DOS exploit

[Tostino]

Hey, just wanted to let you know I've gotten reports from users of my library: Nbvcxz that are getting a DOS every so often by specifically crafted passwords.

I even found a tool created by a government contractor used for issuing a DOS against programs using libraries containing the vulnerable (to combination explosion) algorithms from the original zxcvbn implementation:

• https://github.com/twosixlabs/acsploit
• acsploit GoSimpleLLC/nbvcxz#60

I've solved this by implementing a maxLength type configuration...but that isn't totally done yet as I feel like I still need to have it do dictionary checks against the full-length password without any transformations. Working on finishing that feature and putting out a release. I just wanted to mention it to you, since this is also often run server-side rather than client-side.

[formigarafa]

Confirmed! With polynomial growth of time O(n^c) in relation to the size of the password as you mention on your tests.

[14] pry(main)> $ Zxcvbn

From: /home/me/.asdf/installs/ruby/2.5.9/lib/ruby/gems/2.5.0/gems/zxcvbn-ruby-1.2.0/lib/zxcvbn.rb:5
Module name: Zxcvbn
Number of lines: 16

module Zxcvbn
  extend self

  DATA_PATH = Pathname(File.expand_path('../../data', __FILE__))

  # Returns a Zxcvbn::Score for the given password
  #
  # Example:
  #
  #   Zxcvbn.test("password").score #=> 0
  def test(password, user_inputs = [], word_lists = {})
    tester = Tester.new
    tester.add_word_lists(word_lists)
    tester.test(password, user_inputs)
  end
end
[15] pry(main)> Benchmark.realtime { Zxcvbn.test "4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/" }
=> 2.2909809999982826
[16] pry(main)> Benchmark.realtime { Zxcvbn.test "4@8({[</369&#!1/|0$5+7%2/4@8({[</369&#!1/|0$5+7%2/" * 2 }
=> 9.578882999994676

Thank you for letting people know, @Tostino 😊

If you don't mind I would really appreciate it if you could drop a copy of this note on formigarafa/zxcvbn issues.

Update:
Improved process time, now linear O(n) instead of polynomial O(n^c) on formigarafa/zxcvbn released new version 0.1.9 of zxcvbn gem

[Tostino]

No problem, will make a similar report over there. I've been trying to hit all the major forks with relevant issues today.