Thank you. So who are we? This is zeri, as I mentioned. His real name is Julian Wälde. He's a student at Technische Universität Darmstadt. He's active in the crypto group over there, and he's the theorist in this talk, so he'll do all the crypto, like breaking of stuff that we show you later, and I'll talk more about the practical stuff.

This is Alex, or alech, and, well, he does more of the practical stuff, and as you can see he's a professional. He works at this company. Well, they do penetration testing and stuff. Yeah, he's a really funny guy, and if you give him something that is theoretically broken he starts cranking out practical exploits for it.

Yeah. So, how did we get here? What you can see on this slide here is our local hackerspace, the Trollhöhle, which is part of the Chaos Darmstadt e.V., and that's where we usually meet. One day we were sitting in the kitchen and we were discussing hash tables for some reason. I don't really remember how we got there, but yeah, it happens. You sit in the kitchen, talk about hash tables. And then I remembered that there was something wrong with that. I was a Perl programmer for like three years and remembered that there was something in the perlsec man page. So we went and looked that up. It's in the section called "Algorithmic Complexity Attacks". And that was quite interesting, and that's how we got started, and that's why we looked at all the other languages and saw: did they actually fix something there as well, or, well, maybe they just missed that.

So, typically people do live demos at the end or in the middle of the talk.
We'll start with the live demo, and we'll come back to the live demo later as well.

Okay, what you see here is an htop running on my computer over there. You see our network load on my computer for the local interface, and, well, here I have a Tomcat running, and if I start my exploit code now, what you will see is that there's a slight increase in network traffic for a few moments, and then you will see lots of CPU load for one thread here. Well, that's everything we're going to show you for now. I guarantee that we will come back to this later and not much will have changed.

Yeah, back to our talk. So much for the live demonstration. Presenter, sorry. Okay, hash tables. Yeah, it's like that. Has anybody in the audience seen this code, or code that looks very, very similar, before? Okay, so for the recording, I guess that would be about half, maybe a bit less than that.

Yeah, this is, well, that's Ruby and Python code, and what it does is it creates an associative array called h and inserts a key-value pair, foo as key and bar as value. And then it does a lookup and gets the value bar when it does a lookup for foo. Pretty easy. Who of you knows how this works? Okay, I'd say probably about 10% or so of the audience knows how this works. Then for the rest we will explain.

Okay, welcome to algorithms and data structures. So, a hash table, basically, at least in the real world, normally is an array of lists, and if you want to insert a key-value pair, you take your hash function (we will talk about that later), hash your key, so you get an index in your array, and then you go there and, well, you insert your key-value pair there. What sometimes happens is that you hash your key and you get an index in your array that has already been taken. Like here, you hash the cmd and you get the same hash value as for login. And in that case you search this list, and if you don't find it you append it at the end.
It's pretty easy, and, well, those hash tables are pretty neat data structures. Everybody likes them. Everybody uses them. They have this cool property that for the average case you have constant complexity for everything. Nothing takes more than one hash evaluation and one lookup in your array. And if you insert or look up or delete n elements, you only get linear penalty for that. That's pretty good. Yeah, they're really, really, really fast. Everybody uses them.

So, well, this was the best and average case. And, well, there's this worst-case scenario in which all keys hash to the same value. Maybe an attacker has chosen them like that, or something like that. In that case you get a linear complexity for inserting, or quadratic for n elements. And, well, what happens then is you go through your bucket, you search those lists, and you always have to search to the end, because you will never find the key, because it's always a different key that just hashes to the same value. And yeah, that's pretty bad. We found out this tends to be pretty bad.

Yeah, so one thing about complexity is that people always talk: well, this is in XP or NP, or, well, this is n squared. What does n squared mean if you have two hundred thousand colliding strings?
You get like two MB, which is sort of what we just fired at our Tomcat here. And if you have to do quadratic operations for that, that means you have to do 40 billion string comparisons. That takes some time. Even if you do it in one cycle on a one gigahertz machine, it still needs like 40 seconds.

Okay, it's the second part of our live demonstration. We'll just return over here, and as you can see, as promised, nothing has changed, except for some CPU time. So we're format into the talk now, I guess.

Yeah, of course, sorry. As already mentioned, to do so you need hash functions. I guess probably some people have already heard what a hash function is, so we start with a bit of a definition there. And we will make it by show of hands. So who thinks collision resistance is part of the definition of a hash function? Please raise your hand now. A few people do think so, maybe 20 or so. But yeah, that's not the case. Actually, collision resistance is not part of the definition of a hash function. Who thinks one-wayness is part of the definition? No one, apparently. So who thinks fixed output length? Okay, so fixed output length is the only thing that is part of the definition of a hash function. All the other stuff you might have heard before, that's when we talk about a cryptographic hash function. But those are not the ones that are used for string hashing.

