
PW> on crypted passwords already captured), but certainly the obviously w=
eak
PW> srand(time(NULL)) code only helps the black hats. And with modern OSe=
s
PW> providing reasonably good entropy sources, there's little reason not =
to
PW> "do it right". It's not the worst mistake I've seen, by far not the m=
ost
PW> dangerous. But it's sloppy of the Apache Group to have ignored it for=
 half
PW> a decade.

PW> One thing that bothers me about this issue is that many developers le=
arn
PW> from reading others' code, and since the Apache Group is held in such=
 high
PW> esteem by so many, the bad srand() code in htpasswd.c is likely to le=
ad some
PW> programmers astray.=20

PW> This reminds me of the incident last year with Simson Garfinkel getti=
ng all
PW> defensive about an insecure function in some of his source code. Sims=
on didn't
PW> need to fix the code -- as he pointed out, it wasn't actually used in=
 the
PW> final app -- but he didn't bother removing it, either (it's still the=
re
PW> today). Both Simson's behavior then (which I found terribly distastef=
ul --
PW> the demand for a retraction, the smug mocking of the individual who r=
aised the
PW> issue[0]) and the Apache Group's inaction now should serve as reminde=
rs that
PW>  1) everybody makes mistakes=20
PW> and=20
PW>  2) even those with the best reputations sometimes handle mistakes po=
orly

PW> -Peter

PW> [0]
PW> http://www.securityfocus.com/archive/1/archive/1/467181/100/0/threade=
d


--=20
~/ZARAZA http://securityvulns.com/
=C2 =F0=E0=F1=F7=E5=F2=E0=F5 =E1=FB=EB=E0 =EE=F8=E8=E1=EA=E0.  (=CB=E5=EC=
)



<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру