Re: [Full-disclosure] Flog 1.1.2 Remote Admin Password Disclosure
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Flog 1.1.2 Remote Admin Password Disclosure
- From: wac <waldoalvarez00@xxxxxxxxx>
- Date: Sun, 7 Jan 2007 02:59:26 -0500
On 1/5/07, Valdis.Kletnieks@xxxxxx <Valdis.Kletnieks@xxxxxx> wrote:
> On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
> > This isn't a password disclosure, it's a leak of password information.
> >
> > It's a password hash, you super hacker.
> And given the hash, and knowledge of how the hash is computed, it becomes
> possible to dictionary-attack (and other related techniques), and thus
> get the actual passwords, unless there are other things in place to ensure
> that all users have passwords sufficiently strong to resist those
> techniques.
yes that's correct but don't forget that hashes can collide
it could be the case that:
xhash("$Up3$tr0n9 # P@$sWoRD!!") == xhash("1234") and you don't even need
the original strong one ;)
so a strong password is not a countermeasure to that
I believe that is a BIG security hole
Regards
Waldo
> And given that this:
> > http://remote_server/data/users.0.dat
> works, the probability that the hashes represent strong passwords is quite
> close to nil.
> In any *practical* sense, the fact that the attacker can get the hash and
> from that extract/compute at least some passwords means that the passwords
> are *effectively* disclosed, even if the actual bitstring originally retrieved
> isn't the actual password.
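The thread's point is that once a user file like the one above leaks, an unsalted, fast hash lets an attacker test guesses offline at full speed, and identical hashes immediately reveal which users share a password. The following is an added illustration (not code from the thread, and not Flog's own storage format) of the record style that limits that exposure: a per-user random salt and an iterated KDF, so each guess costs the attacker the same work it costs the server, and equal passwords no longer produce equal records. The record layout, the `ITERATIONS`/`SALT_BYTES` values and all function names are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Hypothetical parameters for this illustration; tune iterations to the deployment's latency budget.
ITERATIONS = 200_000
SALT_BYTES = 16


def weak_record(password: str) -> str:
    """Unsalted, single-pass MD5: the kind of record that is cheap to dictionary-attack
    once a file like users.0.dat is exposed, and that reveals shared passwords on sight."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 record in the (assumed) layout
    'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time.
    Malformed records are rejected rather than raising."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def shared_record_groups(store: Dict[str, str]) -> List[List[str]]:
    """Group usernames whose stored records are byte-identical. For unsalted hashes this
    exposes every set of users sharing a password; for salted records it should be empty."""
    by_record: Dict[str, List[str]] = {}
    for user, record in store.items():
        by_record.setdefault(record, []).append(user)
    return [sorted(users) for users in by_record.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample users; "1234" is the weak guess from the thread.
    weak_store = {u: weak_record(p) for u, p in [("alice", "1234"), ("bob", "1234"), ("carol", "x9!Qz")]}
    strong_store = {u: make_record(p) for u, p in [("alice", "1234"), ("bob", "1234"), ("carol", "x9!Qz")]}
    print("shared among unsalted records:", shared_record_groups(weak_store))
    print("shared among salted records:  ", shared_record_groups(strong_store))
    print("verify alice/1234:", verify_record("1234", strong_store["alice"]))
```

The defender's takeaway is the one Valdis makes implicitly: the file should not be reachable at all, and if it ever is, the records in it should be expensive to turn back into passwords.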
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/