So who in the room knows this guy? Show of hands, please. Well, a few people, maybe like 10, 15, 20. Well, if you don't know him, that's DJB, Dan Bernstein. That's actually a photo I took last year at last year's Congress of him, when he was here under the talk. If by now you don't know the name, well, look him up. He does pretty cool stuff. He's a researcher, a professor, but he also does cool code as well, and the reason he's on the slide is because he also does hash functions. For example this one. This is DJBX33A. That's one of the hash functions DJB did quite a while ago, and it's a hash function
some people actually do use.

So where does the name come from? The X is for times, so that's times 33, and the A stands for add. So the only interesting thing that we have here is the start value, which is 5381, for I don't know what reason. And what else we have here is the plus asset, so we add this here, the character. So we iterate over our characters and we add the character, always. This is going to be important because there's another version later which has a bit of a difference there. And that's just a neat way to say this is hash times 33. So it's actually a pretty simple function, but it works quite well for string hashing, and that's why people use it.

Or people use similar stuff. For example, Java. That's the Java string hash function. Oh, no, no, no, no, no, that's not the Java string hash function. This is the Java string hash function. So the red part is the difference. Basically the only thing that changed here is that here is a zero, and it's not times 33, it's times 31, but basically the same structure there.

So let's say we want to find multiple collisions for this hash function. You already know why we want to do that. What do we do?
Well, these kinds of functions have a nice property, and the property is that they have what we call equivalent substrings. So you can write the hash function like this, just as a sum over a product here. And we made a small example there, and you can see, for example, that the hash of Ey, so capital E, lowercase y, and the hash of FZ, for both capital F and capital Z, are the same. I mean, you can find that out either algebraically, because you can see from the structure here that this must be the case, because this is just 31 less. Or, I mean, if you're lazy, you can also just iterate over all two-character strings and see which ones have a collision. I mean, that's cheap, you can do that.

And once you've figured that out, you see that in the end, if you append a character, so say you have this here, Eya, what happens in the structure is that basically you have here the hash function of Ey, so the 2260 we got here, and, well, this is just the last character. That's just the a, the 97. So you can notice that you can replace this here by the hash of FZ. So what you have here is that the hash of Eya is the same as the hash of FZa. And basically that works for arbitrary strings, so you can just append stuff there and, well, you get the same hash there. And you can also prepend, of course, so you can do that at the beginning.

And that leads to something like this. What you can do then is, well, you can then see that the hash of EzEz is the hash of EzFY and the hash of FYEz and FYFY. Well, and you might notice that this is something like binary counting. So you just count from 0 to 4 here in a binary way, and you just have the corresponding strings that are collisions in the two-character thing. Well, you can also do that in ternary, if you have like three collisions for two-character strings, so these collide as well. Then of course you can also do ternary counting, and that already gives you like nine collisions there. So basically, I mean, that was a fixed
size. So we restricted that to like two characters here, or two digits, I'd say. But of course you can do that for an arbitrary number of digits. So for example, if you want to generate three to the n collisions, this is just how you can do that. I mean, that's just some Ruby code. But basically what you do is you generate all strings that look like this, so all of 0 0 0 0 to 2 2 2 2 2 2 of length n, and then you just replace the characters 0, 1 and 2 by the corresponding collisions. So with that you can easily generate three to the n collisions, and that's one way of breaking those kinds of hash functions.

Okay, I've heard about this neat trick we call equivalent substrings. It works for a certain class of hash functions that have this property, but it does not work for any hash function. And, well, we said before that hash functions have a fixed output length, and what does this mean? Normally you have this 32-bit integer as output length and internal state and everything else.

Do you remember this guy? We're just checking here. You do. He also did other hash functions that can be useful for string hashing. This is DJBX33X. It's basically the same, except for one thing: instead of adding the next byte of the key, the next byte of the key is XORed into the state, and that changes a lot. You cannot do equivalent substrings anymore, and, well, this, I don't know, it's no fun anymore. We cannot create fast multicollisions.
We can still do brute force. 32-bit brute force takes you a few minutes, and then you have one hit for some value, and then you just do that again and again and again, and you get enough multicollisions to do your attack again, which we will talk about later, how it works.

Okay, we will try some different way to break this. So if you do brute force on one target value, or one state value, one intermediate, you need on average about two to the 31 attempts to get there. If you have two, you are twice as fast, because it's twice as likely that you hit something. If you do this again, you're twice as likely to hit something, and if you do it with two to the n, well, you end up with two to the 31 minus n attempts till you have one hit.

