Slashdot Mirror

← Back to Stories (view on slashdot.org)

13-Year-Old Password Security Bug Fixed

Posted by timothy on from the not-13-year-old's dept.

arglebargle_xiv writes "In a sign that many eyes don't really make (security) bugs shallow, a thirteen-year-old password-hashing bug that affects (at least) PHP, some Linux distros (Owl, ALT Linux, SUSE), and a variety of other apps has just been patched. This problem had been present in widely-used code since 1998 without anyone noticing it." Better late than never; reader Trailrunner7 points to this article outlining the dangers of old exploits, given old code for them to toy with.

30 of 130 comments (clear)

  1. At least it was fixed by mangu · · Score: 3, Interesting

    How many bugs are there in commercial software that we don't know?

    What we do know is that there are many exploits for commercial software. The vendors claim that such exploits only exist because that software is more popular, but this does not explain why Apache doesn't have four times more exploits than IIS

    1. Re:At least it was fixed by LordLucless · · Score: 4, Insightful

      Uh-huh. Because "In a sign that many eyes don't really make (security) bugs shallow" is such an unbiased opening for the story.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    2. Re:At least it was fixed by Anonymous Coward · · Score: 4, Insightful

      And why is that not a reasonable opening for the summary?

      Isn't the 13 year existence of a security bug in open source code a valid argument that open source does not really mean a product is more secure?

      The correct answer for what makes a product secure: Proper coding practices combined with proper configuration.

      IMO, Apache is certainly a better choice for a web server, but my opinion is not based on that fact that it is open source and instead based on the fact that it is actually more secure than IIS. Apache appears to be less often compromised, therefore I trust it more. However, if IIS one day holds the mantle of least compromised, then I will certainly consider it (I'm holding my breath though).

    3. Re:At least it was fixed by XanC · · Score: 4, Informative

      Isn't the 13 year existence of a security bug in open source code a valid argument that open source does not really mean a product is more secure?

      No, it isn't. In order to reach that conclusion, you'd have to compare it against closed-source code. Do you really believe there aren't now and have never been bugs that old in the closed-source world?

    4. Re:At least it was fixed by LordLucless · · Score: 2

      Isn't the 13 year existence of a security bug in open source code a valid argument that open source does not really mean a product is more secure?

      (Emphasis added)

      Not unless you have some measurement of non open-source code against which you can compare. Which the OP pointed out . And you (or some other AC, can't really tell you guys apart) flamed him for.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    5. Re:At least it was fixed by MobileTatsu-NJG · · Score: 3, Insightful

      How many bugs are there in commercial software that we don't know?

      Heh.

      Monday:

      "Really old bug finally patched in some popular Microsoft software!"

      This shows how terrible proprietary software is!

      Tuesday:

      "Really old bug finally patched in some popular OSS!"

      This shows how terrible proprietary software is!

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    6. Re:At least it was fixed by Requiem18th · · Score: 3, Interesting

      In all fairness, software is only as secure as the culture behind it. Everybody using PHP knew of this bug for ages, just, nobody gave a damn. Except those who didn't know that also didn't give a damn.

      PHP has never been crazy about security, what else do you expect from a runtime that once let you insert arbitrary variables into the script namespace?

      The few people using PHP who care about security that much are using DIY password management anyway.

      --
      But... the future refused to change.
  2. Not unprecedented by slimjim8094 · · Score: 2, Interesting

    http://www.osnews.com/story/19731/The-25-Year-Old-UNIX-Bug

    These kinds of stories make me nervous, because I always assume that crackers know about these and are using them secretly.

    Though this is obviously not a OSS issue. Were this Windows, it might not have been found at all.

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    1. Re:Not unprecedented by blair1q · · Score: 2

      I always assume that crackers know about these and are using them secretly.

      And when caught at it publish everything they have and blame you for not securing your system.

    2. Re:Not unprecedented by joabjon · · Score: 2

      Certainly not unprecedented:
      17-year-old issues in NTLM not many people know about (now fixed)
      http://www.ampliasecurity.com/research/OCHOA-2010-0209.txt
      http://www.ampliasecurity.com/research/NTLMWeakNonce-bh2010-usa-ampliasecurity.pdf

    3. Re:Not unprecedented by satuon · · Score: 2

      If crackers were using them a lot and there were viruses in the wild that were using them, then people would have quickly found out about those bugs and patched them. I think the reason they stayed hidden for such a long time was nobody really exploited them.

