Spot the Bug! : Spot the Bug

Thursday, January 05, 2006 7:26 PM rsamona

Spot the Bug - Jan 5, 2006

Wow, we had great feedback on the last bug. Someone emailed me and said that the biggest bug was the blue font on the black background. :)

Here is another fun bug -
Courtesy of Neelay Shah, Consultant, Foundstone

class CUserManager
{
public:
void CreateLogin(String * strUserName, String * strPassword);
void AddLoginToDB(String * strUserName, Byte bytePasswordHash[]);
};

int _tmain()
{
CUserManager objUsrMgr;

String * struser = S"newuser";
String * struserpass = S"password";

objUsrMgr.CreateLogin(struser, struserpass);

return 0;
}

void CUserManager::CreateLogin(String * strUserName, String * strPassword)
{
System::Text::ASCIIEncoding *pAscii = new System::Text::ASCIIEncoding();

Byte bytePassword[] = pAscii->GetBytes(strPassword);

SHA1CryptoServiceProvider *pSha1 = new SHA1CryptoServiceProvider();
Byte byteHash[] = pSha1->ComputeHash(bytePassword);

AddLoginToDB(strUserName, byteHash);

return;
}

void CUserManager::AddLoginToDB(String * strUserName, Byte bytePasswordHash [])
{
//Add the user name and the password hash to the database
return;
}

Solution:

void CUserManager::CreateLogin(String * strUserName, String * strPassword)
{
System::Text::ASCIIEncoding *pAscii = new System::Text::ASCIIEncoding();

String * strPrependedSalt = CUserManager::GenerateRandomSalt();
String * strAppendedSalt = CUserManager::GenerateRandomSalt();

//Prepend and apppend a random salt to the clear-text password so that making the dictionary attacks difficult.
String * strPasswordWithSalt = String::Concat(strPrependedSalt, strPassword, strAppendedSalt);

Byte bytePassword[] = pAscii->GetBytes(strPasswordWithSalt);
SHA1CryptoServiceProvider *pSha1 = new SHA1CryptoServiceProvider();
Byte byteHash[] = pSha1->ComputeHash(bytePassword);

//Add the 2 clear-text salts to the hash itself.
String * strHash = String::Concat(strPrependedSalt, pAscii->GetString(byteHash), strAppendedSalt);

AddLoginToDB(strUserName, pAscii->GetBytes(strHash));

return;
}

Description:

The given code snippet creates a new user. It takes care as in not storing the clear text password anywhere but instead stores the SHA1 hash of the users password in the database. However, one way hash functions are deterministic in nature. Given a string, the resultant hash produced by the one way hash algorithm is always the same. Using the hash algorithms alone can expose the application to “dictionary attacks”. Suppose a malicious user of the application gets hold of the user names and the associated password hashes (may be from the log file) the user can find out if there is any user who has the same password as his or if two users have the same password! Another twist to this is, if the one way hash algorithm is well known the attacker can pre-compute the hashes of all the well known passwords offline, and then employ a brute force attack to get access to the application

Filed under: Bug Squashed

Comments

# re: Spot the Bug - Dec 5, 2006

Thursday, January 05, 2006 10:36 PM by LarryOsterman

5 words: Leave Crypto to the Experts.

I surely hope you don't use this as an authentication mechanism (because there is at least one MASSIVE security hole in your "authentication" scheme - look up the word "password equivilant").

Oh, and SHA1 is deprecated because it's been broken (which is probably the but you intended to show).

For more details on how this "authentication" scheme can be cracked, see: http://web.mit.edu/kerberos/www/dialogue.html

# re: Spot the Bug - Dec 5, 2006

Thursday, January 05, 2006 11:21 PM by geoff.appleby

This C++ stuff is too weird for me, but using my VB and C# knowledge, is this it?

CUserManager objUsrMgr;

Shouldn't it be:

CUserManager * objUsrMgr = new CUserManager();

# re: Spot the Bug - Dec 5, 2006

Thursday, January 05, 2006 11:49 PM by lurch

The bug is that you are mapping a unicode string into ASCII encoding. All non-ascii characters will not map, be lost and get turned into the '?' character (see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpref/html/frlrfsystemtextasciiencodingclasstopic.asp for an example).