So we will turn this into a generic attack on hash functions like that. First thing we do: we assume that we have some way to compute backwards from one target value to an intermediate state. And then we start filling a lookup table (we could use a hash table here), we start filling this with intermediate state values and suffixes of strings we could hash. So we have a table of: if I get to this value, this is the suffix I use to get to my target value, for example 0. And then, to find preimages to my target value, I just take random strings, hash them to an intermediate value, and if I have a hit in my lookup table, then I append my random string and my prefix from the lookup table and I get my, yeah, I get my string that hashes to my target value. And that is really, really, really fast, at least for the case of 32-bit integers.

It could look like this. In the middle is supposed to be our lookup table, and we have our target value here.
It's extremely funny, because we always had two values there that are the same. But yeah, I hope you get the idea.

So this is the hash function again that we need to compute backwards, from one end to an intermediate value. And, well, we have to invert two operations here. We have a multiplication with 33 and we have an XOR, and we need just a little tiny bit of math to get there. It's not much, we promise.

Okay, the first thing is how to invert XOR. It's pretty easy: you do it again. Yeah, every element is an inverse to itself. If you do this with multiplication, it's not that easy. What actually is written on the slides is not true, but if you do it with overflow arithmetic and 32-bit integers, it becomes true. For every odd number you can get another odd number so that, if you multiply them, you get to one, at least with 32-bit integers. Yeah, and you can use the extended Euclidean algorithm to compute those numbers very efficiently. If you don't want to, you can use brute force. You just have to do it once. So we end up with this function that computes backwards. So does it work? Yes. We take our end and then we do all the steps backwards. We take the last byte first and stuff. It's pretty easy.

Yeah. Your turn.

Yes. So that was more of the theoretical part here. Now we're going to talk about how we can actually use that to attack web application platforms. So this is a nice slide showing a bit of the application world, the landscape at the moment. It's actually from the W3Techs website, which does some kind of heuristics on the Alexa top 1 million sites and tries to figure out what kind of technologies they're using. And, well, there's, yeah, all kinds of technologies, and PHP, ASP.NET and, say, Java are the most prominent ones. And they're colored in red here for some reason, which we'll see later. But just to check: who in this room runs, or is involved in running, a website based on one of the technologies which is colored in red here?
Please raise your hand. I'd say maybe a bit less than half as well. So just to check: who is involved in running one of those websites with the red technology with, say, more than 100,000 hits per day or so? Well, a few people, maybe like 10 or so, 15. So, yeah, you might want to talk to your sort about that, or, well, if you are the sort, then you might want to listen carefully now.

So, start from the top. Well, no, actually, just looking at what the general case is. So you have some kind of form, typically, on some kind of website. If it's any kind of dynamic website, you have a form where people can input data. And sometimes that's a POST request, and the question is: how does the POST data end up in the web application? Or, as a web application programmer, what are you going to do, and how are you going to access that POST data? And I put some different ways to do that for the different platforms in there. The first one is PHP, the second is Java, or servlets to be exact, and the last one is actually ASP.NET.

But one thing to notice is that the structure that you have there for the POST data, so like the $_POST in PHP, or the request thing in Java, or the Request.Form thing in ASP.NET, that's always a hash table. And, well, as an application programmer you don't need to do anything for that to be a hash table. You get it from the platform. So even if you don't use it, sometimes it is populated by the platform itself, by the language or the application server. So that's nice from an application programmer's point of view, because you don't have to do anything. You don't have to parse the request yourself. It's just already there in a nice hash table for you. But, well, it's a hash table. So as an attacker you can also put stuff in there, lots of stuff.

So, starting from the top: PHP. PHP, well, comes in two different versions.
I guess hopefully most of the people use PHP 5 by now. Well, I mean, I'm not hoping people use PHP at all, but, well, if they do, then hopefully they use PHP 5. PHP 5 actually uses the DJBX33A function, which you've seen before. So that is in use there, and it's used on 32-bit integers. So that can be broken using the equivalent substring attack we already presented. If you're using PHP 4, then, well, that's DJBX33X, and it might be on 32 or 64 bits of output, depending on the platform you're on. So you can break that using the meet-in-the-middle attack that we presented. Well, on 64 bit that's not really efficient, but on 32 bit that works very well.

Well, then there are some parameters that are interesting for this attack. The first one is the post_max_size. So that's the maximum size of a POST request an attacker can send. So if you have a form, an attacker can put in eight megabytes of form data in there. And that's typically unchanged, unless you run some kind of upload stuff; then you might have even increased that.

The next thing we have here is the max_input_time, which is a configuration parameter that limits the time for request parsing, which is actually a good thing, that there is some kind of thing like this. You'll see later platforms where there isn't. But it's set to minus one normally, which, well, tends to mean unlimited from the documentation, but as we found out, that's not really true. If you set it to minus one, it's actually limited by the max_execution_time parameter, so that is mostly set to 30 seconds. Or sometimes the distributions change that, so if you run a Debian-based distribution, or I think it was a FreeBSD where we tested it, the max_input_time is actually changed from the PHP default and set to 60 seconds, so that limits the attacker to 60 seconds of CPU time usage for each request.

