Date: Wed, 6 May 2015 10:39:29 -0400
From: Sliv TaMere <slivtamere@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: PHP and some == wonkiness

The == stuff is just one of the problems of PHP:
http://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/

2015-05-05 13:07 GMT-04:00 Grandma Eubanks <tborland1@...il.com>:

>
> http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html
>
> Your examples are seen often, and the md5 comparison example was exploited
> in SMF as my public exploit shows in the above link.
>
> if (empty($_POST['code']) || substr($realCode, 0, 10) !=
> substr(md5($_POST['code']), 0, 10)) [4]
>         {
>                 // Stop brute force attacks like this.
>                 validatePasswordFlood($_POST['u'], $flood_value, false);
> [5]
>
> There's also other interesting oddities with their juggling system. I
> provide several links to how you can see them, but one of my favorites is:
>
> if ($input < "30") {
>         print("$input < 30\t");
>         print((int)$input);
> }
>
> You can see how this is bypassed under the "Math is Crazy" section and then
> think on how this can be extrapolated.
>
> On Tue, May 5, 2015 at 4:01 AM, mancha <mancha1@...o.com> wrote:
>
> > On Tue, May 05, 2015 at 08:24:42AM +0000, mancha wrote:
> > > On Tue, May 05, 2015 at 09:44:00AM +0200, Florian Weimer wrote:
> > > > On 05/05/2015 09:26 AM, mancha wrote:
> > > >
> > > > > Taking sha1 as our reference hash and "==" as our equivalence
> > > > > relation:
> > > > >
> > > > > All [a-f][0-9a-f]{39} are in equivalence class A.
> > > > >
> > > > > All 42[a-f][0-9a-f]{37} are in equivalence class B.
> > > > >
> > > > > Note: those regexes aren't representative of the full equivalence
> > > > > classes because prepending 0s doesn't alter the value (i.e.
> > > > > 0[a-f][0-9a-f]{38} is in equivalence class "A" as well).
> > > >
> > > > I cannot reproduce this.  Or you use “equivalence class” in a
> > > > non-standard way.
> > > >
> > > > -- Florian Weimer / Red Hat Product Security
> > >
> > > I was using "equivalence class" in a standard way but misunderstood
> > > PHP's casting rules when comparing strings, so never mind that comment.
> > >
> > > To raise the SNR back up, I agree with your assessment if we account
> > > for prepended 0s. So out of the 16^40 total hashes, I believe
> > > 10^38+10^37+...+10^1 of them will evaluate to float(0). A bit higher
> > > than your estimate (which only considered 10^38 of them). Same order
> > > of magnitude though.
> > >
> > > --mancha
> >
> > That has a small off-by-one because 40 0s will be cast to float(0) when
> > compared to those.
> >
> > Also, we have equivalence classes such as:
> >
> > 2e00000000000000000000000000000000000001
> > 02e0000000000000000000000000000000000001
> > ...
> > 0000000000000000000000000000000000002e01
> > 00000000000000000000000000000000000002e1
> > 0000000000000000000000000000000000000020
> >
> > --mancha
> >
>
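The comparison rule the thread is reasoning about, as an added Python model (not PHP's own implementation and not code from any poster): within the hex-digest alphabet a string is "numeric" only when it is all digits, or digits followed by `e` and more digits, and PHP (5.x/7.x/8.x) compares two such strings with `==` as numbers. The digests used are constructed; `zero_class_size` reproduces the thread's count of the float(0) class (10^38 + ... + 10^1, plus the all-zero string), and `safe_equal` is the hardened form (PHP's `hash_equals` behaves the same way).

```python
import hmac
import re

# PHP's numeric-string rule also allows whitespace, a sign, a decimal point
# and an uppercase 'E'; none of those occur in a lowercase hex digest, so
# this model only covers "digits" and "digits e digits" (assumption: inputs
# are drawn from [0-9a-f] only).
_NUMERIC = re.compile(r"[0-9]+(?:e[0-9]+)?")


def php_numeric_value(s):
    """Return the number PHP would compare with, or None if not numeric."""
    if not _NUMERIC.fullmatch(s):
        return None
    # Python's float() accepts the same "123e45" form; 40-digit integers
    # overflow PHP's int as well, so float is the right model here.
    return float(s)


def php_loose_equal(a, b):
    """Model of PHP's string == string: numeric compare if both are numeric."""
    va, vb = php_numeric_value(a), php_numeric_value(b)
    if va is not None and vb is not None:
        return va == vb
    return a == b


def safe_equal(a, b):
    """The fix: constant-time byte-wise comparison, never numeric."""
    return hmac.compare_digest(a.encode(), b.encode())


def zero_class_size(n):
    """Count n-char hex strings that PHP compares as float(0)."""
    # '0' * k + 'e' + (n - k - 1 digits) for k = 1 .. n-2, plus all zeros.
    return sum(10 ** (n - k - 1) for k in range(1, n - 1)) + 1


if __name__ == "__main__":
    # Constructed digest prefixes, like the substr(md5(...), 0, 10) check.
    print(php_loose_equal("0e12345678", "0e87654321"))   # True (broken)
    print(safe_equal("0e12345678", "0e87654321"))        # False (fixed)
    print(zero_class_size(40))
```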
