Hash collisions vulnerability in web servers

Published: 2011-12-28
Last Updated: 2011-12-28 23:02:14 UTC
by Daniel Wesemann (Version: 2)

A new vulnerability advisory by security firm n-runs [1] describes how hash tables in PHP5, Java, ASP.NET and others can be attacked with deliberate collisions in the hash function, leading to a denial of service (DoS) on the web server in question. Microsoft have already responded with an advisory [2] of their own; other vendors are likely to follow.

Updated 2300 UTC: MSFT published additional information [3] on how to detect and mitigate an attack.

[1] http://www.nruns.com/_downloads/advisory28122011.pdf
[2] http://technet.microsoft.com/en-us/security/advisory/2659883
[3] http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx


8 comment(s)


Does anyone know if the out of band patch just announced: http://technet.microsoft.com/en-us/security/bulletin/ms11-dec is for this issue? As it is priv esc it appears to be different, but I could be (and am hoping I am) wrong.
According to the Twitter entry http://mobile.twitter.com/msftsecresponse/status/152252561213231104 the out-of-band update will be for the issue described in the article above.
Yes, the out of band patch will be for this issue.

See "Advanced Notification for out-of-band release to address Security Advisory 2659883" (http://blogs.technet.com/b/msrc/archive/2011/12/28/advanced-notification-for-out-of-band-release-to-address-security-advisory-2659883.aspx) and "Microsoft releases Security Advisory 2659883, offers workaround for industry-wide issue" (http://blogs.technet.com/b/msrc/archive/2011/12/28/microsoft-releases-security-advisory-2659883-offers-workaround-for-industry-wide-issue.aspx) for more information.
I'm confused. A security bulletin with Elevation of Privilege impact addressing a security advisory with Denial of Service impact? Could the hash collisions cause other security issues for .NET applications than just DoS in ASP.NET?
@ Jonas

See: http://www.ocert.org/advisories/ocert-2011-003.html
OOB webcast today at 13:00 PT, register at https://msevents.microsoft.com/CUI/EventDetail.aspx?culture=en-US&EventID=1032502798

MS11-100 is now live at http://technet.microsoft.com/en-us/security/bulletin/ms11-100

Microsoft planned ahead with 3 digit bulletin numbers, I hope we never get to 999 in a single year :)
Any idea on how MS is addressing the hash collision via patch? Isn't the only way to prevent this by limiting the amount of POST data you can send to a website?
Nick, most probably they have changed the internal hash table implementation to add randomization of the hashing function and reduce "collisions", as Perl and Ruby 1.9 previously did.

The patch is required because some web applications might need to manage big amounts of data in POST requests, or at least, big enough to make the attack feasible.
