Full Disclosure mailing list archives
Re: Flog 1.1.2 Remote Admin Password Disclosure
From: Valdis.Kletnieks () vt edu
Date: Mon, 08 Jan 2007 10:51:20 -0500
On Sun, 07 Jan 2007 16:08:23 +0100, endrazine said:
>> yes that's correct but don't forget that hashes can collide it could be the case that:
> can ? could ? might ? Do you have any mathematical proof or are you just guessing ?
It's a pretty easy proof actually. If your password input routine allows more different passwords than there are possible hashes, you *will* have collisions. For instance, if you use a 64-bit hash, and reasonable-length passwords, you can create more than 2**64 of them, and 2 *have* to collide.
>> xhash("$Up3$tr0n9 # P@$sWoRD!!") == xhash("1234") and you don't even need the original strong one ;)
> what hashing algorithm is being used ? Is a collision realistic ? How much time would it take to actually break a given hash ?
If you're using anything resembling a sane hash (such as MD5 or similar), what happens is that you basically ignore the hash collisions - because rather than "1234", your colliding password/phrase is probably a 32-byte or so string, which is likely not even enterable at the keyboard (it ends up being A # ctl-b 9 e alt-control-meta-$ etc. etc. - of the 32, likely only 10 or so of the characters are from the 96-char printable ASCII set, and there's a good chance that at least several of the bytes are ones you can't enter from the keyboard at all....)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
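The two points made in the reply above (the pigeonhole argument for why collisions must exist once there are more passwords than hash outputs, and the estimate that a random colliding preimage is mostly unenterable bytes) can be checked numerically. The code below is an added example, not code from the post or from Flog: it assumes a 95-character printable set (0x20..0x7E, the post's "96-char" set minus DEL), uses SHA-256 truncated to n bits as a stand-in for the unspecified xhash(), and all function names are my own. The collision search is there to show how cheap collisions become when a hash is short, which is the risk the thread is discussing.

```python
import hashlib
import random
from typing import Dict, Tuple

PRINTABLE_ASCII = 95   # assumption: characters 0x20..0x7E (the post rounds this to 96)
BYTE_VALUES = 256


def min_length_forcing_collision(alphabet_size: int, hash_bits: int) -> int:
    """Smallest password length L with alphabet_size**L > 2**hash_bits.

    Past that length there are more distinct passwords than hash outputs,
    so the pigeonhole principle guarantees two of them share a hash.
    """
    outputs = 1 << hash_bits
    length = 1
    while alphabet_size ** length <= outputs:
        length += 1
    return length


def expected_printable_bytes(n_bytes: int) -> float:
    """Expected count of printable-ASCII bytes among n uniformly random bytes."""
    return n_bytes * PRINTABLE_ASCII / BYTE_VALUES


def probability_all_printable(n_bytes: int) -> float:
    """Probability that every one of n uniformly random bytes is printable ASCII."""
    return (PRINTABLE_ASCII / BYTE_VALUES) ** n_bytes


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits; stands in for the hypothetical short xhash()."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, seed: int = 1) -> Tuple[bytes, bytes, int]:
    """Birthday search: two distinct 8-char printable passwords with equal truncated hash.

    Returns (password_a, password_b, attempts). Expected attempts ~ 2**(bits/2),
    which is why a short hash cannot protect stored passwords.
    """
    rng = random.Random(seed)          # seeded so the search is reproducible
    seen: Dict[int, bytes] = {}
    attempts = 0
    while True:
        pw = bytes(rng.randrange(0x20, 0x7F) for _ in range(8))
        attempts += 1
        h = truncated_hash(pw, bits)
        if h in seen and seen[h] != pw:
            return seen[h], pw, attempts
        seen[h] = pw


if __name__ == "__main__":
    # Pigeonhole: 10-character printable passwords already outnumber 64-bit hashes.
    print("length forcing collisions for 64-bit hash:", min_length_forcing_collision(95, 64))
    # Random 32-byte preimage: ~12 printable bytes expected, all-printable is ~1e-14.
    print("expected printable bytes in 32:", expected_printable_bytes(32))
    print("P(all 32 printable):", probability_all_printable(32))
    # A 16-bit hash collides after a few hundred random tries.
    a, b, n = find_collision(16)
    print("16-bit collision after", n, "attempts:", a, b)
```

Running the script prints a pigeonhole length of 10 for a 64-bit hash, an expectation of about 11.9 printable bytes in a 32-byte random string, and a 16-bit collision found within a few hundred attempts; raising `bits` toward a real digest width makes `find_collision` infeasible, which is the practical difference between "collisions exist" and "collisions matter".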
Current thread:
- Flog 1.1.2 Remote Admin Password Disclosure corrado.liotta (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure T Biehn (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure Valdis . Kletnieks (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure wac (Jan 07)
- Re: Flog 1.1.2 Remote Admin Password Disclosure endrazine (Jan 07)
- Re: Flog 1.1.2 Remote Admin Password Disclosure Valdis . Kletnieks (Jan 08)
- Re: Flog 1.1.2 Remote Admin Password Disclosure endrazine (Jan 08)
- Re: Flog 1.1.2 Remote Admin Password Disclosure endrazine (Jan 08)
- Message not available
- Fwd: Flog 1.1.2 Remote Admin Password Disclosure T Biehn (Jan 08)
- Re: Flog 1.1.2 Remote Admin Password Disclosure Valdis . Kletnieks (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure T Biehn (Jan 05)
- Re: Flog 1.1.2 Remote Admin Password Disclosure wac (Jan 15)