A webshell and a normal file that have the same MD5 (opens in new tab)

(github.com)

98 pointsshlomo_z6mo ago47 comments

47 comments

Proof of Concept or GTFO issue 0x14 is a PDF document file that can also be run as a NES ROM. The file will display its own MD5 hash in a PDF viewer, and also displays its own MD5 hash in a NES emulator (only first 40KB+16 bytes are actually loaded there)

https://github.com/angea/pocorgtfo#0x14

And yes, documents are not normally supposed to be able to display their own MD5 hash.

Retr0id6mo ago

I made https://github.com/DavidBuchanan314/monomorph, which packs up to 4KB of shellcode into an executable that always has the same hash. So you're not just limited to a good/evil pair, you can arbitrarily change the behaviour in future without changing the hash.

Also, a more recent innovation in MD5 collisions is textcoll, which creates colliding blocks that are completely plaintext. This would allow for colliding PHP source files like in OP but without any obvious binary artefacts (although this requires identical prefixes).

https://github.com/cr-marcstevens/hashclash?tab=readme-ov-fi...

magicalhippo6mo ago

Not only is MD5 broken as shown here, if you have a modern CPU it's also quite slow compared to good, non-broken alternatives. See for example this comparison[1] (post says JavaScript but it's actually OpenSSL's implementation that's actually tested).

[1]: https://lemire.me/blog/2025/01/11/javascript-hashing-speed-c...

gruez6mo ago

I only see new CPUs benchmarked, maybe that's because newer CPUs have SHA acceleration extensions? I'd expect SHA256 to be more complex and therefore be more computationally expensive.

sltkr6mo ago

Yes, SHA256 is faster than MD5 only if you have hardware accelleration. But SHA256 itself is pretty slow compared to the state of the art. For example, BLAKE3 is just as secure as SHA256 but an order of magnitude faster.

Try this on your own system:

    $ head -c 1000000000 /dev/urandom > random-1gb
    
    $ time md5sum random-1gb 
    ef72a3616aad5117ddf40a7d5f5d0162  random-1gb
    
    real 0m2.428s
    user 0m2.192s
    sys 0m0.202s
    
    $ time sha256sum random-1gb 
    ec7d7f31c4489acae8328fddbe54157f1cb9e97b220ef502a07e1f9230969310  random-1gb
    
    real 0m3.894s
    user 0m3.697s
    sys 0m0.181s
    
    $ time b3sum random-1gb 
    11fe11cc5721faf65369d18893d7b7631f6178b4692bc0bb03b1b180273cd384  random-1gb
    
    real 0m0.282s !!!
    user 0m0.876s
    sys 0m0.124s
    
    $ time b3sum --num-threads=1 random-1gb 
    11fe11cc5721faf65369d18893d7b7631f6178b4692bc0bb03b1b180273cd384  random-1gb
    
    real 0m0.597s
    user 0m0.488s
    sys 0m0.107s

This is on an old Chromebook with Intel(R) Core(TM) m3-6Y30 CPU @ 0.90GHz CPU (dual core, but with hyperthreading). Note that even using only a single thread (which SHA256 and MD5 are limited to by their design), BLAKE3 is 6x as fast as SHA256 and 4x as fast as MD5.

2 more replies

adrian_b6mo ago

Hardware SHA-1 and SHA-256 are now supported by many CPUs, many of which are already older than a decade, i.e. almost all 64-bit ARM-based CPUs, all AMD Zen, many generations of Intel Atom and the Intel Core CPUs starting with Ice Lake.

The only CPUs still likely to be in use and without SHA support are the Intel Core CPUs until and including the Skylake derivatives (i.e. up to Comet Lake, i.e. up to 6 years ago).

The Intel Atoms have received SHA support many years before Intel Core, because they competed with ARM, which already had such support.

The support in Intel Core has been added due to AMD Zen, but the products with it have been delayed by the failure of Intel to achieve acceptable fabrication yields in their 10-nm CMOS process, before 2019/2020.

andreareina6mo ago

The normal file doesn't look that normal

o11c6mo ago

Keep in mind that the stated use is cache-poisoning of automated scanners, not fooling humans.

slow_typist6mo ago

Humans have to put the so called php-file on the server intentionally for any subsequent attack to work. But it is a binary file.

1 more reply

Incipient6mo ago

The idea here is you can trigger a server to run the "safe" php file, then send it the webshell version, which passes hash based scanning?

chipsrafferty6mo ago

Yes, but you'd need a situation where:

1. You can upload scripts that get scanned for malicious code 2. These scripts can be executed once deemed "safe" 3. The server is using MD5 hashes to determine if you uploaded the same file or if it should re-scan it

3. Is where the issue is. It should probably always re-scan it and it definitely should not be using MD5.

falcor846mo ago

>The server is using MD5 hashes to determine if you uploaded the same file or if it should re-scan it

Wouldn't the sensible thing for a server that gets an upload matching an existing file's hash be to just treat it as an idempotent no-op? What reason would it have to replace the old version with a presumably identical copy? What am I missing?

1 more reply

szszrk6mo ago

Is there any fairly popular software that still uses md5 in this context?

Most I've seen (sec scans, backup validation/dedup etc) pushed to phase out md5 very long time ago.

1 more reply

IshKebab6mo ago

There's no need to rescan. You just need to use a secure hash.

1 more reply

sim7c006mo ago

the safe file is not a valid php file? it might be executed if php is like javascript ignorning valid chars, but i doubt something actually 'looking at it' would accept it as benign or valid.

dsab6mo ago

It's a pity that there is no description of what it is supposed to be used for.

lisper6mo ago

If you don't know, then you aren't the target audience.

But there are two applications: the first is breaking in to a system under some very obscure set of circumstances that you are very unlikely to encounter in the real world. The second is to bump up your karma on HN.

bawolff6mo ago

> If you don't know, then you aren't the target audience.