Theoretically, if you really have a max_input_time of minus one and then a max_execution_time of minus one as well, if you send a PHP application
eight megabytes of POST data (so basically any PHP application, because even though you don't use the POST stuff, even though you don't even want to accept POST, every PHP page accepts POST, so if you have a hello world PHP page, that's gonna be vulnerable), and if you send it eight megabytes of POST data, it's gonna take like six hours and something of CPU time. That's the theoretical case, because, well, typically people don't set their max_input_time and their max_execution_time to unlimited. That would be pretty stupid. Realistically, well, you can then just send like 500k of POST data and it gives you a minute of CPU time on a modern CPU. Or you send it 300k and then you get 30 seconds, depending on how your configuration is. You can actually figure out how the configuration is, because the server then throws, I think, a 500 Internal Server Error if you go over this limit.

So what does that mean in terms of efficiency? For the different platforms, we always tell you what the efficiency thing is and the effectiveness thing. So we've got this nice stamp on the left side, which, well, is an advertisement for ISDN. Some people might still remember the times when we had ISDN. ISDN was like 64 kbits; if you had two lines, that was 128 kbits. So if you have one ISDN line, or if you actually have like a bundled ISDN line, well, then you can keep one i7 core, like the laptop standing there, a pretty modern laptop, you can keep that busy all the time if you have one ISDN line. So on the other hand, that means if you have like a gigabit, which, well, there are sockets here somewhere, maybe I'm on stage, well, then of course you can keep a lot more CPUs busy. Well, that would be 10,000, so that's the little picture.
They're actually 10,000 dots. They don't need to be on like one machine, because I think you can't really find a machine that has 10,000 cores. But of course you can kind of distribute that over more machines if you like. Yeah, so that's, well, for the effectiveness then.

So what's the state on PHP? Actually, I mean, we're responsible guys. We've disclosed that stuff. It's not like it's a total zero-day here. We disclosed that to oCERT, which is the open source CERT, and they notified PHP on November 1st. Then we didn't get an answer from anybody, which is kind of bad. And we asked for an update like three weeks after that. And that's what the guy said: well, we are looking into it, and, well, changing the hash function is the trivial change and it will take us some time. Okay, I mean, yeah, more communication would have been nice, but that's the way it is.

So actually then on December 15th, so like maybe one and a half weeks ago, two by now, I think, this appeared in the Subversion repository of PHP. So they actually put in the log, well, they added a max_input_vars directive to prevent attacks based on hash collisions. Which is kind of a workaround, so they didn't change the hash function, but they are limiting the number of parameters, which, well, works for some stuff. It doesn't work for other stuff. We'll show you later a bit. But we weren't very happy that they, well, for one, didn't tell us that they were doing this, which is not very nice. And then, well, they were putting that into their public SVN. So I mean, if you read that on December 15th, you might have figured out what the thing here is and that there is a real problem. So, well, yeah, not really that happy.
That's in their SVN, as I said, and that's in their latest 5.4.0, I think it's the RC4 release. So it's a release candidate for the upcoming 5.4.0. And I think they're going to change that for 5.3 as well. But we don't have any release date from them, because, well, they're not really good at communicating with us. So that's the state there.

So what else is there? As mentioned, the next big contender on this market, for some reason, is ASP.NET, which is like a Microsoft product. That took us some more time to actually figure out what is going on there. So what you get as the application programmer is the Request.Form thing, which is a NameValueCollection object. And for some reason that doesn't use the normal hash table hash function that is used in .NET, which is kind of interesting, breakable as well, but not using the techniques we have shown before. But it uses the CaseInsensitiveHashCodeProvider.GetHashCode method. I really like those long names.

And funny enough, well, this is the stuff on the right, which we just put there. It's a screenshot from IDA. So we put that there to convince you that we are really good reversers. Well, actually we are not, but yeah, still I can recognize that this is DJBX33X. So what you can see here is, well, this is the start value, the 5381 that we saw before. Well, that's the multiplication by 33. And below that, that's actually the XOR of the current character. So, well, we could figure that out, and that works on the uppercase thing, because that, for some reason, as mentioned by the name, is case insensitive. So first you do the uppercase variant of the string and then you put it into DJBX33X.

If you have like a development server, which you can get for free from Microsoft, you can try that out. Then you can send it four megabytes of POST data, which seems to be the limit there, and then you get, well, just short of 11 hours of CPU time. So we did that actually again in the Trollhöhle, and we were sitting there and the
CPU spiked. We saw the 100% CPU, that's nice, and it was like, how long is this gonna last? And then like an hour later it was still running. We were like, hmm, that is nice.