In this exact example, it will work fine since the password is all ascii anyway. But if you had an "international" password, you'd have a vulnerability. Wouldn't that be great if everybody's password from China was "????????" :)

# re: Spot the Bug - Jan 5, 2006

Friday, January 06, 2006 7:42 AM by Anubhav

1. void AddLoginToDB(String * strUserName, Byte bytePasswordHash[]);
This is unnecessarily a public function. It might as well be private and reduce the ASR (attack surface area) as per Howard's article

2. How does AddLoginToDB know what length of data to access from byteHash since this may not be null terminated? We need to pass the length of the computed hash bytes also to the function.

# re: Spot the Bug - Jan 5, 2006

Friday, January 06, 2006 7:44 AM by Anubhav

Additionally the new'ed memory is not being deleted.

# re: Spot the Bug - Jan 5, 2006

Friday, January 06, 2006 10:45 AM by DaveAronson

Geoff: no, that's not necessary; he could do either "Foo foo; foo.bar();" or "Foo * foo = new Foo(); foo->bar();".

Anubhav: byteHash is not a string but a sequence of bytes, emitted by a hash function. Since the function used is hardcoded (as opposed to, say, using the Strategy pattern), it is of a specific length. Presumably, the stuff called by AddLoginToDB knows how long it's supposed to be. (Fragile and inflexible design IMHO, but not necessarily an outright bug.) You are correct on the lack of freeing and method publicness, but I don't think those are what he's after.

Larry: Hmmm, could be what he's after, but that's more of a design flaw than a bug in the implementation sense. We also don't know what other steps may be involved in his authentication, nor whether what he's protecting is really worth additional steps. Also, did I know you in school? If so, email me from my web site!

All in all, methinks Lurch got it.

# re: Spot the Bug - Jan 5, 2006

Friday, January 06, 2006 1:43 PM by Justin

I am nwe at this, just learning C, but shouldnt this:

class CUserManager
{
public:
void CreateLogin(String * strUserName, String * strPassword);
void AddLoginToDB(String * strUserName, Byte bytePasswordHash[]);
};

look like this
class CUserManager
{
public:
void CreateLogin(String * strUserName, String * strPassword);
void AddLoginToDB(String * strUserName, Byte bytePasswordHash[]);
}

(just removed the trailing sam)

# re: Spot the Bug - Jan 5, 2006

Monday, January 09, 2006 8:30 AM by Roger Butler

From a security perspective, the largest problem here is that all users that have the same password, will have the same hash. This approach lends itself to a dictionary attack and therefore is very weak for authentication. At a minimum, a random salt value should be hashed with the password and each user should have a unique salt value. (A salt value is a sequence of random bytes.) It is recommended that the salt value be at least 8 bytes long for a decent attack mitigation.

# re: Spot the Bug - Jan 5, 2006

Monday, January 09, 2006 8:31 AM by Dan

I always check for NULL when I allocate memory. And as Anubhav pointed out, the "new"ed memory is never "delete"d, so this seems ripe for a DoS attack.

# re: Spot the Bug - Jan 5, 2006

Monday, January 09, 2006 10:27 AM by Michael

i agree with that previous comment:
"From a security perspective, the largest problem here is that all users that have the same password, will have the same hash."

As this is all managed Code there are no problems with "delete" or buffers, but checking and limiting the length of the input strings would be a good idea anyway.

# re: Spot the Bug - Jan 5, 2006

Monday, January 09, 2006 10:44 AM by Rick Scott

I will agree with the sentiment "hash goes better with a bit of salt."

# re: Spot the Bug - Jan 5, 2006

Monday, January 09, 2006 11:54 AM by Chris

Justin:
No. C++ class declarations need a semi-colon after them. Leaving it out results in some weird compiler error messages (in my experience).

Never seen it called a sam before, though.

# re: Spot the Bug - Jan 5, 2006

Monday, January 09, 2006 12:17 PM by steveb

This question, like most of its type, is difficult to answer because we don't have any context. This forces us to speculate about the rest of the application, which noises up the discussion something fierce.

I'd guess that the folks who are talking about the salt are going in the direction the author intended. But that's just a guess.

Anyway, I can't resist junking up the discussion myself... What if the hackers had access to the executable file? Then they could run a simple strings program on the executable to find "newuser" and "password" directly. Or perhaps they even have access to the source, which could make their life even easier.

