- Subject: Hash Table Collisions (n.runs-SA-2011.004)
- From: fredrik danerklint <fredan-lua@...>
- Date: Thu, 29 Dec 2011 18:37:37 +0100
Hi!
I would like to know if Lua is vulnerable to this hash collision that
was presented at CCC yesterday.
Slashdot article:
http://developers.slashdot.org/story/11/12/29/1352219/microsoft-issuing-unusual-out-of-band-security-update
The presentation on youtube:
http://www.youtube.com/watch?v=R2Cq3CLI6H8
And the information about this:
http://packetstormsecurity.org/files/108209/n.runs-SA-2011.004.txt
Overview:
Hash tables are a commonly used data structure in most programming
languages. Web application servers or platforms commonly parse
attacker-controlled POST form data into hash tables automatically, so
that they can be accessed by application developers.
If the language does not provide a randomized hash function or the
application server does not recognize attacks using multi-collisions, an
attacker can degenerate the hash table by sending lots of colliding
keys. The algorithmic complexity of inserting n elements into the table
then goes to O(n**2), making it possible to exhaust hours of CPU time
using a single HTTP request.
They did mention that Lua could be vulnerable to this kind of an attack
at the end of the presentation, so I would like to know if it is or not.
--
//fredan
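
The quadratic insertion cost described in the quoted overview, and the effect of a randomized hash function, shown as an added example that is not part of the original message and not Lua's own code. It is a toy chaining table in Python; `weak_hash`, the bucket count and the anagram keys are constructed for illustration and do not model Lua's string hash.

```python
import hashlib
import os
from itertools import permutations


class ChainedTable:
    """Fixed-size separate-chaining table that counts key comparisons."""

    def __init__(self, hash_fn, buckets=1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (existing, _) in enumerate(chain):
            self.comparisons += 1          # one comparison per chain entry walked
            if existing == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def weak_hash(key: bytes) -> int:
    # Constructed, unseeded toy hash (byte sum): every anagram of a key collides.
    return sum(key)


def make_seeded_hash(seed: bytes):
    # Keyed hash: without the per-process seed, bucket placement is unpredictable.
    def seeded(key: bytes) -> int:
        digest = hashlib.blake2b(key, key=seed, digest_size=8).digest()
        return int.from_bytes(digest, "little")
    return seeded


def insertion_cost(hash_fn, keys):
    table = ChainedTable(hash_fn)
    for key in keys:
        table.insert(key, True)
    return table.comparisons


def demo():
    # Constructed input: the 720 anagrams of "abcdef", all equal under weak_hash.
    keys = [bytes(p) for p in permutations(b"abcdef")]
    weak = insertion_cost(weak_hash, keys)
    seeded = insertion_cost(make_seeded_hash(os.urandom(16)), keys)
    return len(keys), weak, seeded


if __name__ == "__main__":
    n, weak, seeded = demo()
    print(f"{n} keys: {weak} comparisons unseeded, {seeded} with a seeded hash")
```

With the unseeded hash every key lands in one chain, so n inserts cost n(n-1)/2 comparisons; with the seeded hash the same keys spread across buckets and the count stays close to linear in n.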