Hash collisions vulnerability in web servers

Published: 2011-12-28. Last Updated: 2011-12-28 23:02:14 UTC
by Daniel Wesemann (Version: 2)
8 comment(s)

 
A new vulnerability advisory by security firm n-runs [1] describes how hash tables in PHP5,Java,ASP.NET and others can be attacked with deliberate collisions in the hash function, leading to a denial of service (DoS) on the web server in question. Microsoft have already responded with an advisory [2] of their own, other vendors are likely to follow.

Updated 2300UTC: MSFT published additional information [3] on how to detect and mitigate an attack.

[1] http://www.nruns.com/_downloads/advisory28122011.pdf
[2] http://technet.microsoft.com/en-us/security/advisory/2659883
[3] http://blogs.technet.com/b/srd/archive/2011/12/27/more-information-about-the-december-2011-asp-net-vulnerability.aspx



 

Keywords: DoS vulnerability webattacks webserver
8 comment(s)

Comments

Does anyone know if the out of band patch just announced: http://technet.microsoft.com/en-us/security/bulletin/ms11-dec is for this issue. As it is priv esc it appears to be different but I could be (and hoping) I am wrong.

Raymond

Dec 29th 2011
1 decade ago

@Raymond
According to the Twitter entry http://mobile.twitter.com/msftsecresponse/status/152252561213231104 the out-of-band update will be for the issue described in the article above.

Ottmar Freudenberger

Dec 29th 2011
1 decade ago

Yes, the out of band patch will be for this issue.

See "Advanced Notification for out-of-band release to address Security Advisory 2659883" (http://blogs.technet.com/b/msrc/archive/2011/12/28/advanced-notification-for-out-of-band-release-to-address-security-advisory-2659883.aspx) and "Microsoft releases Security Advisory 2659883, offers workaround for industry-wide issue" (http://blogs.technet.com/b/msrc/archive/2011/12/28/microsoft-releases-security-advisory-2659883-offers-workaround-for-industry-wide-issue.aspx) for more information.

Tobias

Dec 29th 2011
1 decade ago

I'm confused. A security bulletin with Elevation of Privilege impact adressing a security advisory with Denial of Service impact? Could the hash collisions cause other security issues for .NET applications than just DoS in ASP.NET?

Jonas

Dec 29th 2011
1 decade ago

@ Jonas

See: http://www.ocert.org/advisories/ocert-2011-003.html
2011-12-28
.

PC.Tech

Dec 29th 2011
1 decade ago

OOB webcast today at 13:00 PT, register at https://msevents.microsoft.com/CUI/EventDetail.aspx?culture=en-US&EventID=1032502798

MS11-100 is now live at http://technet.microsoft.com/en-us/security/bulletin/ms11-100

Microsoft planned ahead with 3 digit bulletin numbers, I hope we never get to 999 in a single year :)

baillard

Dec 29th 2011
1 decade ago

Any idea on how MS is addressing the Hash collision via patch? Isnt the only way to prevent this by limiting the amount of POST data you can send to a website.

Nick

Dec 30th 2011
1 decade ago

Nick, most probably they have changed the internal hash table implementation to add randomization of the hashing function and reduce "collisions", as Perl and Ruby 1.9 previously did.

The patch is required because some web applications might require to manage big amounts of data in POST requests, or at least, big enough to make the attack feasible.

Raul Siles

Dec 30th 2011
1 decade ago

Login here to join the discussion.


Top of page
Diary Archives