LEAKFREE-2014-009 / OSVDB-115642

HumHub UserPassword.php validatePassword() Password Hash Comparison Brute-force Weakness

[+] OSVDB-ID: OSVDB-115642
[+] LF-ID: LEAKFREE-2014-009
[+] CVSS: 7.0
[+] Vendor: HumHub
[+] Product: HumHub
[+] Versions affected: 0.10.0-rc1 and earlier


The validatePassword() function located in '/protected/modules_core/user/models/UserPassword.php' is vulnerable to a so-called a so-called 'type juggeling' attack [2, 3, 4]:

if ($this->password == $this->hashPassword($password))

Here a hash of the user-supplied password gets compared to the stored hash in an insecure manner, since PHP's loose type comparison operators compare only data values but not their associated types, deriving variable types from context. PHP's string conversion rules [5] specify strings (when evaluated in a numeric context) with leading decimal, hexadecimal, infinity, NAN or radix (a '.') data optionally followed by an exponent are evaluated as floats. What this means is that a string like 00e13242 is cast to 0 and as such, to PHP 0e94323 == 00e19384. When given two different passwords, with different hashes, such as:

$a = md5('240610708'); // = 0e462097431906509019562988736854
$b = md5('QNKCDZO'); // = 0e830400451993494058024219903391

They are considered identical when compared in the following manner:

var_dump($a == $b);

This allows an attacker to easily build a dictionary of passwords whose hashes result in float type conversions to greatly reduce their bruteforce keyspace against stored hashed passwords of the format 0+[eE]\d+. In addition, Humhub versions 0.10.0-rc.1 and prior allow users to directly reset the password of any account without any verification (see OSVDB-115643). An attacker can thus send a large number of password reset requests for any account until the resulting, randomly generated, hashed password is of the format 0+[eE]\d+ and is thus covered by the dictionary.


Upgrade to the latest HumHub release [6]


1. http://humhub.org

2. http://phpsadness.com/sad/47

3. http://turbochaos.blogspot.nl/2013/08/exploiting-exotic-bugs-php-type-juggling.html

4. http://en.securitylab.ru/lab/PT-2012-29

5. http://php.net/manual/en/language.types.string.php#language.types.string.conversion

6. https://github.com/humhub/humhub/releases


Voor meer informatie of een vrijblijvende offerte kunt u contact met ons opnemen via contact@leakfree.nl (PGP)