Comments (9)
Please use {n2o,[{pickler,n2o_secure}]} in sys.config for enabling AES-CBC/RIPEMD pickling.
By default N2O uses transparent proxy model.
from n2o.
Thanks :) I missed this.
Looking at the crypto it seems to be broken.
-
you use crypto:hash with a MD hash function with the secret as the prefix. this allows for hash extension attacks. (http://en.wikipedia.org/wiki/Length_extension_attack). This allows an attacker to add arbitrary encrypted blocks to the end of the message and it will still verify.
-
you have the IV specified in the message and don't calculate the MAC over the IV. CBC decryption of the first block is done by: P0 = D(C0) xor IV. The attacker is able to supply an arbitrary IV of their choice. So if attacker knows P0 (likely because we are using fixed message formats) then the attacker can set IV' = IV xor P0 xor P0' then you will calculate.
D(C0) xor IV'
= (IV xor P0) xor (IV xor P0 xor P0')
= P0'
So attacker is able to set the first block of the cipher to a P0' one of their choice. I don't think this is enough for RCE but you should be able to DoS the server by flooding the atom table. You can see this attack here: http://imgur.com/a/m2uhJ#0
from n2o.
@benmmurphy see #64 - does that seem correct now?
from n2o.
you should use crypto:hmac instead of crypto:hash
from n2o.
Hmm that makes sense. @5HT can you do that?
from n2o.
I did change to hmac. I want to thank you @benmmurphy for your effort to make n2o better.
As for atom table flooding I made [safe] binary_to_term depickling.
Now it looks like:
Signature = crypto:hmac(sha256,Key,<<Cipher/binary,IV/binary,Key/binary>>),
{D,_T} = binary_to_term(crypto:block_decrypt(aes_cbc128,Key,IV,Cipher),[safe]),
Also would be good to check the calling module is in application modules (app.src) in n2o_bullet.
Thanks for contributing.
from n2o.
I'm closing if everything is ok now?
from n2o.
looks good. you shouldn't need to add Key at the end of the hmac signature but i don't think it effects the security of the construct.
Signature = crypto:hmac(sha256,Key,<<Cipher/binary,IV/binary,Key/binary>>),
Signature = crypto:hmac(sha256,Key,<<Cipher/binary,IV/binary>>),
from n2o.
Thanks again :)
from n2o.
Related Issues (20)
- Fire event on keypress/keydown HOT 4
- Apps couldn't be loaded: [kvs,mnesia] HOT 2
- question - Machine specs for the wrk benchmark? HOT 1
- n20 book link is broken on readme
- no function clause matching lists:flatten HOT 1
- no function clause matching lists:flatten HOT 5
- Change ws.send to wsn.send in all JS and NITRO renderers HOT 1
- bert.js int_to_bytes("true") causes node/v8 to crash
- bert.js decode error on the server: badarg HOT 1
- call to an undefined module ? HOT 1
- Автор наркоман HOT 1
- xhr.js has been deleted HOT 2
- Fails on basic setup HOT 1
- N2O to support latest Cowboy 2.x HOT 6
- Update n2o_mqtt to support EMQ X 3.x
- Adjust n2o_ring:send for IoT project
- Support TCP Connections
- n2o crash at startup: HOT 5
- from or form in record #cx ? HOT 4
- There is no samples folder inside n2o HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from n2o.