Last modified: 2012-08-25 22:36:53 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T37961, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 35961 - Password hash weakening under special circumstances
Password hash weakening under special circumstances
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
General/Unknown (Other open bugs)
1.20.x
All All
: Normal minor (vote)
: 1.20.0 release
Assigned To: Tim Starling
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-04-13 22:05 UTC by Platonides
Modified: 2012-08-25 22:36 UTC (History)
6 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Fixing commit 76881580cd9c30681aa65b228e0757c0515bbaa5 (1.51 KB, patch)
2012-04-13 22:13 UTC, Platonides 		Details
Add an attachment (proposed patch, testcase, etc.)

Description Platonides 2012-04-13 22:05:40 UTC 
Hash comparison should always be strict.

See http://phpsadness.com/sad/47 or https://bugs.php.net/bug.php?id=54547 for a recent revival.

We have a weak comparison in MediaWiki since the hash salting rework at r35923 (461a770a6fa5b43107d204c1230721751875236b). Goes back to 1.12.2 and 1.13.

This is not as bad as it sounds, as it's still a 2^18 preimage attack, and our salting and double md5 still keeps it strong.

Moreover, only hashes with only numeric characters are affected*, so
that's 10/16 ^ 32 = 0,000000294
* The e is also recognised, but as it has to appear at the end, and makes more digits significant in the later operation, doesn't seem to alter the result significantly.


Proposed summary:
If your salted password end up being completely numeric when represented in hexadecimal
(less than 1 password per 10 millions), it is also possible to login by providing another password that only matches the first 9 bytes (instead of the full 16 ones) if it turns out to also be completely numeric with your assigned salt (which is completely unknown).
The odds of finding an equivalent password with such characteristics, over a double md5 
with an unknown salt, are really low. Even if the attacker broke into the servers and 
robbed the salts, making use of this property would require a preimage attack of a partial md5 (2^18) with the output of another md5 hash, for which a full preimage would still be needed. Breaking the hashes using conventional attacks would be easier, so this is not a critical update.
Comment 1 Platonides 2012-04-13 22:13:00 UTC 
Created attachment 10419 [details]
Fixing commit 76881580cd9c30681aa65b228e0757c0515bbaa5
Comment 2 Antoine "hashar" Musso (WMF) 2012-04-19 09:33:14 UTC 
Gerrit change : https://gerrit.wikimedia.org/r/5204
Comment 3 Antoine "hashar" Musso (WMF) 2012-04-20 06:42:34 UTC 
I do not think it is serious enough to trigger a new maintenance release.
Comment 4 Sam Reed (reedy) 2012-04-20 08:53:55 UTC 
(In reply to comment #3)
> I do not think it is serious enough to trigger a new maintenance release.

It's done, so it might aswell go into the next set of maintenance releases which fix the issues related to the security fixes in the last set of releases
Comment 5 Platonides 2012-04-20 14:46:46 UTC 
> I do not think it is serious enough to trigger a new maintenance release.

No, not by itself. It should be backported to 1.19 and other maintained branches, though.
Comment 6 Antoine "hashar" Musso (WMF) 2012-04-23 09:05:09 UTC 
Backported to release branches with:

REL1_19 : https://gerrit.wikimedia.org/r/5601
REL1_18 :  https://gerrit.wikimedia.org/r/5602
REL1_17 : https://gerrit.wikimedia.org/r/5603
Comment 7 Chris Steipp 2012-04-25 21:41:52 UTC 
So it looks like this has been fixed in all of the maintained branches and this can be closed?
Comment 8 Mark A. Hershberger 2012-04-26 15:17:42 UTC 
(In reply to comment #7)
> So it looks like this has been fixed in all of the maintained branches and this
> can be closed?

closing
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links