V8 Hash Collision Generator


Peter Martischka

Jan 8, 2012, 9:12:19 AM
to nod...@googlegroups.com
I created a bit of code to generate V8 hash collisions as described
here https://www.youtube.com/watch?v=R2Cq3CLI6H8

You can use this code to test how vulnerable your application is
against hash collision attacks. Use it for good, not evil!

https://github.com/Pita/V8-Hash-Collision-Generator

Peter

Fedor Indutny

Jan 8, 2012, 9:22:56 AM
to nod...@googlegroups.com
Peter,

It's cool that you can do it.

But please unpublish it before `kids will start playing with a toy`.

Cheers,
Fedor.





Benjamin Gudehus

Jan 8, 2012, 9:26:14 AM
to nod...@googlegroups.com
"My parents didn't allow me to play with this."

2012/1/8 Fedor Indutny <fe...@indutny.com>

Benjamin Gudehus

Jan 8, 2012, 9:30:59 AM
to nod...@googlegroups.com
Hmm, very nice. You could also attack... no, I mean test... Java, PHP, ASP.NET, Ruby and Python
web applications, too, as described in the presentation at the Chaos Communication Congress.

2012/1/8 Benjamin Gudehus <hast...@googlemail.com>

Jann Horn

Jan 8, 2012, 9:33:31 AM
to nod...@googlegroups.com
2012/1/8 Peter Martischka <peterma...@googlemail.com>:

> I created a bit of code to generate V8 hash collisions as described
> here https://www.youtube.com/watch?v=R2Cq3CLI6H8
>
> You can use this code to test how vulnerable your application is
> against hash collision attacks. Use it for good, not evil!

Every minute in which you don't unpublish it is a minute in which a
scriptkiddie clones your repo. :P

Benjamin Gudehus

Jan 8, 2012, 9:42:56 AM
to nod...@googlegroups.com
Need to correct: V8 uses a different hashing mechanism. So the testing
application is specifically tailored to test Node.js.

2012/1/8 Benjamin Gudehus <hast...@googlemail.com>

Peter Martischka

Jan 8, 2012, 9:55:59 AM
to nodejs
> Need to correct: V8 uses a different hashing mechanism. So the testing
> application is specifically tailored to test Node.js.

The hash algorithm I use is slightly different from the V8 one. V8 is
doing some extra calculation after it did the calculation with every
character. But this extra calculation is not necessary to find
collisions.

Btw I unpublished this repo now. But I don't feel like I did something
wrong. Everyone has known about this attack for days and everyone can
create code to use this vulnerability. So I thought the good and the
bad guys should have the code. If I didn't publish it, anyone else
would have done it.

Peter

Jann Horn

Jan 8, 2012, 10:20:09 AM
to nod...@googlegroups.com
2012/1/8 Peter Martischka <peterma...@googlemail.com>:

> Btw I unpublished this repo now. But I don't feel like I did something
> wrong. Everyone has known about this attack for days and everyone can
> create code to use this vulnerability. So I thought the good and the
> bad guys should have the code.

Most of the really good and bad guys can do it themselves, yes. But
those are the ones who won't aim it at random servers for fun. On the
other hand, some scriptkiddies who are too stupid to do it themselves
might.

Benjamin Gudehus

Jan 8, 2012, 10:25:06 AM
to nod...@googlegroups.com
> Most of the really good and bad guys can do it themselves, yes. But
> those are the ones who won't aim it at random servers for fun. On the
> other hand, some scriptkiddies who are too stupid to do it themselves
> might.

+1

Marcel Laverdet

Jan 8, 2012, 10:16:48 PM
to nod...@googlegroups.com
Are you guys serious? No good comes from taking this down. The exploit is already out there, reducing visibility is /counter-productive/. Peter you have my vote for leaving it up.

Eric Muyser

Jan 8, 2012, 10:20:20 PM
to nod...@googlegroups.com
i’m 12 and what is this?

ooo, fun

seriously though, keep it open, awareness and all that

Peter Martischka

Jan 9, 2012, 2:41:11 PM
to nod...@googlegroups.com
> Are you guys serious? No good comes from taking this down. The exploit is
> already out there, reducing visibility is /counter-productive/. Peter you
> have my vote for leaving it up.

I was waiting for something like this. Thank you, it's up again.

Arnout Kazemier

Jan 9, 2012, 2:53:49 PM
to nod...@googlegroups.com
I personally would have waited until ALL security holes had been fixed in the latest Node version,
as number collisions are still possible in node 0.6.7. This reduces the risk that it gets used as an attack tool
instead of a test.

Brett Ritter

Jan 9, 2012, 4:57:49 PM
to nod...@googlegroups.com
On Mon, Jan 9, 2012 at 2:53 PM, Arnout Kazemier <in...@3rd-eden.com> wrote:
> As number collisions are still possible in node 0.6.7. This reduces the
> risk that it gets used as an attack tool
> instead of a test.

There seems to be this impression that there's a divide between those
clever enough to do this work and immature enough to assault with it.
I feel confident that script kiddies have had such tools for this
issue well before Peter's offering, and his offering is visible to
those that need to test/prove the issue.

While there is a chance that some small number of script kiddies did
not have an easy attack vector AND find Peter's, I find it far more
likely that those benefiting from the tool will find it.

One need not look far (*cough* 4chan *cough*) to find there is a large
overlap between "clever", "willing to put forth effort", and
"juvenile", not to mention to also see that such groups cluster and
share. Ergo the benefit this gives them they don't already have is
fairly low. So compare to the benefit it gives us.

--
Brett Ritter / SwiftOne
swif...@swiftone.org
