November 27, 2014

Python Happy to put Hash Attack Issues Behind it

(LiveHacking.Com) – The Python development team has released Python 2.7.3 and 3.2.3 to harden Python’s hash-based types against the denial of service attacks disclosed at the Chaos Communication Congress event in December 2011. The flaw is industry-wide and affects many popular web technologies including PHP, ASP.NET, Java and Ruby.

The problem is that languages that implement their dictionaries and sets as hash tables, Python included, are susceptible to collision attacks. A hash table only performs well when its hash function spreads keys evenly across the buckets; if an attacker can choose keys that all hash to the same bucket, every insertion has to walk the chain of all the keys inserted before it, so inserting n colliding keys costs O(n**2) work and a single request can exhaust hours of CPU time, causing a denial of service. Python’s two hash-based types, dict and set, are affected. The fix adds randomization to the hashing of Python’s string types, datetime.date, and datetime.datetime, which prevents an attacker from computing colliding keys of these types without access to the running Python process. Note that in 2.7.3 and 3.2.3 the randomization is off by default: it has to be switched on with the -R command line option or by setting the environment variable PYTHONHASHSEED=random (it became the default in Python 3.3).

According to the release announcement, “hash randomization causes the iteration order of dicts and sets to be unpredictable and differ across Python runs. Python has never guaranteed iteration order of keys in a dict or set, and applications are advised to never rely on it.”

The new versions of Python also update the bundled expat XML parsing library, which had the same hash collision issue; the hashing algorithm used in the expat library is now randomized as well.

The update also fixes some other security related bugs:

  • Issue 14001 / CVE-2012-0845 – A denial of service flaw was found in the way the SimpleXMLRPCServer module processed client connections that were closed before the complete request body had been received. A remote attacker could use this flaw to make a Python SimpleXMLRPCServer-based process consume an excessive amount of CPU.
  • Issue 13885 / CVE-2011-3389 – The _ssl module always disabled OpenSSL’s countermeasure against the CBC IV (BEAST) attack on TLS 1.0 and SSL 3.0; the update stops disabling it.

The team also released Python 2.6.8 and Python 3.1.5 as security-fix source-only releases. 2.6 and 3.1 are now in security maintenance mode only, with no new bug fix releases planned. The Python development team intends to provide source-only security fixes for the Python 2.6 series until October 2013 (five years after the 2.6 final release) and for the Python 3.1 series until June 2014 (five years after the 3.1 final release).

Microsoft Patches More Than Hash Table Collision Problem With .NET Update

(LiveHacking.Com) – Microsoft has released a “Critical” out-of-band update for .NET which fixes an elevation of privilege vulnerability in .NET across all supported versions of Windows. Microsoft’s prime reason for releasing the update was to address the newly disclosed denial-of-service vulnerability affecting a range of web development languages, including Microsoft’s ASP.NET; however, the update also includes fixes that had already been committed to the code base.

Before details of the hash table collision denial-of-service vulnerability were released, Microsoft had already planned a .NET security update addressing three vulnerabilities, one of which was a Critical elevation of privilege vulnerability. When the ASP.NET team received the report of that elevation of privilege vulnerability they fixed and tested it, ready for the next scheduled security update. The out-of-band hash table collision update therefore ships the already committed elevation of privilege fix as well.

The elevation of privilege vulnerability, which was privately reported to Microsoft, is exploited when an unauthenticated attacker sends a specially crafted web request to the target site. If successful, the attacker can take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands. To exploit this vulnerability, however, an attacker must be able to register an account on the ASP.NET site and must know an existing user name. The fix changes the way the .NET Framework handles specially crafted requests, and how the ASP.NET Framework authenticates users and handles cached content.

This security update is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on all supported editions of Microsoft Windows.

Microsoft First to Patch Universal Hash Table Collision Vulnerability with Out-of-band Update

(LiveHacking.Com) – Security researchers have exposed a flaw in the way popular web programming languages (such as PHP, ASP.NET and Python) handle hash table collisions, resulting in huge CPU usage and a subsequent denial of service. The discoveries were announced yesterday (Wednesday) at the Chaos Communication Congress event in Germany. The flaw is industry-wide and affects many popular web technologies including PHP, ASP.NET, Java, Python, Ruby, Apache Tomcat, Apache Geronimo, Jetty, and Glassfish, as well as Google’s open source JavaScript engine V8.

Although hash collision denial-of-service attacks have been discussed since 2003, Alexander Klink and Julian Wälde have now shown that many web platforms store parsed POST form fields in hash tables so that application developers can access them easily. An attacker can therefore send a small number of specially crafted POST requests whose field names all collide, driving CPU utilization up and creating a denial of service condition.

“If the language does not provide a randomized hash function or the application server does not recognize attacks using multi-collisions, an attacker can degenerate the hash table by sending lots of colliding keys. The algorithmic complexity of inserting n elements into the table then goes to O(n**2), making it possible to exhaust hours of CPU time using a single HTTP request” write the pair in their advisory.
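The following is an added illustration of the degenerate-hash-table behaviour described in the advisory quote above and in the Python section earlier on this page; it is example code written for this article, not code from the researchers, from CPython or from any of the affected platforms. It implements a small chained hash table that counts key comparisons, a Java-style multiplicative string hash of the deterministic kind the advisory attacks, and a keyed hash (BLAKE2b with a per-process secret drawn from os.urandom) standing in for a randomized hash function. The collision generator relies on the fact that “Aa” and “BB” hash identically under h = 31*h + c, so any string built from those two-character blocks collides with every other. The block size, bucket count and the use of BLAKE2b are all assumptions made for the example.

```python
import hashlib
import itertools
import os
import sys

# Per-process secret standing in for the random seed a runtime draws at startup.
# Constructed here so the example runs offline; it differs on every run, which is
# exactly what stops an attacker precomputing collisions.
PROCESS_KEY = os.urandom(16)


def weak_hash(s: str) -> int:
    """Multiplicative string hash (h = 31*h + c) truncated to 32 bits.

    This is the shape of deterministic hash the 28C3 advisory attacked: the
    function is public, so colliding keys can be computed offline.
    """
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h


def keyed_hash(s: str, key: bytes = PROCESS_KEY) -> int:
    """Keyed hash standing in for a randomized per-process hash function.

    Keyed BLAKE2b is an illustration only (CPython's fix seeds its own string
    hash); without the key the attacker cannot predict which keys share a bucket.
    """
    digest = hashlib.blake2b(s.encode(), key=key, digest_size=8).digest()
    return int.from_bytes(digest, "big")


def colliding_keys(n_blocks: int):
    """Yield 2**n_blocks distinct strings that all share one weak_hash value.

    'Aa' and 'BB' collide under h = 31*h + c (31*65 + 97 == 31*66 + 66), and the
    hash of a concatenation depends only on the block hashes and their positions,
    so every sequence of n_blocks such blocks collides with every other.
    """
    for combo in itertools.product(("Aa", "BB"), repeat=n_blocks):
        yield "".join(combo)


class ChainedHashTable:
    """Minimal separate-chaining table that counts key comparisons on insert."""

    def __init__(self, hash_fn, nbuckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key: str, value) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1  # one comparison per chain element walked
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def insert_all(hash_fn, keys, nbuckets: int = 1024) -> int:
    """Insert every key into a fresh table and return the total key comparisons."""
    table = ChainedHashTable(hash_fn, nbuckets)
    for k in keys:
        table.insert(k, True)
    return table.comparisons


def distinct_hashes(hash_fn, keys) -> int:
    """Number of distinct hash values the keys map to (1 means a full collision set)."""
    return len({hash_fn(k) for k in keys})


def hash_randomization_enabled() -> bool:
    """Whether this interpreter started with string hash randomization switched on.

    sys.flags.hash_randomization was added in 2.7.3 / 3.2.3, where it is 0 unless
    the process was started with -R or PYTHONHASHSEED=random; it defaults to 1 from 3.3.
    """
    return bool(sys.flags.hash_randomization)


if __name__ == "__main__":
    keys = list(colliding_keys(10))  # 1024 distinct keys made of Aa/BB blocks
    print("distinct weak hashes :", distinct_hashes(weak_hash, keys))
    print("distinct keyed hashes:", distinct_hashes(keyed_hash, keys))
    # Every insert walks the whole chain: n(n-1)/2 comparisons, i.e. O(n**2).
    print("comparisons, weak hash :", insert_all(weak_hash, keys))
    # Keys spread over the buckets, so the comparison count stays near linear.
    print("comparisons, keyed hash:", insert_all(keyed_hash, keys))
    print("hash randomization on in this interpreter:", hash_randomization_enabled())
```

Doubling the number of colliding keys (colliding_keys(11)) roughly quadruples the comparison count under weak_hash, which is the quadratic blow-up the advisory describes; under the keyed hash the same keys land in different buckets and the count barely moves. The hash_randomization_enabled check is the one to run on a 2.7.3 or 3.2.3 deployment, since those releases ship with randomization off.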

Microsoft has been one of the first to respond to this issue, with several announcements including Security Advisory 2659883 and advance notification of an out-of-band security update to address the issue. The release is scheduled for today, December 29, at approximately 10 a.m. PST.

According to Microsoft’s security advisory, this vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 and 110 seconds. The .NET Framework is vulnerable from version 1.0 right through to version 4.0.

Microsoft is rating this out-of-band bulletin as “Critical” and it is likely that it will release updates for:

  • Microsoft .NET Framework 1.0 Service Pack 3 (Media Center Edition 2005 and Tablet PC Edition 2005 only)
  • Microsoft .NET Framework 1.1 Service Pack 1
  • Microsoft .NET Framework 2.0 Service Pack 2
  • Microsoft .NET Framework 3.5 Service Pack 1
  • Microsoft .NET Framework 3.5.1
  • Microsoft .NET Framework 4

These cover Windows XP, Server 2003, Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 on Intel 32-bit, Intel 64-bit and Itanium, where applicable.

The Ruby Security Team has updated Ruby 1.8.7. The Ruby 1.9 series is not affected by this attack. Additional information can be found in the Ruby 1.8.7 patchlevel 357 release notes.

More information regarding this vulnerability can be found in US-CERT Vulnerability Note VU#903934 and n.runs Security Advisory n.runs-SA-2011.004.