But luckily, there's also a CPU time limit. So if you run this on IIS, which I think is the typical configuration, because it's a Windows technology anyways, then IIS limits you to 90 seconds of CPU time.

So what does that mean in terms of efficiency? Well, there are those things on the left. That was even before ISDN, and that's what we called modems back in the days. Maybe some people still remember, maybe some don't, I guess, in the audience. Yeah, so they were like the 33.6 kbit modems or so. So if you have one of them, well, you can keep one of those Core 2 cores busy. And on the other end, well, if you're at the Congress and if you have gigabit, then basically you can keep like 30,000 Core 2 cores busy. So I was trying to make a different picture on the right side with the little dots, but then, yeah, that gets really crowded.
So just imagine the one dot here is the CPU cores. That's gonna change later as well for the different platforms.

So, well, disclosure state. Microsoft sort of drew the short straw there, because, well, that was at the very end of our preparation for this talk when we actually discovered that, because we had to figure out what the hash function was. We were just on the wrong track, trying it out with the hash function which is used in .NET, and that didn't work, and then we figured out that that's actually different. So we only disclosed that on November 29th, and we involved CERT with that, and they did a good job to do that and disclose it to them. That's the MSRC case number, if you want to talk to Microsoft about it. And they actually talked to us quite a bit, so that was way better than, like, PHP for example. So we actually had like a phone conference last Thursday and talked with them about what we are going to say in the talk as well, and had another conference yesterday. So they're working on that and they're taking that very seriously.

So the first thing they are going to be working with is like a workaround patch, pretty similar to the stuff PHP does, so limiting the number of parameters. And then they will be looking into randomizing the hash function, which is the real way to fix that, but today is going to talk about that later as well. And there's going to be an advisory very soon, or actually my boss just told me that it should be up already. So if you can, try that. There should be an advisory from MSRC about that, where they tell you about what you can do in terms of avoiding being hit very hard. But yeah, there's not that much that you can do. You can of course reduce the CPU time, for example, but basically that's the most important thing you can do there.

So what else? Yeah, Java. We've already seen the String.hashCode function. That is very similar to the DJBX33A, so it can be broken using the equivalent substrings.
That was actually the example I showed you earlier. And alternatively, of course, you can also do a meet-in-the-middle attack there. So you can get some more collisions, because of course, if you do the equivalent substring stuff, that already has quite a lot of structure in the string. So if you do it more randomly, you get more strings for the same size.

And one special thing that is quite interesting for Java is that they actually cache the result of the hash. So if you have a String object, there's a hash attribute, and if you hash it, well, that gets changed from zero to the hash value. And, well, but that only happens if the hash is unequal to zero. So if the hash ends up being zero, so if we as an attacker choose to target zero, then you have to rehash all the time. That's actually a thing that, well, other people do as well, so they cache that stuff, but then they change the hash function never to be zero. Well, Java doesn't do that for some reason. Tough luck.

So in Java, it's a bit different in the application developer world. You have all kinds of different platforms there. It's not like you have the one language and you use that and that is going to do the request parsing for you, but it's actually done in the Java web application servers. So there are all kinds of different web application servers, some open source, some not. We looked at some of the open source servers, so, well, Tomcat, Geronimo, Jetty, GlassFish. And all of them either use the Hashtable type in Java or the HashMap type to store that POST data. And they typically have a limit of 2 MB, Jetty being the exception here, which has like 200 K, which is way better.

So if you have like a Tomcat running and you throw two megabytes of POST data at it, then, well, that's 44 minutes of your CPU time gone. And that's gonna mean, if you have a Tomcat: there's another of those modem things.
So that's an internal one. And so you had like a 9.6 k modem as well, before the time where we had 33.6 k modems, and if you have like 6 kbits, then you can keep one i7 core busy. Or of course, well, you might as well keep a lot more CPU cores busy if you have a gigabit. Yeah, so much for Java.

The disclosure state: well, we disclosed that via oCERT as well, same, November 1st. Tomcat actually has a workaround in their Subversion repository. So they actually published releases for that as well. So that's in the latest releases, for 7.0.23, I think, and 6.0.35 and 5.5.35. But I'm not sure if the last one is released already. But they actually worked on that, and they have the same workaround, like limiting the number of parameters.

As for GlassFish, Oracle took our advice and said, okay, they're gonna fix that in a future CPU, so a critical patch update, and that's just like the ticket number. That's good from the Oracle side. What's not so good is that they said, well, as for Java itself, it doesn't seem like there's anything that would require a change in the Java HashMap implementation. We politely disagree.