    4. Re:Not unprecedented by daid303 · · Score: 2

      If you read the report, you'll notice that the bug introduces a slight incompatibility and a slight reduction in password strength if you use the 8th bit (read none-latin) characters. With blowfish (one of the many possible hash functions)

      Yes, it's a bug. Yes, it needs to be fix. No, it's not OMG we're going to be pwned!

  3. A 13 Year Old Bug ... by WrongSizeGlass · · Score: 2

    A 13 year old bug is no match for a 13 year old hacker.

  4. Re:hmmm by arth1 · · Score: 2

    Also proof that security through obscurity works.

    Evidence, perhaps, but certainly not a proof, unless you can prove that black hats haven't exploited this in the last 13 years.

    Contrary to popular belief, most black hats aren't in it for the fame, but for other reasons including personal satisfaction, thrill and in some cases monetary gains. And when you're not in it for the fame, you don't disclose what you've found -- you guard the secret carefully so you can continue to exploit it. Yes, for thirteen years. I know of active backdoors far older than that.

  5. Re:hmmm by Jonner · · Score: 2

    In a sign that many eyes don't really make (security) bugs shallow

    Also proof that security through obscurity works.

    How is this proof of that? For all we know, crackers have been exploiting this vulnerability for years.

  6. crypt_blowfish by TopSpin · · Score: 4, Informative

    The common thread among these systems (PHP, (Open)SUSE, etc.) is the use of crypt_blowfish, a flawed implementation of the blowfish hash function. Constructing passwords that collide is easy due to a sign extension bug. A SUSE user can observe the use of blowfish in /etc/default/passwd, where the default value of CRYPT_FILES is 'blowfish'.

    To be clear, the problem is a flawed implementation; the blowfish hash algorithm itself remains sound.

    The PHP crypt() function supports several common hash algorithms including blowfish. The PHP 'documentation' implies that DES is default. Anyone care to speculate on the likelyhood of widespread blowfish use by public sites?

    --
    Lurking at the bottom of the gravity well, getting old
    1. Re:crypt_blowfish by szquirrel · · Score: 2

      Anyone care to speculate on the likelyhood of widespread blowfish use by public sites?

      Wide. Many major PHP projects have been moving toward Openwall's PHPass algorithm that uses Blowfish as its preferred hashing algorithm. Note that even with this bug it's still better than the unsalted MD5 or SHA1 hashes that most projects were using previously. Today any of those old hashes can be brute-force cracked by a $200 GPU in about a day.

      --
      Never approach a vast undertaking with a half-vast plan.
  7. Re:So if I understand this right? by blair1q · · Score: 2

    In the US maybe.

    Though, yes, it implies you're using accented characters and have blowfish as your algorithm.

    So it's a vulnerability enabled by a very small portion of a very small population.

    Which is why it lasted for 13 years with nobody caring much, except academically.

    But, if you knew you could use 8-bit characters, and you generated your passwords randomly, this could affect half of your password space. Which could be significant if your passwords were kept in compartmentalized files that themselves are accessible only to different authorized people. Bureaucracy can get very hairy, in such circumstances.

  8. Re:So if I understand this right? by Obfuscant · · Score: 2
    I read the linked comment (not much of a description there), but it does appear that it is triggered by "8 bit characters" in passwords.

    It talks about "pound sign" as the test, but claims that it is "\xa3 in C". I didn't know that C had a different definition for ASCII characters than ASCII does, and in my ASCII tables the octothorpe is 0x23. Ahh, maybe a language difference, and the "british currency symbol" is what he is referring to.

    Or maybe this points out the error of relying on non-standard characters for anything. According to my Web Design nutshell book, \&#163 is the British pound symbol, but apparently FF3 doesn't know it (or /. strips it.) Here are two in a row: -- I see nothing. That's defined in ISO 8859-1, however, and not ASCII.

    In any case, it looks like if you use standard ASCII characters in your password you are not a target for this bug.

  9. Re:Uh Oh... by JWSmythe · · Score: 2

        You know, it's weird, but ya, it'll get you traffic.

        One of the things I do is run a mainstream news site. In that, pedophiles get bused for all kinds of things. Those end up being keyword rich pages that seem to come up for all kinds of fucked up variations of what pedophiles look for. There's nothing like reviewing your logs to have an amazing disgust for society as we know it.

        There is only one thing I feel good about. On some keywords and phrases, we come up in the top 3 results. So the pedophiles may be looking for underage smut, but instead they're presented with news stories about other pedophiles going to jail.

        It seems like an acceptable solution to me. Pollute their searches with so many non-smut sites, preferably with news stories about long prison terms, or deaths by the hands of other inmates. Maybe it will help encourage them to make their best attempt at winning a Darwin Award.

