Saubloed | 29.11.2003 19:25 | My post about the security of phpBB deleted from their forum
Hello!
I wrote a post in the phpbb.com forum about the security of phpBB, mainly concerning the MD5 hashes.
It was deleted without comment, although I pointed out that this is not a vulnerability but a flaw in principle.
I also read the forum rules carefully.
At least the bug report for phpBB version 2.2 was not deleted.
I am posting a copy of it here again, but unfortunately it is in English. I can translate it if necessary.
Subject: Why md5-hashes are not secure. Quote:
OK, first of all I think this is NOT a real security hole.
It is a common problem that I want to describe. It took me the whole day to write and test it, so please do not delete my message.
Many people think that md5-hashes make phpBB totally secure. You can also believe that the earth is flat!
I was really shocked that phpBB version 2.06 stores the password MD5 hash in a cookie if you use permanent login.
Source: http://www.securityfocus.com/archive/1/345872 Quote:
I was able to obtain my board administrator MD5 password hash. Armed with this hash an attacker could modify his cookie accordingly and log in as administrator without having to decode the hash.
I have also checked that myself and it is true.
Do you want to know why I am shocked? - I will describe how to gain root access on servers:
Requires: the admin of a phpBB forum uses an insecure browser (like Microsoft Internet Explorer) and uses permanent login
Steps:
1) Use a (new) security hole in the browser and steal the md5-hash from the cookie.
It should be easy for Microsoft Internet Explorer because serious holes are spotted there frequently.
E.g. the one that allows executing any code, for which there was no patch until 26.11.2003 or so.
In German: http://www.heise.de/security/news/meldung/42359
Found by:
Liu Die Yu http://clik.to/liudieyu
2) Use the cookie to log in and execute code to get local access.
3) If step 2 fails you can also brute-force your MD5/MD4 hashes and try the password as login for phpBB or elsewhere (e-mail account and so on).
4) Use a local root exploit.
E.g. the ptrace exploit if you still have an unpatched Linux running.
Or maybe you get the/a new unknown one: Quote:
I believe that there was an as of yet unknown local root
exploit used to go from having local unprivileged access to having
root.
http://lists.debian.org/debian-devel.../msg00012.html
Solution for authentication systems: do not/NEVER use the MD5 password hash for the cookie.
Bug report for phpBB version 2.2: http://sourceforge.net/tracker/index...85&atid=580201 - Now I want to tell you why you can forget that md5-passwords are one-way or secure.
Most (I hope) know at least that there is a "password cracker" that supports md5:
John the Ripper password cracker http://www.openwall.com/john/
OK, if you have ever used it you know that it is very slow if you run a brute-force attack on an md5-hash.
Only a few people, I think, know MDcrack!
I found that link in the heise.de forums some time ago. http://mdcrack.df.ru/
If you have a password with the default charset (abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ) that is 5 characters long, it only takes a few seconds to get it!
See also: http://mdcrack.df.ru/pf.html - What happens to users who use the same password everywhere?
An attacker could very quickly gain access to all your accounts. Email, eBay and maybe online banking.
Even if you use different usernames it is normally easy, e.g. with search engines, to find out nearly everything.
Solution for phpBB: log out, use the forgot-password link on the login page and you will get a new password. Do that everywhere. But this solution is only good if your PC and your email program are secure, or if you write all passwords down.
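The post's main point (never put the password hash in the permanent-login cookie) as an added example, not code from the post or from phpBB: a Python sketch of the flawed check beside a token-based replacement that survives a leaked cookie or user table. The in-memory user table, the `s3cret` password, the `DEMO_WEAK_COOKIE` constant and all function names are constructed for this demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-in for the user table; phpBB's real schema is not modelled.
# MD5 is used only because that is what the post says phpBB 2.06 stores, not as a recommendation.
USERS = {"admin": {"pw_hash": hashlib.md5(b"s3cret").hexdigest()}}
DEMO_WEAK_COOKIE = USERS["admin"]["pw_hash"]      # what the post says the permanent-login cookie carried
REMEMBER_TOKENS = {}                              # token_id -> {"user", "token_hash", "expires"}
REMEMBER_TTL = 30 * 24 * 3600                     # 30 days

def weak_cookie_login(cookie_value):
    """Flawed design from the post: the cookie IS the stored password hash, so whoever
    holds the cookie (or a dump of the users table) is logged in without the password."""
    for name, row in USERS.items():
        if hmac.compare_digest(row["pw_hash"], cookie_value):
            return name
    return None

def issue_remember_cookie(user, now=None):
    """Hardened design: a random token unrelated to the password. Only its SHA-256 is
    stored, so a leaked table does not yield usable cookies, and tokens can be revoked."""
    now = time.time() if now is None else now
    token_id, token = secrets.token_urlsafe(8), secrets.token_urlsafe(32)
    REMEMBER_TOKENS[token_id] = {
        "user": user,
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + REMEMBER_TTL,
    }
    return f"{token_id}:{token}"

def remember_cookie_login(cookie_value, now=None):
    """Returns the user for a valid, unexpired remember-me cookie, else None."""
    now = time.time() if now is None else now
    token_id, sep, token = cookie_value.partition(":")
    row = REMEMBER_TOKENS.get(token_id) if sep else None
    if row is None or row["expires"] <= now:
        return None
    presented = hashlib.sha256(token.encode()).hexdigest()
    return row["user"] if hmac.compare_digest(row["token_hash"], presented) else None

def revoke_remember_cookies(user):
    """Run on logout or password change: every outstanding cookie for the user dies,
    which the password-hash cookie cannot do without changing the password itself."""
    for token_id in [t for t, r in REMEMBER_TOKENS.items() if r["user"] == user]:
        del REMEMBER_TOKENS[token_id]
```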