Yeah, what else is there? Python. Python actually has a hash function that is very similar to DJBX33X, but it works on register size. So it's different if you have a 32-bit Python implementation or a 64-bit implementation. And, well, again, because it's DJBX33X basically, it can be broken using a meet-in-the-middle attack. But you only get reasonably sized attack strings for 32-bit platforms. And of course, well, in Python there are different platforms for doing web stuff as well. Plone is, I guess, the most popular of those, and Plone has a maximum POST size of one megabyte. So you get like seven minutes of CPU usage for like a one megabyte request. So, well, you need like 20 kbits to keep one Core 2 core busy. So we tested on different machines.
That's why they're always different cores. But yeah, it's only a matter of a factor as well. So yeah, again, you could keep like 50,000 cores busy if you have gigabit. Well, if it's a 32-bit machine. So hopefully lots of people are on 64 there. It's going to be a lot less efficient using this attack.

So, same disclosure state. It's a bit sorry, the disclosure state for most of the stuff. Yeah, so we disclosed it via oCERT, and then three weeks later we're like, well, did you get our message? And they were like, well, this message got held in our moderation queue, sorry for that, and, well, we have Thanksgiving at the moment, so it might take a few days until we get back to you. And we're like, yeah, sure. I mean, that's reasonable. I mean, Thanksgiving is a big holiday in the US, so I guess it's fine. And luckily they never got back to either us or oCERT. So yeah, that's that for Python. And we disclosed that to the Plone guys as well, and they got back to us as well, I think, and, well, yeah, but no fixes there, unluckily.

Ruby. In Ruby, actually, if you're using CRuby 1.9, you're fine. That's a good thing, because they already fixed that back in 2008. Perl actually fixed that back in 2003, I think, and for the same reason they realized, well, we should maybe fix that. But for some reason they only fixed it in CRuby 1.9. If you're using CRuby 1.8, which apparently quite a lot of people still do (I was very surprised to hear the figures from the Ruby people on the major platforms there.
It's about half or so. Then there's a hash function which is very similar to DJBX33A. Well, you could actually break that with the equivalent substring attack, but they have a different multiplication constant, which makes the small equivalent substrings not so small. So I think you don't have any, like, two-character colliding strings, so you have to increase those, and that makes it much less efficient. But of course you can break that using the meet-in-the-middle attack again, and then you get more efficient stuff.

So, on JRuby and Rubinius: JRuby actually uses the CRuby 1.8 functions as well, both for the 1.8 implementation and the 1.9 implementation. And Rubinius uses something completely different, which is just another Ruby implementation. And typically, for the different platforms on Ruby, like if you're using Ruby on Rails or, let's say, Passenger or something like this, then the maximum POST size is two megabytes. So that gives you about six hours of CPU time.

So who of you guys still remembers the thing on the left? Show of hands, please. Ah, quite a few, quite a few. So that was an acoustic coupler. That thing on the left actually gave us like 1200 baud back in the day. Well, no, not really, I never had one, but I have started with a modem, but similar speed there as well. So if you have like 720 bits per second, you can keep one i7 core busy. So if you have one of those things and you can hook it up to your computer somehow, it's probably gonna be hard, but then you can keep that one i7 core busy. Well, of course, if you have gigabit, then that's gonna be a lot, and yeah, you can keep like a million CPU cores busy. Yeah, which is gonna be fun. So if I wanted to actually change that picture, well, the resolution is the limiting factor there as well. So there would be no space between the dots.
So that, yeah, again, then that's one of the CPU cores per dot.

Ruby: we're much happier with the disclosure state there. So we disclosed that again on November 1st, and the Ruby security team was very, very helpful. So that was really a good thing that we had going there. They were helpful, and we discussed what they're going to change, and they actually randomized their hash function, which is the only real way to change that. So there are new versions, or there are supposed to be new versions. JRuby released something, I think, last night. CRuby should be following any minute now. So there they have the patch ready, and, well, yesterday was the end of the embargo date, so they should be releasing very soon. And as I said, there they randomized the hash function, which is the way to change that, and there's also a new version of the Rack middleware, which is the thing that parses the POST request for most of the platforms, and there they limit the number of parameters as well, which is nice. So it's like a defense-in-depth kind of thing. If you update your Rack, update your Ruby, you're gonna be fine.

So what else? In the, like, less than 0.1 percent column on the first slide in this section, there was like V8, or JavaScript in general. So V8 is the JavaScript implementation that is used by Node.js. It's done by Google. It has, well, a bit of a different hash function there. It looks quite different than most of the other stuff. But again, it's vulnerable to a meet-in-the-middle attack. And then again, on Node.js, there's like the querystring module, which you can use to parse a POST request. And then there are lots of platforms on top of Node.js.
So we didn't look in that direction because, well, Node.js doesn't actually limit the size, so there are no efficiency slides there as well. As for the disclosure, we already disclosed that on October 18th, quite a while back. But I also again got an automated reply back from the Google security team, and then, well, nothing for a while. So I probably contacted one of the Google security team guys I know, and he forwarded the ticket to the Chrome and V8 developers. But apparently they somewhat have a client-side view on the V8 world. So of course, it's not boring if you have a client-side DoS on JavaScript in your browser. Well, yeah, that's boring. But of course people use that for other stuff as well, not that many, but apparently it's a hot thing, people talk about Node.js a lot. So that's why we also included it here.

So, so much for the different platforms. Well, if you're a web application security guy, you might have noticed this is actually just a POST request. So there's nothing fancy that you need to do. You don't need to create fancy TCP packets with weird options or so. It's just a simple POST request, and that can actually be generated on the fly if you just have HTML and JavaScript, so you could run this attack on a website. So why is that bad? Well, if you have the next big cross-site scripting attack on like a big social network or so, then, well, you get lots of participants in your distributed denial of service attack. And that attack, of course, is going to be very, very, very effective. So that's going to be bad as well. Of course, if you just click on a link, then you might involuntarily send those requests to someone you don't know. So, yeah, that's the thing here.

Yeah, so that was the web application world, I mean, which was fun because everybody uses web applications, everybody uses the web. But hash tables are everywhere else as well.
So actually, like, if you parse code, people tend to put stuff into a hash table. So if you, like, the Java compiler, well, then you parse code and you put stuff you read from the source into a hash table. And then it might take you a while to compile that code. So say if you have like a continuous integration system, and you just quit your job, and on the last day you commit this huge Java source file into the CVS or SVN or Git or whatever, and it's going to be running overnight, then, well, that might take some time to compile. That's actually pretty nice, because in the web application world there are always limits, like you can only have like two megabytes, but, well, if it's a source file, I mean, it might have been 20 megabytes. What's gonna happen then?

And then, well, there are also hash tables in your shell, at least on some shells. If you, like, use bash for example, there's the syntax to do hashes, and of course, well, as you might have guessed, that hash function is broken as well. So if you actually use that for something, we haven't really found any serious kind of use for that, then, well, you have a problem as well.

Well, the live demo, I think we're gonna skip that for now and hope you believe us from the slides that this is still running. Maybe we can get back after the Q&A and see if it's still running or so.

Well, we also don't just want to tell you how to break things. This is a real problem, and, well, how to fix this? Turns out no attacker can compute collisions for a function he doesn't know, at least I've heard so. And also, it's pretty hard to keep your hash function secret.
I mean, if you're a closed source product like ASP.NET, people figure it out, so yeah. You should pick a hash function at random every time you start your interpreter, your runtime or whatever, or even every time you start a hash table you can pick your hash function at random and use that. And, well, Perl and CRuby 1.9 already did that in the past. So it's not impossible to do this, and yeah, you really should do this. This is the Perl patch that actually enabled the randomization part in Perl. They had everything ready before, they just used a different hash seed after that point.

Yeah, and what can you do if you cannot change the hash function? And we already said, you can limit the size of the POST request in your configuration file. You can almost always do that. You can limit the number of POST parameters, if the target is a web application server and if it's possible to limit that, and you can impose CPU limits. You can also almost always do that, and yeah, you can fix this problem like that.

Well, we only picked on web servers and web applications, and there's different stuff out there. Like the Linux kernel. If you look in the Linux kernel for the word hash table, you get 282 hits, and, well, we haven't looked into what it really means, but maybe there's something funny there.

Well, back to web servers. There's not just these POST requests where you use this ampersand sign to separate arguments. There's also Ajax, and they have some serialization format like JSON for client-side arguments. So if you put your collisions in there, some fixes simply will stop working, and you might get an attack again. You can always think as an attacker: what will be put into a hash table? If I can control this, I have an attack.

Other stuff that you can look at: Erlang, we looked at it. There is a constant hash function, but that's it. Objective-C.
There isn't a constant hash function. They change it rather frequently, but always to another constant hash function. There's Lua, we just looked it up, I think yesterday or the day before yesterday. They also use a constant hash function, and maybe you want to break World of Warcraft or something like that. There's GNU ELF binaries, if you want to break your loader or denial-of-service your operating system, I don't know. And there's Facebook, and Facebook also uses a constant hash function. It's not as easy to find multi-collisions there as it is elsewhere, in other words in other places, but it's possible, I guess. And if there is somebody from the Facebook security team, we would really, really like to talk to them. We haven't reached them yet.

Take-home messages: what should you take home from this talk? If you are a language developer, you really, really, really should fix this ASAP. It's not that hard. Maybe some of your users will complain that test cases break and stuff. But really, randomize your hash function.
It's the only real way to fix this.

