Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Typo3 Default Encryption Keys

typo3Typo3 Default Encryption Keys [Proof of Concept]

As detailed in the “Typo3 – Encryption Key” vulnerability announcement (Typo3-sa-2009-001) the Proof of Concept code used for re-creating the default Typo3 encryption keys, as well as offline  Dictionary attacks against Typo3 encryption keys can be found below. A new Python script is also available for download that performs both attacks against known Encryption Keys, as well as Dictionary based attacks. The Python script can also be used to create a valid malicious URL using the recovered Encryption Key.

The video is bet viewed in HD quality, you can click through on the video above, or use the shortcut below to directly access it on the Vimeo site.

NOTE: These PoC scripts are designed to display the vulnerability and not be used in unathorised hacking of Typo3 systems.

Python Typo3 – Encryption Key Tool (version 1.22)

This PoC python script can be used to perform offline an dictionary attack attempts against Typo3 servers. The python script takes a URL as input and attempts to discover the Typo3 Encryption Key using the known default keys (1000), as well as dictionary style attack (using a user defined dictionary). If the encryption key is recovered the script will also give the user an option to create a malicous link with a newly created (and valid) MD5 hash. Information is required from a valid Typo3 showpic.php to perform this attack.

NOTE: Version 1.22 corrected a slight typing mistake in the attack string creation portion of the script. bodytag should be bodyTag, small but fatal error when trying to match an MD5 😉

Outdated: Shell Script – Typo3 – Encryption Key Dictionary Attack script

This PoC shell script can be used to perform an offline dictionary attack against Typo3 servers. Information is required from a valid Typo3 showpic.php to perform this attack. –> This method is outdated. Please see the Python script above as a replacement to this script.

Outdated: Shell Script – Typo3 – Default Encryption Key Generator

This PoC shell script creates an output of all possible default encryption keys (based on Typo3 4.2.3) –> This method is outdated. Please see the Python script above as a replacement to this script.

Typo3 – Default Keys (Typo3 <version 4.2.3)

This file contains a pre-compiled list of default encryption keys (based on Typo3 4.2.3).

Advertisements

14 responses to “Typo3 Default Encryption Keys

  1. Pingback: Typo3 Weak Encryption Key « Ramblings of the änal security guy

  2. Jim July 15, 2009 at 20:13

    Thx for the demonstration! But what version of Python is requiered for the script? I tried 2.5,2.6 and 3.1…. I always get some error, it seems that that the script could not split the string. The best version with the less errors was 2.5. greetings jim

  3. ChrisJohnRiley July 16, 2009 at 15:54

    Hi Jim,

    Glad you liked the demo/tool. It was developed using Python 2.5.1 and tested on Debian / SuSE and Backtrack 3. Can you give me details of the error message and I’ll see if I can troubleshoot.

    The URL should look something like this .:

    http://localhost:8503/index.php?eID=tx_cms_showpic&file=uploads%2Fpics%2Fjonathan.jpg&width=800m&height=600m&bodyTag=%3Cbody%20bgcolor%3D%22black%22%3E&wrap=%3Ca%20href%3D%22javascript%3Aclose%28%29%3B%22%3E%20%7C%20%3C%2Fa%3E&md5=78f4d21442cb4dc8281f6585adaee960

    If you take a look into the script it’s pretty easy to see what it’s doing.

    Checkout http://storage.c22.cc/TYPO3-InsecureRandomness.txt for a breakdown of the problem if you’ve not already seen it.

  4. Jim July 18, 2009 at 18:19

    Hi Chris,

    thank for your answer! I have alrady looked in this script, and I see what it is doing. But I’m not able to find the mistake…
    Now I tried it with 2.5 on WinXP. I used the command: python TYPO3EncKeyTool.py –default –url http://mydomain.de/index.php?eID=tx_cms_showpic&file=uploads%2Ftx_mmdamfilelist%2Ftemp_63662056a4.jpg&width=400&wrap=%3CA%20href%3D%22javascript%3Aclose%28%29%3B%22%3E%20%7C%20%3C%2FA%3E&md5=0602930af0dd42d6d998080e120a848e

    He splits the first part of the url right (“http://mydomain.de/index.php?eID=tx_cms_showpic”
    then he writes: “Test string: <… BRUTE FORCE …."
    the "Desired MD5: "
    "Beginning defaul Entcryton Key attack
    Default Hash not found.

    The Command "file" is worng or could not be found.
    The Command "width" is worng or could not be found.
    The Command "warp" is worng or could not be found.
    The Command "md5" is worng or could not be found.

    "

  5. ChrisJohnRiley July 18, 2009 at 18:35

    Ok, I think the issue is that you need to put the URL between single quotes ‘ ‘ to get it fully into the script. If you don’t then it will get splitup into seperate commands due to the pipe and ampersand symbols.

%d bloggers like this: