Date: Mon, 04 Aug 2014 15:32:13 -0700
From: Ben Reser <ben@...er.org>
To: Tomas Hoger <thoger@...hat.com>
CC: Marcus Meissner <meissner@...e.de>, 
 OSS Security List <oss-security@...ts.openwall.com>
Subject: Re: Re: Possible CVE request: subversion MD5 collision
 authentication leak

On 8/4/14 12:38 PM, Tomas Hoger wrote:
> I believe the attack here is supposed to create a collision against MD5
> sums used as names of files under ~/.subversion/auth/svn.simple/.
> However, as the attacker does not control realm strings for any of the
> trusted repositories, that would require preimage attack.  The lack of
> (publicly) known efficient preimage attacks against MD5 should imply
> such an attack is still only theoretical.

I think your understanding of the current state of MD5 collision attacks is out
of date.  Chosen prefix attacks are possible.  See:
http://www.win.tue.nl/hashclash/ChosenPrefixCollisions/

The MD5 hash is created off the data in the following format:
<$URL> $REALM

An attacker trying to take advantage of this only needs the $URL portion to
match their server.  The $REALM can then be whatever data is required to make
the MD5 hash match the system they are trying to attack.

I know of nobody that has taken the time to generate an MD5 collision to take
advantage of this.  But I'm pretty sure that it could be done.
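
An added example, not part of the original message and not Subversion's own code: it shows why a cache keyed only by the MD5 of `<$URL> $REALM` cannot tell two realm strings with the same digest apart, and one defensive check that compares the full realm string stored in the entry. The `K`/`V` file layout, the field names, the hosts and the `lookup` helper are assumptions made for illustration.

```python
import hashlib

def cache_key(realm):
    # File name under auth/svn.simple/: MD5 hex of the "<$URL> $REALM" string.
    return hashlib.md5(realm.encode("utf-8")).hexdigest()

def serialize(fields):
    # Assumed on-disk layout: "K <len>\n<key>\nV <len>\n<value>\n" ... "END\n".
    out = b""
    for key, val in fields.items():
        k, v = key.encode(), val.encode()
        out += b"K %d\n%s\nV %d\n%s\n" % (len(k), k, len(v), v)
    return out + b"END\n"

def parse(data):
    # Length-prefixed parse, so values may contain newlines or arbitrary bytes.
    fields, pos = {}, 0
    def item(tag):
        nonlocal pos
        eol = data.index(b"\n", pos)
        kind, length = data[pos:eol].split()
        if kind != tag:
            raise ValueError("expected %r record" % tag)
        start = eol + 1
        pos = start + int(length) + 1      # skip value and its trailing newline
        return data[start:start + int(length)].decode("utf-8", "replace")
    while not data.startswith(b"END", pos):
        key = item(b"K")
        fields[key] = item(b"V")
    return fields

def lookup(cache, presented_realm):
    # cache: {file name: file bytes}. Returns (status, fields or None).
    raw = cache.get(cache_key(presented_realm))
    if raw is None:
        return "miss", None
    fields = parse(raw)
    # The digest only selected the file; compare the full realm string too.
    if fields.get("svn:realmstring") != presented_realm:
        return "realm-mismatch", None
    return "hit", fields

# Constructed sample data (hypothetical hosts and realm names).
TRUSTED = "<https://svn.example.org:443> Example Repository"
OTHER = "<https://svn.other.example:443> realm text chosen by that server"
ENTRY = serialize({"svn:realmstring": TRUSTED, "username": "alice"})
# No real collision is computed; filing ENTRY under OTHER's key stands in for one.
CACHE = {cache_key(TRUSTED): ENTRY, cache_key(OTHER): ENTRY}

if __name__ == "__main__":
    print(lookup(CACHE, TRUSTED)[0], lookup(CACHE, OTHER)[0])
```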
