Doubt on Null Byte in Bcrypt PHP

1

Well, I learned that PHP's Bcrypt is vulnerable to Null Byte.

What tests do I have to do to see this vulnerability, and what are the implications of this?

    
asked by anonymous 04.03.2018 / 06:29

1 answer

3

Many PHP functions are (or have been) vulnerable to null bytes. One of the biggest problems was include(), where PHP stopped when it found the null, which allowed ignoring the file extension.

In the case of BCrypt (I do not know how Argon2i works in PHP), it will use the string until it finds a null.

Then:

$hash = '$2y$10$/nX1tLiwOsGWL4MhUjfEIOBKLV.Oa/uVy7rxqxih2SeNIkCk8doEW';

// "\0" is a NUL byte; bcrypt only uses the bytes that come before it
echo (int)password_verify("a", $hash);
echo PHP_EOL;

echo (int)password_verify("a\0bcde", $hash);
echo PHP_EOL;

echo (int)password_verify("a\0zzzzz", $hash);
echo PHP_EOL;

They all return 1, even though they are different.

This is because the hash in question was created with a null, such that:

password_hash("a\0 Qualquer Coisa Aqui Será Ignorada", PASSWORD_DEFAULT)

This is the null-byte problem. Overall it is not a big problem, since password should be set using nulls as far as I know. However, this will circumvent the minimum number of characters for a password, because a\0 Qualquer Coisa Aqui Será Ignorada will be more than 10 bytes, for example, but your password will only have 1 byte (a).

The solution to this is pre-hashing, but it should be encoded to a safe format; after all, the result of a SHA-2, for example, may contain a null.

The other option may be to abandon BCrypt. You have LibSodium in PHP, and I believe that these functions (specifically sodium_crypto_pwhash_str) have no problems.

    
04.03.2018 / 07:02
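
The pre-hashing approach described in the answer above, as an added example that is not part of the original answer. SHA-384 with base64 encoding is an assumed choice of pre-hash, and the function names `prehash`, `hash_password`, `verify_password` and `effective_length` are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: SHA-384 + base64 is an assumed choice of pre-hash; the
// function names are hypothetical and not from the original answer.

// Raw SHA-384 is 48 bytes and may contain NUL; base64 turns it into 64
// printable bytes, which also stays under bcrypt's 72-byte input limit.
function prehash(string $password): string
{
    return base64_encode(hash('sha384', $password, true));
}

function hash_password(string $password): string
{
    return password_hash(prehash($password), PASSWORD_BCRYPT);
}

function verify_password(string $password, string $stored): bool
{
    return password_verify(prehash($password), $stored);
}

// Number of bytes bcrypt would see if given the raw password: everything
// before the first NUL. Use this, not strlen(), for a minimum-length rule.
function effective_length(string $password): int
{
    $nul = strpos($password, "\0");
    return $nul === false ? strlen($password) : $nul;
}

// Constructed sample input, taken from the strings used in the answer.
$padded = "a\0 Qualquer Coisa Aqui Será Ignorada";
$stored = hash_password($padded);

printf("strlen=%d effective=%d\n", strlen($padded), effective_length($padded));

// With the pre-hash, the bytes after the NUL are part of the password,
// so only the exact string verifies.
foreach ([$padded, "a", "a\0bcde", "a\0zzzzz"] as $candidate) {
    printf("%-8s %s\n",
        verify_password($candidate, $stored) ? 'match' : 'no match',
        addcslashes($candidate, "\0"));
}
```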