Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

0

Share

Download to read offline

Hash length extension attacks

Download to read offline

My attempt to explain a fun attack I recently learned about - no claim to anything new here!
Video of presentation at https://www.youtube.com/watch?v=3R_q5XD-RJU.
Thanks go to Soroush @irsdl.

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all
  • Be the first to like this

Hash length extension attacks

  1. 1. Hash Length Extension Attacks Jerome Smith CamSec April 2017
  2. 2. Introduction • An application uses this scheme as an integrity check: hash($secret + $message) // where + denotes concatenation • Whenever the message is potentially subject to interference, the hash is sent alongside • The theory goes that any message tampering will be detected • But this is potentially vulnerable to a “hash length extension attack” • Secret prefix • Attacker knows message and hash • Vulnerable algorithm, e.g. MD5, SHA-1, SHA-256, SHA-512 (not SHA-384) • Thanks to Soroush Dalili @irsdl
  3. 3. What makes a hash vulnerable? • The hash algorithm chews on the input • At the end, the internal state of the hash algorithm is the hash it spits out • We can set the internal state of the hash algorithm to start from this point • We can then feed in more input • We now have a hash for a longer message that starts with the original input • It doesn’t matter if the input began with a secret, we don’t need to know it
  4. 4. Exploitation • Sounds great, doesn’t it? POST /transfer HTTP/1.1 account_from=10203040&account_to=90807060&amount=100&hash=AABBCC112233 // where hash = MD5("SECERET1020304090807060100") • So we set our MD5 state to AABBCC112233, feed in a 0 and get a new hash • This will “validate”: account_from=10203040&account_to=90807060&amount=1000&hash=DDEEFF445566 // where hash = MD5("SECERET10203040908070601000") • Unfortunately it’s not that simple
  5. 5. Deep dive • MD5 is a block-based algorithm • Padding is used to prepare the input before it’s digested • Different algorithms use different schemes • Take a message M • The input that MD5 works on is: M + PADDING + LENGTH_OF_M • This will be some whole number of blocks in length • What does that mean for our attack?
  6. 6. What’s really going on account_from=10203040&account_to=90807060&amount=1000&hash=DDEEFF445566 • We’d like hash = MD5("SECERET10203040908070601000") • When we run our hash length extension attack, the input to the hash is really: "SECERET1020304090807060100" + PADDING + LENGTH + "0" + PADDING + LENGTH • The “message” we have a valid hash for is: "SECERET1020304090807060100" + PADDING + LENGTH + "0" • The app is checking hash($secret + $account_from + $account_to + $amount) • We need to preserve account_from=10203040&account_to=90807060 • So that leaves amount="100" + PADDING + LENGTH + "0" • The first PADDING + LENGTH was originally “metadata”: it’s now part of the data • The crafted input isn’t tolerated in context
  7. 7. Demo • That’s not to say it can never work seller_id=1234&reference=widget&amount=145.20&hash=75b145717ad82cfefdcd74 0683e182f0 // where hash = MD5($secret + $seller_id + $reference + $amount) = MD5($secret + "1234widget145.20") = MD5($secret + "1234widget145.20" + PADDING + LENGTH) • So what about seller_id=1234&reference=widget145.20PADDINGLENGTH&amount=0.99&hash=398e6 d69a7fdf27744bd55cfdfc9fdb4 = MD5($secret + "1234widget145.20" + PADDING + LENGTH + "0.99") • This will work if the app accepts the weird reference value • https://github.com/iagox86/hash_extender ./hash_extender --data 1234widget145.20 --secret-min 8 --secret-max 12 -- append 0.99 --signature 75b145717ad82cfefdcd740683e182f0 --format md5
  8. 8. Final Thoughts • Not always exploitable – but when it is, impact can be high • Tricky to find in a pure black box test • If the hash scheme used a delimiter, the attack would still work • Just makes it harder to find – need to know delimiter as well • But it would stop a simpler attack: seller_id=1234&reference=widget&amount=145.20&hash=75b145717ad82cfefdcd 740683e182f0 seller_id=1234&reference=widget1&amount=45.20&hash=75b145717ad82cfefdcd 740683e182f0 • Secret suffix is vulnerable due to collisions • https://rdist.root.org/2009/10/29/stop-using-unsafe-keyed-hashes-use-hmac/ • We’ve already solved the MAC problem • “Length Extension Attacks” Burp App – not tested
  9. 9. 9 Questions?

My attempt to explain a fun attack I recently learned about - no claim to anything new here! Video of presentation at https://www.youtube.com/watch?v=3R_q5XD-RJU. Thanks go to Soroush @irsdl.

Views

Total views

6,989

On Slideshare

0

From embeds

0

Number of embeds

1,341

Actions

Downloads

41

Shares

0

Comments

0

Likes

0

×