If you're an application developer, you use your language and you really hope your language developer fixes it, but they don't. Well, think about what stuff ends up in a hash table that an attacker can actually choose, as you have seen, for example POST parameters, GET; application developers tend to put them into a hash table, and, well, use something that is not a hash table. There are ways, like in Java the TreeMap, to do an associative array that doesn't have this problem.

If you're a penetration tester, you can also think about what input is controlled by an attacker and possibly ends up in a hash table. And it's really easy to identify what hash function is used: if you hash the empty string and you get the initialization vector of one of the DJB hash functions, then you are almost sure that you have a DJB hash function. Then you hash some short strings, and then you know. And, well, at least if you have the interesting you almost... you'll almost ever get the initialization vector of this thing.

And it really helps if you're Anonymous. We've heard that Anonymous is capable of getting lots of participants for their distributed denial of service attacks without XSS, so maybe they want to do something. We don't want to encourage them.

So, yeah, our thank-you slide. Andrea Barisani from oCERT: he really wrote tons of emails with us, really great guy. He also was rather fast on picking up on that and understanding this really is an issue, and he worked really great. Sir after we got them involved also did a great job of informing the not so open source my nose. Well, Perl actually gave us more or less the idea for this, and they were already thinking in 2003, so yeah, hooray for them. Good job. Also, thank you to the people that actually found this in 2003 and made Perl change their hash function. And to the Ruby security team, because they were the only people that really took us seriously. They worked with us.
They sent us patches and said, well, is it okay? And we gave them some feedback, and, well, lots of back and forth, and we ended up with a good solution for this problem. And they are the only ones actually having a fix out yet that will work in the future. Yeah, thank you for your attention.

So, yeah, thank you very much for this interesting talk. As usual, we have now a Q&A session. And there are two mics in each aisle, and the people with questions, please line up behind these mics and then you can ask questions. And maybe I ask a question myself to start: have you seen any real-world applications of this? Do you know any? Any attack this rear that really has been conducted with this technology? Do you know of any attack that has used this bug or this attack method?

Not except for what we tried, but I guess the people in 2003, they also tried stuff out. But I don't know of anything that got publicity that used that.

So I see there's someone with a question, please.

Hello.
Yeah, more a comment like a question. You said this is known since 2003 and only two programming languages fixed it, so maybe there's something wrong in how we handle security issues, if there's something known since 2003 and people seem not to notice that it's also an issue in other programming languages.

Yeah, maybe there is. True, on the one hand. There was like this academic paper, so it's a USENIX Security paper from the guys in 2003. And, well, they were looking at Perl directly, so Perl directly was influenced to change that. But there seems to be not that much interest in looking at that stuff from the other languages. So maybe it makes sense to look at the security patches from the other languages as well if you're a language developer, and see if that would actually influence your language and whether you want to change something in your language. So we were actually surprised as well that, I mean, this was known, and this was very well documented as well in the perlsec man page. So people could have known, but apparently either they didn't know or they didn't care.

Okay, there's another question on this side.

For ASP.NET, since it's case-insensitive, do you need the meet-in-the-middle, or can you just take a long string and change the case?

No, that was the first thing we actually tried as well. So yeah, good idea there. But in the end they end up like the same entry in the hash table as well. So no, you can't just change like the case of the string. That would have been nice, but that's not the case. You actually need the meet-in-the-middle attack there.

Okay, then how many... another question from IRC.

Right.
Yeah, the internets wonder whether there's an unofficial patch for PHP which they could apply to their web service.

None that we prepared. I mean, there is the patch in the SVN, which, well, is not a real solution but a workaround, because it only limits the number of parameters again. If you're then, say, parsing JSON or whatever, that's not gonna be limited, because that's not like the same kind of structure there. But you could work on the 5.4.0 RC4 patch for at least turning off, like, the trivially exploit. Yeah.

Right, and the other thing they wondered is where they can get your t-shirt.

At last year's, well, at this year's camp. I don't know if there are any left.

Okay, there's another question up here.

Yeah, I wondered how much does the limit of PHP, a default limit of 1,000 parameters, actually help? It's a limit close enough to... Yeah, not does the application...

Which limit are you talking about, the CPU limit or...?

No, the maximum parameter limit in PHP which will be introduced in 5.4 or so.

Yeah, that works very well, so they limited to, I think, a thousand parameters. The Tomcat people also had a similar patch, limited to ten thousand, which is still fine. But the thousand is very, very conservative. So that works, but as I said, only against the case where that is actually in your POST data. If you generate a hash table from some kind of other data, like JSON or whatever, then you're gonna have the same problem, because they're not limited.

So are there any other questions from the public in here? Okay. No, but we have some time left. Maybe you can show us the demonstration again, if it's still running. So I would like to thank you very, very much for your talk here and for the vulnerability that you presented. And let's give them again a warm round of applause.