
SANS ISC: Hash collisions vulnerability in web servers - SANS Internet Storm Center SANS ISC InfoSec Forums


Hash collisions vulnerability in web servers

 
A new vulnerability advisory by security firm n-runs [1] describes how hash tables in PHP5, Java, ASP.NET and others can be attacked with deliberate collisions in the hash function, leading to a denial of service (DoS) on the web server in question. Microsoft have already responded with an advisory [2] of their own; other vendors are likely to follow.

[1] http://www.nruns.com/_downloads/advisory28122011.pdf
[2] http://technet.microsoft.com/en-us/security/advisory/2659883

Daniel

367 Posts
ISC Handler
Does anyone know if the out of band patch just announced: http://technet.microsoft.com/en-us/security/bulletin/ms11-dec is for this issue? As it is priv esc it appears to be different, but I could be (and am hoping I am) wrong.
Raymond

14 Posts
@Raymond
According to the Twitter entry http://mobile.twitter.com/msftsecresponse/status/152252561213231104 the out-of-band update will be for the issue described in the article above.
Anonymous
Yes, the out of band patch will be for this issue.

See "Advanced Notification for out-of-band release to address Security Advisory 2659883" (http://blogs.technet.com/b/msrc/archive/2011/12/28/advanced-notification-for-out-of-band-release-to-address-security-advisory-2659883.aspx) and "Microsoft releases Security Advisory 2659883, offers workaround for industry-wide issue" (http://blogs.technet.com/b/msrc/archive/2011/12/28/microsoft-releases-security-advisory-2659883-offers-workaround-for-industry-wide-issue.aspx) for more information.
Anonymous
I'm confused. A security bulletin with Elevation of Privilege impact addressing a security advisory with Denial of Service impact? Could the hash collisions cause other security issues for .NET applications than just DoS in ASP.NET?
zeroed

3 Posts
@ Jonas

See: http://www.ocert.org/advisories/ocert-2011-003.html
2011-12-28
Jack

160 Posts
OOB webcast today at 13:00 PT, register at https://msevents.microsoft.com/CUI/EventDetail.aspx?culture=en-US&EventID=1032502798

MS11-100 is now live at http://technet.microsoft.com/en-us/security/bulletin/ms11-100

Microsoft planned ahead with 3 digit bulletin numbers, I hope we never get to 999 in a single year :)
Jack
12 Posts
Any idea on how MS is addressing the Hash collision via patch? Isn't the only way to prevent this by limiting the amount of POST data you can send to a website?
Anonymous
Nick, most probably they have changed the internal hash table implementation to add randomization of the hashing function and reduce "collisions", as Perl and Ruby 1.9 previously did.

The patch is required because some web applications might need to manage big amounts of data in POST requests, or at least, big enough to make the attack feasible.
Raul Siles

152 Posts
