189 - Compromising Azure, Password Verification Fails, and Readline Crime
Some malformed hashes will “validate” against any value compared with password_verify. This is due to an old hack in PHP’s Blowfish implementation: a malformed hash with a $ character in the salt segment results in an early break and bad logic following it.
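The practical defence on the application side is to refuse to call password_verify at all on a stored hash that is not structurally a bcrypt string, so a corrupted or tampered record can never “validate”. The following is an added example written for these notes, not code from the episode or from PHP: it checks the standard bcrypt shape (a $2a/$2b/$2x/$2y prefix, a two-digit cost, then 22 salt and 31 digest characters drawn only from bcrypt’s ./A-Za-z0-9 alphabet) and flags anything else, including a $ inside the salt segment. The sample hash values below are constructed for illustration and are not claimed to correspond to any particular password.

```python
import re

# Strict shape of a modern bcrypt string (assumption: the $2a/$2b/$2x/$2y
# variants only; cost is two decimal digits; salt+digest is 53 characters
# from bcrypt's own base64 alphabet, which does NOT include '$').
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

def is_well_formed_bcrypt(stored: str) -> bool:
    """Return True only when `stored` is a structurally valid bcrypt string.

    This is a pre-check to run before password_verify(); it treats any
    deviation (wrong alphabet, wrong length, '$' in the salt, bad cost) as
    a corrupt record rather than something to hand to the verifier.
    """
    m = BCRYPT_RE.fullmatch(stored)
    if m is None:
        return False
    cost = int(m.group(1))
    return 4 <= cost <= 31  # bcrypt's documented cost range

def find_malformed(stored_hashes):
    """Return the subset of `stored_hashes` that must not be verified."""
    return [h for h in stored_hashes if not is_well_formed_bcrypt(h)]

# Constructed samples: the first has the standard shape; the second has a
# '$' replacing one salt character, the pattern the episode describes.
SALT = "N9qo8uLOickgx2ZMRZoMye"            # 22 chars
DIGEST = "IjZAgcfl7p92ldGxad68LJZdL17lhWy" # 31 chars
GOOD_HASH = "$2y$10$" + SALT + DIGEST
DOLLAR_IN_SALT = "$2y$10$" + SALT[:11] + "$" + SALT[12:] + DIGEST
TRUNCATED = GOOD_HASH[:-5]
BAD_COST = "$2y$03$" + SALT + DIGEST

if __name__ == "__main__":
    for h in [GOOD_HASH, DOLLAR_IN_SALT, TRUNCATED, BAD_COST, ""]:
        print(f"{'ok ' if is_well_formed_bcrypt(h) else 'BAD'} {h!r}")
```

Running the module prints one line per sample; only the well-formed hash is marked ok. In a real login path the malformed cases should be logged and treated as a failed login, never passed to password_verify.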
A bug in the readline library, used in this case by chfn (change finger). They noticed that readline could take an INPUTRC environment variable for its configuration data, which gets parsed line by line. What’s interesting is that if the parser encountered an error, it would dump the contents of that line to the error output. Lines that cause errors include lines that start with a quotation mark but have no terminating one, lines that start with a colon but contain no whitespace or nulls, or, most notably, lines that contain no spaces or colons at all. The final case could be used to leak any PEM-encoded data such as SSH keys, or in the PoC’s case,
A vulnerability in HAProxy’s HTTP header parsing due to accepting empty header field names. The HPACK and QPACK decoders use a null field name to mark the end of a list of headers, so by intentionally passing a null field name you can potentially get headers dropped before they reach the backend, including Host, Upgrade, Content-Length, Transfer-Encoding, or other sensitive headers. HTTP/2 and HTTP/3 are mitigated because they don’t rely on Content-Length or Transfer-Encoding for framing; effectively it’s as if the client never sent those headers. On HTTP/1, though, this could be leveraged to trigger a request smuggling scenario.
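To make the failure mode concrete, here is an added example (written for these notes, not HAProxy’s code) that models the two decoder behaviours side by side: a lenient header-list decoder that treats an empty field name as the end-of-list marker, and a strict one that treats it as a protocol error. A small HTTP/1 header-line parser shows where the strict check belongs at the front door. The header block below is a constructed sample; the header names and values are illustrative only.

```python
class MalformedHeaderBlock(ValueError):
    """Raised when a header block violates the grammar (here: empty name)."""

def decode_headers_lenient(fields):
    """Model of the behaviour the episode describes: an empty field name is
    taken as the end-of-list sentinel, so every header after it is dropped."""
    out = []
    for name, value in fields:
        if name == "":
            break                      # sentinel reached: rest is discarded
        out.append((name.lower(), value))
    return out

def decode_headers_strict(fields):
    """Hardened variant: an empty name is never a terminator, it is an error."""
    out = []
    for name, value in fields:
        if name == "":
            raise MalformedHeaderBlock("empty header field name")
        out.append((name.lower(), value))
    return out

def parse_http1_header_lines(block: str):
    """Split a raw HTTP/1 header block into (name, value) pairs.

    Rejects lines with an empty field name so the sentinel value can never
    be produced from client input in the first place (the fix the episode
    implies: do not accept empty header field names at the parser).
    """
    fields = []
    for line in block.split("\r\n"):
        if line == "":
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise MalformedHeaderBlock(f"missing ':' in header line {line!r}")
        if name.strip() == "":
            raise MalformedHeaderBlock("empty header field name")
        fields.append((name.strip(), value.strip()))
    return fields

def dropped_headers(fields):
    """Names present on the wire that the lenient decoder would never forward."""
    kept = {n for n, _ in decode_headers_lenient(fields)}
    return sorted({n.lower() for n, _ in fields if n} - kept)

# Constructed sample: the framing headers sit AFTER the empty-name entry,
# which is exactly the case where a lenient decoder loses them.
SAMPLE_FIELDS = [
    ("Host", "app.example"),
    ("", ""),
    ("Content-Length", "13"),
    ("Transfer-Encoding", "chunked"),
]

SAMPLE_RAW = "Host: app.example\r\n: \r\nContent-Length: 13\r\n"

if __name__ == "__main__":
    print("lenient keeps :", decode_headers_lenient(SAMPLE_FIELDS))
    print("silently lost :", dropped_headers(SAMPLE_FIELDS))
    try:
        decode_headers_strict(SAMPLE_FIELDS)
    except MalformedHeaderBlock as e:
        print("strict rejects:", e)
    try:
        parse_http1_header_lines(SAMPLE_RAW)
    except MalformedHeaderBlock as e:
        print("parser rejects:", e)
```

The lenient decoder forwards only Host and silently loses Content-Length and Transfer-Encoding, which is why a frontend and backend can end up disagreeing about where a request body ends on HTTP/1. The strict decoder and the strict line parser both fail closed, which is the behaviour to look for when reviewing any proxy or framework that builds a header list from untrusted input.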