DOS exploit #37

Open
Tostino opened this issue Jan 26, 2023 · 2 comments
Comments

@Tostino
Tostino commented Jan 26, 2023

Hey, just wanted to let you know I've gotten reports from users of my library, Nbvcxz, who are getting a DOS every so often from specifically crafted passwords.

I even found a tool created by a government contractor used for issuing a DOS against programs using libraries containing the vulnerable (to combination explosion) algorithms from the original zxcvbn implementation:

I've solved this by implementing a maxLength-type configuration, but that isn't totally done yet, as I feel like I still need to have it do dictionary checks against the full-length password without any transformations. Working on finishing that feature and putting out a release. I just wanted to mention it to you, since this is also often run server-side rather than client-side.

@formigarafa
formigarafa commented Jan 26, 2023

Confirmed! Time grows polynomially, O(n^c), in relation to the size of the password, as you mention in your tests.

[14] pry(main)> $ Zxcvbn

From: /home/me/.asdf/installs/ruby/2.5.9/lib/ruby/gems/2.5.0/gems/zxcvbn-ruby-1.2.0/lib/zxcvbn.rb:5
Module name: Zxcvbn
Number of lines: 16

module Zxcvbn
  extend self

  DATA_PATH = Pathname(File.expand_path('../../data', __FILE__))

  # Returns a Zxcvbn::Score for the given password
  #
  # Example:
  #
  #   Zxcvbn.test("password").score #=> 0
  def test(password, user_inputs = [], word_lists = {})
    tester = Tester.new
    tester.add_word_lists(word_lists)
    tester.test(password, user_inputs)
  end
end
[15] pry(main)> Benchmark.realtime { Zxcvbn.test "4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/" }
=> 2.2909809999982826
[16] pry(main)> Benchmark.realtime { Zxcvbn.test "4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/" * 2 }
=> 9.578882999994676

Thank you for letting people know, @Tostino 😊

If you don't mind I would really appreciate it if you could drop a copy of this note on formigarafa/zxcvbn issues.

Update:
Improved processing time, now linear O(n) instead of polynomial O(n^c), on formigarafa/zxcvbn; released new version 0.1.9 of the zxcvbn gem.
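
The mitigation discussed in this thread (a maxLength cap in front of the expensive matcher, plus an untransformed dictionary check on the full-length password) as an added illustration; this is not code from zxcvbn-ruby, formigarafa/zxcvbn or Nbvcxz. The estimator below is a constructed stand-in that only records how much work it would do (modelled as n^2, to make the bound visible), MAX_LENGTH is an assumed value, and the four-entry dictionary is constructed.

```ruby
# Added example: a maxLength guard around a password-strength estimator.
# Not the real zxcvbn code; the estimator and dictionary are constructed stand-ins.
require 'set'

MAX_LENGTH = 72 # assumed cap; a real deployment chooses its own

# Constructed dictionary. Real implementations ship large frequency-ranked lists.
COMMON_PASSWORDS = Set.new(%w[password 123456 qwerty letmein]).freeze

# Stand-in for the expensive matcher. zxcvbn-style pattern matching is
# superlinear in password length; cost is modelled here as n^2 so that the
# effect of the cap is measurable without doing the real work.
def expensive_estimate(password)
  n = password.length
  { cost: n * n, matched_length: n }
end

# Guarded entry point:
#  1. exact dictionary lookup on the full, untransformed password: a single
#     hash lookup, so it is safe at any length and padding cannot bypass it;
#  2. only the first max_length characters reach the expensive matcher, so the
#     worst-case cost is bounded by max_length^2 regardless of input size.
def guarded_test(password, max_length: MAX_LENGTH)
  if COMMON_PASSWORDS.include?(password)
    return { cost: 1, matched_length: password.length,
             truncated: false, dictionary_hit: true }
  end
  head = password[0, max_length]
  expensive_estimate(head).merge(truncated: password.length > max_length,
                                 dictionary_hit: false)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input built from the sample string in this thread, 10,000 chars.
  long = '4@8({[</369&#!1/|0$5+7%2/' * 400
  p guarded_test(long)       # cost stays at 72*72 = 5184, truncated: true
  p guarded_test('password') # dictionary_hit: true, cost: 1
end
```

The trade-off is that characters beyond the cap never influence the pattern score; the full-length dictionary lookup is what keeps a long dictionary entry from being scored as strong because its prefix happens to look random.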

@Tostino
Tostino commented Jan 26, 2023

No problem, will make a similar report over there. I've been trying to hit all the major forks with relevant issues today.
