Re: Flog 1.1.2 Remote Admin Password Disclosure

[wac <waldoalvarez00 () gmail com>]

On 1/5/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> On Fri, 05 Jan 2007 15:34:49 EST, T Biehn said:
> > This isn't a password disclosure, it's a leak of password information.
> >
> > It's a password hash, you super hacker.
>
> And given the hash, and knowledge of how the hash is computed, it becomes
> possible to dictionary-attack (and other related techniques), and thus
> get the actual passwords, unless there are other things in place to ensure
> that all users have passwords sufficiently strong to resist those
> techniques.


yes that's correct but don't forget that hashes can collide

it could be the case that:

xhash("$Up3$tr0n9 # P@$sWoRD!!") == xhash("1234") and you don't even need
the original strong one ;)

so strong password is not a countermesure to that

I beleive that is a BIG security hole

Regards
Waldo

And given that this:
> > http://remote_server/data/users.0.dat
>
> works, the probability that the hashes represent strong passwords is quite
> close to nil.
>
> In any *practical* sense, the fact that the attacker can get the hash and
> from that extract/compute at least some passwords means that the passwords
> are *effectively* disclosed, even if the actual bitstring originally
> retrieved
> isn't the actual password.
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/