Typo3 hole leads to boom in hash cracking
The operators of the hashcrack.com site have recorded a "boom" in people using the online service to crack MD5 hashes. Over the course of two days, the number of accesses rose tenfold. It is presumed that this increase is connected with the recently disclosed critical vulnerability in the Typo3 content management system. If an attacker uses the vulnerability to obtain the hashed version of an administration password, the hashcrack.com site may be able to give them the plain text version of the password, allowing them to take over the site. A number of sites have been attacked in this way, including the site of the German interior minister.
[Figure: Adjusted access statistics showing a rapid growth in hashcrack.com use. Source: hashcrack.com]
Since the hashes in Typo3 did not use a salt (a random set of characters added to the password before hashing to thwart precomputation attacks), the passwords can be determined using rainbow tables in anything from a matter of minutes to a few days. A rainbow table's ability to reveal an unsalted password depends on the range of characters and the length of the password it covers. The longer the password, the bigger the table, up to a size of several hundred gigabytes. Creating rainbow tables can take many months on specialised hardware, but once created, they can be applied to every unsalted hash of that type.
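To make the salt point concrete, here is an added Python example, not code from heise or from hashcrack.com: a tiny precomputed MD5 lookup table (a constructed five-word candidate list standing in for a rainbow table's coverage) recovers an unsalted hash immediately, while the same password stored with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256, assumed here as the replacement) cannot be found in any table built in advance.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for the coverage of a rainbow table.
CANDIDATES = ["password", "123456", "letmein", "admin2009", "Typo3rocks"]


def build_unsalted_table(candidates):
    """Precompute MD5 once per candidate. This is the reusable work a
    rainbow table amortises over every unsalted hash it is applied to."""
    return {hashlib.md5(c.encode()).hexdigest(): c for c in candidates}


def lookup_unsalted(table, md5_hex):
    """Return the plaintext if the hash is covered by the table, else None."""
    return table.get(md5_hex.lower())


def hash_salted(password, salt, iterations=100_000):
    """Per-user random salt plus a slow KDF. The salt makes precomputed
    tables useless (one would be needed per salt value); the iteration
    count makes on-the-fly guessing expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_salted(password, salt, stored_digest):
    """Constant-time comparison of a login attempt against the stored digest."""
    return hmac.compare_digest(hash_salted(password, salt), stored_digest)


def demo():
    table = build_unsalted_table(CANDIDATES)

    # Unsalted MD5 of a weak admin password, as the affected CMS stored it.
    leaked = hashlib.md5(b"admin2009").hexdigest()
    recovered = lookup_unsalted(table, leaked)          # "admin2009"

    # Same password stored with a 16-byte random salt: a table keyed on
    # unsalted MD5 never contains the salted digest.
    salt = os.urandom(16)
    stored = hash_salted("admin2009", salt)
    salted_md5 = hashlib.md5(salt + b"admin2009").hexdigest()
    still_covered = lookup_unsalted(table, salted_md5)  # None

    return recovered, still_covered, verify_salted("admin2009", salt, stored)
```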
Other sites such as milw0rm and GDataOnline offer similar hash cracking services for the various hash types in use, including Microsoft's NTLM and LM hashes and SHA1. In addition, freerainbowtables.com offers free rainbow tables to download for various types of hashes and passwords.
See also:
- Cheap cracks - Of rainbows and dictionaries, a heise Security feature.
- Typo3 hole allows access to arbitrary files, a heise Security report.
- Typo3 hack on German Interior Minister's web site, a heise Security report.
(djwm)