Show Notes

189 - Compromising Azure, Password Verification Fails, and Readline Crime

Some malformed hashes will “validate” with any value compared using password_verify. This is due to an old hack in PHP’s Blowfish implementation where a malformed hash with a $ character in the salt segment result in an early break and bad following logic.

A bug in the readline library used in this case by chfn (change finger). They noticed that readline could take an INPUTRC environment variable for configuration data, which would get parsed line-by-line. What’s interesting is if the parser encountered an error, it would dump the contents of that line to error. Lines that would cause errors include lines that start with quotations but don’t have a terminating one, lines that start with a colon but have no whitespaces or nulls, or most notably lines that don’t contain spaces or colons. The final case could be used to leak any PEM-encoded data like SSH keys, or in the POCs case, /etc/shadow contents.

A vulnerability in haproxy’s HTTP header parsing due to accepting empty header field names. The HPACK and QPACK decoders use a null field name to terminate the end of a list of headers. By intentionally passing a null field name, you can potentially get headers dropped from making their way to the backend, including host, upgrade, content length, transfer encoding, or other sensitive headers. HTTP2 and HTTP3 are mitigated due to the lack of using things like content length or transfer encoding, and effectively it’s as if the client just never sent those headers. On HTTP1 though, this could be leveraged to trigger a smuggling scenario.