Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Typo3 Weak Encryption Key

A few months back I discovered a vulnerability in the core of Typo3 (versions 4.0.0 to 4.0.9, 4.1.0 to 4.1.7, 4.2.0 to 4.2.3). Now that the Typo3 security team have responded with a patch against this issue (see the official Security Note from the Typo3 security team) I can release the details of the vulnerability, as well as some proof-of-concept python scripts that I’ve been holding onto now for a while. The Typo3 Security Team were very quick to respond to the issue, and I found them very good to work with during the disclosure process. If only some larger companies were so easy to work with, and responsive.

The following announcement has been made public in co-ordination with the Typo3 Security Team.

Technical Details <— link to release information

PoC Tools <— Link to tools

For those looking for a brief overview in 100 words or less:

The default encryption key used by Typo3 is created at setup time using inadequate sources of entropy. This design flaw resulted in there being only 1000 possible keys. If an administrator manually changes the Encryption Key through the administrative install console, then this vulnerability can be avoided.

Alongside this flaw, Typo3 also uses the Encryption Key to create MD5 hashes to protect URL links from being manipulated (see the full release information for more details and examples). In this case, the Encryption Key is the only piece of information not directly available to the end-user. This allows an attacker to perform an offline brute-force against the Encryption Key. Breaking this key could allow an attacker to form malicious URLs containing script commands of their choice.
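To make the point concrete, here is an added Python model of the flaw (it is not the author's PoC script, and it is not Typo3's real key derivation, which this post does not give): a link token computed as MD5 of the URL parameters plus the key, with the setup key drawn from a constructed 1000-member set. The key strings, the `weak_install_key` seeding and the parameter string are assumptions; the HMAC variant is the standard hardened construction, added here for contrast.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the 1000-key space the post describes. The count
# comes from the post; the actual key format is NOT known and is made up here.
WEAK_KEYSPACE = [f"typo3-weak-key-{n:03d}" for n in range(1000)]


def weak_install_key(seed: int) -> str:
    """Hypothetical low-entropy setup: the key depends only on a 0..999 value."""
    return WEAK_KEYSPACE[seed % 1000]


def strong_install_key() -> str:
    """What setup should do instead: 32 bytes from the OS CSPRNG (2**256 keys)."""
    return secrets.token_hex(32)


def link_token(params: str, key: str) -> str:
    """Model of the post's link protection: MD5 over parameters plus secret key."""
    return hashlib.md5((params + key).encode()).hexdigest()


def link_token_hmac(params: str, key: str) -> str:
    """Hardened construction: a proper keyed MAC instead of a bare hash of key+data.
    Note that this still only helps when the key itself is unpredictable."""
    return hmac.new(key.encode(), params.encode(), hashlib.md5).hexdigest()


def recover_key(params: str, token: str, candidates):
    """Offline search over a candidate list, using only values a visitor sees
    (the parameters and the token). With 1000 candidates this is instant,
    which is why a key must be unpredictable, not merely kept secret."""
    for key in candidates:
        if hmac.compare_digest(link_token(params, key), token):
            return key
    return None


def demo():
    params = "id=42&type=0"  # constructed sample URL parameters
    weak = weak_install_key(737)
    weak_recovered = recover_key(params, link_token(params, weak), WEAK_KEYSPACE)
    # A CSPRNG key is not a member of any enumerable list, so the search fails.
    strong = strong_install_key()
    strong_recovered = recover_key(params, link_token(params, strong), WEAK_KEYSPACE)
    return weak_recovered == weak, strong_recovered is None
```

Running `demo()` returns `(True, True)`: the weak key is found by exhausting the list, the strong one is not.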

The PoC scripts for this are available for demonstration purposes only. Any comments are gratefully received.

3 responses to “Typo3 Weak Encryption Key”

  1. CG January 21, 2009 at 05:12

    wow Chris, nice work!

  2. Chris Riley January 21, 2009 at 09:32

    Thanks… It’s an interesting find, but certainly not a major issue. When it comes down to it, it exposes a reflective XSS flaw, and maybe some data stored using the Typo3 XOR functions (also based on the EncKey). Still, no world ending DNS vuln here.

    It’s just nice to give something back (to an open source project) and make something more secure instead of constantly breaking things 😉 That and I really enjoyed reversing the process and writing the tool(s) (my first python script, and it actually works… who’d have thought).

    Not sure what’s next… maybe I’ll keep looking at Typo3 for a while 😉

  3. Ben January 21, 2009 at 16:19

    Congrats again on this, Chris!