    --
    Serious? Seriousness is well above my pay grade.
  10. Re:Yikes, how do you roll out a fix for that. by Firehed · · Score: 3, Insightful

    Have a setting in the tools that call it to use the legacy/broken implementation, and enable it by default in the next patch. See: MySQL old passwords. Or some sort of option that you can set on the function, similar idea.

    The better but less compatible way is to put a huge warning on the patch, telling people that if the password doesn't match, check again with the USE_BROKEN_BLOWFISH_IMPLEMENTATION flag passed into the function and if that matches, update your data with the good hash and continue on as normal. That will inevitably piss off a lot of people on shared hosting and/or unmaintained applications but from a security standpoint it's the better option.

    --
    How are sites slashdotted when nobody reads TFAs?
  11. Re:Come on, it's PHP by A+beautiful+mind · · Score: 2, Funny

    I'm an advanced slashdot user, I don't even read the summary anymore.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  12. no reason to conclude open source is not secure by binarstu · · Score: 3, Insightful

    Concluding, from this bug, "that many eyes don't really make (security) bugs shallow" is absolutely not justified. This is a single anecdote (sample size = 1), and there is no good or easy way to compare this to what would have happened had the code been closed. One could just as easily claim that if the code were not open, it would have been 10 more years before the bug was uncovered.

    1. Re:no reason to conclude open source is not secure by tangent · · Score: 3, Informative

      The famous quote doesn't apply to unidentified security flaws.

      The point of the quote is that when someone points out buggy behavior, the many eyeballs will quickly pierce to the heart of the bug and find a way to fix it. With fewer eyes, really nasty bugs often remain unfixed long past the time they are first identified because none of the brains behind the few eyeballs that have looked at it have figured out the fix yet.

      The nature of most security bugs is that their existence is not obvious. Most software with security flaws performs its intended function as long as it is run within expected bounds. There is nothing for the many eyeballs to attack until someone tries pushing the software into its operational gray areas, then notices that it does something unwanted or unexpected. As soon as that happens, the quote applies: security holes in open source software are typically fixed soon after being identified.

  13. Umm, It's not an official fix by sdguero · · Score: 4, Interesting

    It appears that whoever wrote the summary didn't read the links they provided:

    "I am going to provide an official fix for crypt_blowfish (likely the one-liner plus added tests). I thought I'd bring the issue up on oss-security sooner rather than later."

    So, the bug appears to have been found today and the developer has a one liner solution but hasn't released a patch. I think the summary did a piss poor job talking about what is affected by the problem too... specifically crypt_blowfish, which i know my company uses for a few things. It is interesting to know that this hash is now far weaker than originally thought until it gets patched (which will prolly take a long time to make it into major distros).

    Anyway, i'm done bitching, definitely a story worthy of /. I just think the summary was trying to tie in too much (old bugs blah blah) and misrepresented the impact and fix.

    1. Re:Umm, It's not an official fix by solardiz · · Score: 2

      We're getting close to an official fix, which includes a quick self-test on every use (not just by "make check"), with both 7- and 8-bit chars: http://www.openwall.com/lists/oss-security/2011/06/21/2

  14. Re:Come on, it's PHP by Firehed · · Score: 4, Insightful

    To be fair, it's hardly PHP's fault that the shared library's implementation was broken. The primary benefits of using a library (not reinventing the wheel, wisdom of many, etc.) are generally outweighed by occasionally inheriting one of their bugs. Especially since you also inherit their bugfixes. While the core PHP team is actually quite well accomplished at security (even if PHP enables any idiot to make insecure sites by virtue of being easy to learn), I'd still rather them use widely adopted libraries than come up with their own implementation.

    --
    How are sites slashdotted when nobody reads TFAs?
  15. Re:Come on, it's PHP by kat_skan · · Score: 2

    What the fuck did you expect, excellent design practices and high quality code?

    Honestly? A second function named blowfish_real_hash_string.

  16. Re:So if I understand this right? by simcop2387 · · Score: 3, Insightful

    They mean the british pound sign, not the octothorpe # . Ain't language fun?

  17. Re:hmmm by bluefoxlucid · · Score: 2

    This is a slight reduction in password strength if you're using Blowfish and have a british pound sterling sign in your password, rather than a normal password and using the standard salted MD5 hash or deliberately changing from MD5 to SHA1, which is the only likely change most people would make. It almost never happens and doesn't create an instant break when it does; it's effectively a non-issue, but you know.. if it's loose, tighten it up, I don't care if it's going to fall off or not.

    --
    Support my political activism on Patreon.