Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: encryption key

Typo3 – Screencast

I’ve thrown together a quick screencast to run through how to use the Typo3 Encryption Key tool against vulnerable installs. As always, I’m open to suggestions and comments on how to make things better in the tool as well as the blog in general. Hope you enjoy the show.

The video is bet viewed in HD quality, you can click through on the video above, or use the shortcut below to directly access it on the Vimeo site.

Typo3 Encryption Key Attack from Chris John Riley on Vimeo.

Advertisements

Typo3 Weak Encryption Key

rtemagicc_typo3-logoA few months back I discovered a vulnerabilty in the core of Typo3 (versions  4.0.0 to 4.0.9, 4.1.0 to 4.1.7, 4.2.0 to 4.2.3). Now that the Typo3 security team have responded with a patch against this issue (see the official Security Note from the Typo3 security team) I can release the details of the vulnerability, as well as some proof-of-concept python scripts that I’ve been holding onto now for a while. The Typo3 Security Team were very quick to respond to the issue, and I found them very good to work with during the disclosure process. If only some larger companies were so easyto work with, and responsive.

The following announcement has been made public in co-ordination with the Typo3 Security Team.

Technical Details <— link to release information

PoC Tools <— Link to tools

For those looking for a brief overview in 100 words or less .:

The default encryption key used by Typo3 is create at time of setup using inadequate sources of entropy. This design flaw resulted in there only being 1000 possible keys. If an administrator manually changes the Encryption Key through the administrative install console, then this vulnerability can be avoided.

Alongside this flaw, Typo3 also uses the Enryption Key to create MD5 hashes to protect URL links from being manipulated (see full release information for more details and examples). In this case, the Encryption Key is the only peice of information not directly available to the end-user. This allows an attacker to perform an offline brute-force against the Encryption Key. Breaking this key could allow an attacker to form malicious URL’s containing script commands of their choice.

The PoC scripts for this are available for demonstration purposes only. Any comments are gratefully received.