what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

secureURL.php Design Flaws

secureURL.php Design Flaws
Posted Sep 22, 2011
Authored by G. Pek, B. Bencsath, BME CrySyS Lab, L. Buttyan

Design flaws make it possible to find out hash of the secret used for URL generation in secureURL.php version 2.0. The problem enables malicious parties to calculate checksum over fabricated URL parameters. The design flaws render the system ineffective against attacks and gives a false sense of security.

tags | advisory, php
SHA-256 | 2bac6017745b6a2c0260aed056b9e2dfa6f9642bd68c12696537a9e5fa1695a9

secureURL.php Design Flaws

Change Mirror Download
CrySyS Lab Security Advisory - secureURL.php design flaws

Affected Software: secureURL 2.0 by Nguyen Quoc Bao
URL e.g.
http://www.phpclasses.org/package/2556-PHP-Encrypt-the-parameters-passed-in-link-URLs.html

Product description:
secureURL encrypts URL parameters and additionally protects it by
checksum, thus an attacker
cannot see the 'real' GET parameters of the website and disables
malcious parties to fabricate
modified URL parameters. The checksum protection is optional.


Vulnerability: Design flaws make it possible to find out hash of the
secret used for URL
generation. The problem enables malicious parties to calculate checksum
over fabricated URL
parameters. The design flaws render the system ineffective against
attacks and gives
only false sense of security.

Found by: BME CrySyS Lab, B. Bencsath, L. Buttyan, G. Pek; www.crysys.hu

1. Problem description

1.1. Decryption attack by known cleartext-ciphertext pairs

secureURL.php encryption mechanism for URL parameters uses simple XOR
operation for
protecting URLs. The key used for the XOR is the md5 sum of the user
defined key.
The parameters are passed in Base64 format.

In function crypt($text,$key):

$key = md5($key);
...
($crypt .= chr(ord($text[$i]) ^ ord($key[$j]));

The usage of XOR makes the system prone to basic attacks. Let's consider
a known crypt URL.
The attacker can educated guess or by other means (access to source
code, other side channels) can
find the cleartext parameter pair for the known crypt URL thus a known
cleartext-ciphertext pair is
available to him or her. Because of the properties of the XOR operation,
the attacker can easily
calculate the values of the key buffer (the value of the md5 sum of the
key).
$key[$i]= chr(ord($crypt[$i])) ^ chr(ord($text[$i]);
Of course, the original key cannot be recovered by this, but any other
URL can be decrypted by this
information.

1.2. Attacks against checksum protection if hash of the secet is known

In 1.1. the attacker can identify the hash of the key, but not the hash
itself.
However, due to the another design flaw, the information about the hash
of the key is enough
to falsify or fabircate URL parameters.

The corresponding PHP code for the operation in function hash($text) is:
return dechex(crc32(md5($text) . md5($this->key)));

If md5(key) is known, and it is from attack 1.1, then the attacker can
construct
proper "hash" for any fabricated URL in this step without knowing the
original key itself.

1.3. How long URL is needed for attack 1.1?

The XOR uses only the hex string representation of the MD5 hash of the
string, therefore it is
32 characters long but each character represents only a nibble (4 bits)
of the hash. Therefore,
for obtaining all the bits of the key at least 32-byte long
cleartext-ciphertext pair is needed.
If the URL is longer than 32 bytes, then the encryption reuses the same
key string.

1.4. What if parts of the key is missing

It can happen, that parts of the known cleartext-ciphertext pair is
missing as the attacker does not
have anough information on that (e.g. last 2 bytes or such).
Considering that the attacker cannot guess some bits, but the checksum
function is in use,
the attacker can go for a brute-force search for the missing bits. The
search ends if the resulting
checksum is correct for the case and the server accepts it. By this
technique, the missing bits can
be found and used up onwards.

2. Fix

To fix the solution, a redesign should be done. Instead of XOR and
CRC32, cryptographycally secure
functions should be used (AES, SHA-256), and design should consider
attacks. A variety of schemes
are availale in related books. The MD should not be based on the same
key as the encryption. They
can be originated from the same secret, but with proper technique. For
hash, a shortening of HMAC
scheme can be considered. The key should not be the same that is used
for encryption.

3. History

The problem was discovered during security analysis of a real-life
system. The author is notifyied
simultenaously with this advisory.

--
Boldizsar BENCSATH
Laboratory of Cryptography and Systems Security
http://www.crysys.hu/
Budapest University of Technology and Economics
Tel: +36 1 463 3422; Fax: +36 1 463 3263;

Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close