It seems possible that the intent of this program is to create a default account during the initial setup of the broader application. Default accounts are classic vulnerabilities.

# re: Spot the Bug - Jan 5, 2006

Monday, January 09, 2006 2:06 PM by Mark

I agree with above. We need to know the context of what we are looking at. Quite a few people have commented that the Username/Password is static and that SHA1 is not collision free, but these are implementation problems and not what would classically be defined as "bugs". Obviously this is playing simantics, but I think bug in this scenario is meant as a logical problem with the code itself. The only one I have found was mentioned earlier. The void
AddLoginToDB(String * strUserName, Byte bytePasswordHash[])
function is public so a consumer of this class could add an unencrypted password to the database. Attempts to use that login would fail since apps using this db would encrypt the password when attempting to login.

-Mark

# re: Spot the Bug - Jan 5, 2006

Monday, January 09, 2006 3:46 PM by Ahmed Amer

I think that the functions "CreateLogin, AddLoginToDB" should have a way for telling the success or failure of them i.e(declaring the functions as bool return value).
If the any function fails, the user could not log to his account, but as above his account was assumed created.

# re: Spot the Bug - Jan 5, 2006

Monday, January 09, 2006 4:16 PM by Hiren Patel

Ok this seems too obvious but here it goes anyways.

You are using Managed Types within an unmanaged class. You would either have to
1) make CUserManager __gc class and make objUserMgr a pointer.
OR
2) change the function signatures of CUserManager to only use unmanaged types, not use any managed types in the functions. You will also need to convert the managed strings to unmanaged data in the main function.

# re: Spot the Bug - Jan 5, 2006

Wednesday, January 11, 2006 7:09 AM by James

i agree with lurch. Here it use a ASCII encoding, if the password is Chinese, it won't works well. i guess this is what the author means

# re: Spot the Bug - Jan 5, 2006

Wednesday, January 11, 2006 7:20 AM by Michelle Jackson ( a.k.a. Michael Jackson)

ha ha ha hi hi heeeee

# re: Spot the Bug - Jan 5, 2006

Thursday, January 12, 2006 6:27 AM by Rich

Mark, SHA-1 is still collision free (as much as it can be) but the hash space is lowered now thanks to Wang and others - this is not readily exploitable in this context without a lot of effort though (and time!). SHA-256 would be a better approach though. Increasing the input size and randomness through a random salt for each user would be a good way to go though.

# re: Spot the Bug - Jan 5, 2006

Thursday, January 12, 2006 8:43 AM by KC

There isn't quite enough context so I'll make some assumptions. I'm assuming that _tmain is a test case for the methods CreateLogin and AddLoginToDB, and that those two methods are supposed to handle more than the single hardcoded user name and password. Moreover, I have to assume there is an app that is using the login data.

CreateLogin isn't doing any sort of validation for legal characters. It's vulnerable to a username containing SQL special characters or HTML. This by itself isn't fatal, if the app is 100% perfect in treating data from the database like data, and not getting it mixed up in the control flow. Apps tend not be perfect this way, and so one of the apps using this data is probably vulnerable to SQL Injection or cross-site scripting attacks. In other words, imagine the home page says "Welcome <username>" and neglects to HtlmEncode the username it fetched from the database.

KC

# re: Spot the Bug - Jan 5, 2006

Thursday, January 12, 2006 11:30 AM by Darren

I could create an account with a known password and copy the password hash from my account to another, access the account, copy the old hash back and no one would be the wiser.

I use the account name & password for the hash.. not perfect but much harder to abuse. Unicode should also be considered.

# re: Spot the Bug - Jan 5, 2006

Sunday, January 15, 2006 2:49 AM by cray

well I think that both the methods of the class are of void and still we are using return in both of them

# re: Spot the Bug - Jan 5, 2006

Sunday, January 15, 2006 2:55 AM by cray

i don't think that there is any check being made if the newuser name supplied already exists in the database .

New Comments to this post are disabled

Spot the Bug!

Search

Tags

News

Archives

Spot the Bug - Jan 5, 2006

Comments

# re: Spot the Bug - Dec 5, 2006

# re: Spot the Bug - Dec 5, 2006

# re: Spot the Bug - Dec 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006

# re: Spot the Bug - Jan 5, 2006