Re: phpBB Security Bugs

From: Lucas Armstrong (lucasat_private)
Date: Fri Feb 21 2003 - 19:40:58 PST

    In-Reply-To: <1045822791.7155.11.camel@fluffy>
    
    Konrad,
    
    This particular SQL Injection technique makes it possible to isolate each 
    hex digit in the md5 hash, and allows you to guess that digit's particular 
    value. Each digit would be guessed in 16 tries or less. Since there are 32 
    digits in an md5 hash, there would be a maximum number of 512 guesses to 
    determine any particular password hash. Again, the key to this exploit is 
    isolating the guess to one digit at a time, then moving on to the next 
    digit, not trying to guess the entire 32 digit string in one fell swoop, 
    which would indeed take an incredible amount of time.
    
    -David
    
    >Received: (qmail 7140 invoked from network); 21 Feb 2003 21:21:16 -0000
    >Received: from outgoing2.securityfocus.com (HELO 
    outgoing.securityfocus.com) (205.206.231.26)
    >  by mail.securityfocus.com with SMTP; 21 Feb 2003 21:21:16 -0000
    >Received: from lists.securityfocus.com (lists.securityfocus.com 
    [205.206.231.19])
    >	by outgoing.securityfocus.com (Postfix) with QMQP
    >	id C92968F312; Fri, 21 Feb 2003 14:08:51 -0700 (MST)
    >Mailing-List: contact bugtraq-helpat_private; run by ezmlm
    >Precedence: bulk
    >List-Id: <bugtraq.list-id.securityfocus.com>
    >List-Post: <mailto:bugtraqat_private>
    >List-Help: <mailto:bugtraq-helpat_private>
    >List-Unsubscribe: <mailto:bugtraq-unsubscribeat_private>
    >List-Subscribe: <mailto:bugtraq-subscribeat_private>
    >Delivered-To: mailing list bugtraqat_private
    >Delivered-To: moderator for bugtraqat_private
    >Received: (qmail 28784 invoked from network); 21 Feb 2003 10:14:48 -0000
    >Subject: Re: phpBB Security Bugs
    >From: Konrad Rieck <krat_private>
    >To: Lucas Armstrong <lucasat_private>
    >In-Reply-To: <20030220203725.17263.qmailat_private>
    >References: <20030220203725.17263.qmailat_private>
    >Content-Type: multipart/signed; micalg=pgp-sha1; 
    protocol="application/pgp-signature"; boundary="=-0ZL8FBpSXa43X82Mh7cZ"
    >Organization: Roqefellaz
    >Message-Id: <1045822791.7155.11.camel@fluffy>
    >Mime-Version: 1.0
    >X-Mailer: Ximian Evolution 1.2.2 
    >Date: 21 Feb 2003 11:19:52 +0100
    >
    >--=-0ZL8FBpSXa43X82Mh7cZ
    >Content-Type: text/plain
    >Content-Transfer-Encoding: quoted-printable
    >
    >Hi Lucas & List,
    >
    >On Thu, 2003-02-20 at 21:37, Lucas Armstrong wrote:
    >> If a correct password hash digit is guessed, the admin's name will show up
    >> as an online user, in the online user list at the bottom of the forum
    >> page. After the password hash is determined, it is then placed in the
    >> cookie and access is granted to the site.
    >
    >I am just wondering... You are talking about guessing a 33-digit
    >hexadecimal number?
    >
    >Even if there are 1.000 admin passwords in the hash-space and you
    >succeed finding one after only searching 10% of space and you are
    >checking about 1.000.000 hashes per second, you won't finish until the
    >sun goes nova (which is rather impractical, especially for CPU-
    >cooling).
    >
    >I believe this is a theoretical attack against phpBB 2.0, but maybe I
    >missed some magic in the way phpBB generates these password hashes;
    >actually I haven't looked at the code.
    >
    >Regards,
    >Konrad
    >
    >-- 
    >Konrad Rieck <krat_private> --------------------------------------------+
    >Roqefellaz, http://www.roqe.org - PGP: http://www.roqe.org/keys/kr.pub |
    >Fingerprint: 5803 E58E D1BF 9A29 AFCA  51B3 A725 EA18 ABA7 A6A3 -------+
    >
    >
    >
    >--=-0ZL8FBpSXa43X82Mh7cZ
    >Content-Type: application/pgp-signature; name=signature.asc
    >Content-Description: This is a digitally signed message part
    >
    >-----BEGIN PGP SIGNATURE-----
    >Version: GnuPG v1.2.1 (SunOS)
    >
    >iD8DBQA+Vf1HpyXqGKunpqMRAh1TAJ48vXc8N2Po090Mg4+bQv/lAH58ggCfXdJy
    >przfiz56MEEYme82SH609mQ=
    >=pl6H
    >-----END PGP SIGNATURE-----
    >
    >--=-0ZL8FBpSXa43X82Mh7cZ--
    >
    >
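The thread turns on two design weaknesses: the cookie value reaches a SQL query as text (so a boolean condition can be appended and the hash read out one hex digit at a time), and the cookie carries the password hash itself (so recovering the hash is enough to log in). The following is an added illustration of the mitigated design, written for this page and not taken from phpBB's code; the table names, the in-memory SQLite database, the `login`/`user_for_cookie` helpers and the sample account are all constructed assumptions. MD5 is used for the stored hash only because that is what the thread discusses; a real deployment would use a slow, salted password hash.

```python
import hashlib
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed stand-in for a forum's user and session tables (not phpBB's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    db.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER)")
    # Constructed sample account; the password is a placeholder, not a real credential.
    db.execute(
        "INSERT INTO users VALUES (1, 'admin', ?)",
        (hashlib.md5(b"constructed-admin-password").hexdigest(),),
    )
    db.commit()
    return db


def login(db, username, password):
    """Verify credentials with a parameterised query and issue a random session token.

    The password hash never leaves the server: the cookie holds an unguessable token
    that is unrelated to the hash, so knowing the hash does not grant a session.
    """
    row = db.execute(
        "SELECT id, password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    computed = hashlib.md5(password.encode()).hexdigest()
    # compare_digest avoids leaking how many leading characters matched via timing.
    if not hmac.compare_digest(row[1], computed):
        return None
    token = secrets.token_hex(32)  # 256 random bits, not derived from the password
    db.execute("INSERT INTO sessions VALUES (?, ?)", (token, row[0]))
    db.commit()
    return token


def user_for_cookie(db, cookie_value):
    """Resolve a session cookie to a user id.

    The `?` placeholder binds the cookie value as data, so quotes, comment markers or
    SQL keywords inside it are compared literally and cannot alter the query. An
    unknown token, malformed or not, simply yields None with no error to observe.
    """
    row = db.execute(
        "SELECT user_id FROM sessions WHERE token = ?", (cookie_value,)
    ).fetchone()
    return row[0] if row else None


def stored_admin_hash(db):
    """Helper for the demonstration: the value an attacker would have recovered."""
    return db.execute(
        "SELECT password_hash FROM users WHERE username = 'admin'"
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    token = login(db, "admin", "constructed-admin-password")
    print("valid session resolves to user", user_for_cookie(db, token))
    print("cookie holding the password hash resolves to", user_for_cookie(db, stored_admin_hash(db)))
    print("cookie containing a quote character resolves to", user_for_cookie(db, "it's' data"))
```

The two checks worth noting are the last two prints: presenting the stored hash as the cookie no longer yields a session, and a cookie value containing SQL metacharacters is treated as an ordinary string rather than as part of the query. Both properties are what remove the per-digit oracle the thread describes.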
    



    This archive was generated by hypermail 2b30 : Sun Feb 23 2003 - 09:21:52 PST