In association with heise online

13 February 2009, 11:49

Typo3 hole leads to boom in hash cracking


The operators of the site have recorded a "boom" in people using the online service to crack MD5 hashes. Over the course of two days, the number of accesses rose tenfold. It's presumed that this increase is connected with the recently disclosed critical vulnerability in the Typo3 content management system. If an attacker uses the vulnerability to obtain the hashed version of an administration password, the site may be able to give them the plain text version of the password, allowing them to take over a site. A number of sites have been attacked in this way, including the site of the German interior minister.

Adjusted access statistics showing a rapid growth in use

Since the hashes in Typo3 did not use a salt (a random set of characters added to the password before hashing, so that precomputed tables cannot be reused against every stored hash), the passwords can be determined using rainbow tables within anything from a matter of minutes to a few days. Rainbow tables' ability to reveal an unsalted password depends on the range of characters and the length of the password. The longer the password, the bigger the table, up to a size of several hundred gigabytes. The creation of rainbow tables can take many months on specialised hardware, but once created, they can be applied to all unsalted hashes.

Other sites such as milw0rm and GDataOnline offer such hash cracking services for the various hash types used, including Microsoft's NTLM and LM hashes and SHA1. For example, offers free rainbow tables to download for various types of hashes and passwords.