If you do know, then you also know md5 being broken is really really old news.

Seriously. Cryptographers have been warning that md5 seems weak since 1996. There are probably people reading this thread who weren't even alive yet. (It got totally broken in 2004 but the warning signs were way earlier).

1 more reply

alkonaut6mo ago

> system under some very obscure set of circumstances that you are very unlikely to encounter in the real world.

Is there any way to use HN karma? Like, can I sell my account on some shady exchange like people sell big twitter accounts? And if I can, what's the going rate for internet points these days? Asking for an unscrupulous friend.

1 more reply

integralid6mo ago

After, sometimes, the initial scanning, the security and AV industry deals with file hashes, not actual files. This means that if you wrote a legitimate, harmful program, and a malicious version with the same hash, you would be able to troll the security rolls in many cases. Basically, those two files would look the same to the security program.

The thing that makes this blog post not realistic is:

* Such tricks would make much more sense with normal programs, where you're trying to trick an user to download and execute it. Webshells are downloaded by the attacker knowingly.

* Md5 is not used anymore (although I know security vendors who used it for embarrassingly long time). If this was SHA256, that attack would be devastating for many more severe reasons.

But it's still a fun PoC.

chipsrafferty6mo ago

Because there's unlikely to be a use case

h4ck_th3_pl4n3t6mo ago

The answer is likely wordpress, because its default wp_hash algorithm is still MD5.

0points6mo ago

> The answer is likely wordpress, because its default wp_hash algorithm is still MD5.

That's only true if you ignore all the details.

As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.

WP uses salt and multiple rounds of hashing, fully mitigating the md5 collisions being topic of discussion here.

So no, wp doesn't "use md5" in the sense that they would be vulnerable to this type of attack.

Source: https://developer.wordpress.org/reference/functions/wp_hash_...

4 more replies

IshKebab6mo ago

It says at the end of the README:

> Can use it bypass some cached webshell detections.

sim7c006mo ago

honestly, normal.php is not a valid php file. i do understand that it might bypass some checks if say normal.php was somehow flagged as a valid / benign file but in all honesty that would be really bad sec product u wanna swap with something that more intelligently classifies files... additionally, most products these days also use sha1, sha2 and sometimes things like ssdeep to have multiple hash variants to check. this ensures that any collisions will be mitigated as it's not known yet to make 1 file match on all of these different types of hashes, despite collisions being possible in a number of them for sure.

if normal.php had actual php code in there, being really 'normal' as the name implies, this would be much more severe / interesting because it might be more easy to convince modern security products it's actually a benign file.

Currently if it would be analysed, it would be flagged as suspicious simply because its not a valid file. and really, it dont need to be php, it could be any valid file format as long as it's an actually file that has benign behavior or contents.

plaintext might be easier to generate, but you'd need it to be 'executable' format or something interpretable like a script to have it actually stored in databases marking files as malicious or benign. matching filetype with the malicious file, in a valid form that does actual benign behavior would be 'best'.

don't take me wrong tho. still fun to see these things and honestly props, if it bypasses anything that's always a 'nice result' :)

Blahagun6mo ago

normal.php is a perfectly valid php file. Sure, it doesn't contain php code but that doesn't make it invalid php file. If it did have <?php somewhere and if the following wasn't a syntactically valid PHP code, then you could say it's not a valid php file.

sim7c006mo ago

yeah ok fair point. from the interpreter perspective. but that is not the tool which checks security. in that context validity is determined by another tool, which will look beyond merely being interpretable by the php interpreter.

its funny often web basted languages have this property tho , i mean, how else you gonna poison logs and execute them :')... js and php are just adorable for providing opportunities :D

j / k navigate · click thread line to collapse

47 comments

Dwedit6mo ago

https://github.com/angea/pocorgtfo#0x14

And yes, documents are not normally supposed to be able to display their own MD5 hash.

Retr0id6mo ago

https://github.com/cr-marcstevens/hashclash?tab=readme-ov-fi...

magicalhippo6mo ago

[1]: https://lemire.me/blog/2025/01/11/javascript-hashing-speed-c...

gruez6mo ago

I only see new CPUs benchmarked, maybe that's because newer CPUs have SHA acceleration extensions? I'd expect SHA256 to be more complex and therefore be more computationally expensive.

sltkr6mo ago

Try this on your own system:

    $ head -c 1000000000 /dev/urandom > random-1gb
    
    $ time md5sum random-1gb 
    ef72a3616aad5117ddf40a7d5f5d0162  random-1gb
    
    real 0m2.428s
    user 0m2.192s
    sys 0m0.202s
    
    $ time sha256sum random-1gb 
    ec7d7f31c4489acae8328fddbe54157f1cb9e97b220ef502a07e1f9230969310  random-1gb
    
    real 0m3.894s
    user 0m3.697s
    sys 0m0.181s
    
    $ time b3sum random-1gb 
    11fe11cc5721faf65369d18893d7b7631f6178b4692bc0bb03b1b180273cd384  random-1gb
    
    real 0m0.282s !!!
    user 0m0.876s
    sys 0m0.124s
    
    $ time b3sum --num-threads=1 random-1gb 
    11fe11cc5721faf65369d18893d7b7631f6178b4692bc0bb03b1b180273cd384  random-1gb
    
    real 0m0.597s
    user 0m0.488s
    sys 0m0.107s

2 more replies

adrian_b6mo ago

The only CPUs still likely to be in use and without SHA support are the Intel Core CPUs until and including the Skylake derivatives (i.e. up to Comet Lake, i.e. up to 6 years ago).

The Intel Atoms have received SHA support many years before Intel Core, because they competed with ARM, which already had such support.

andreareina6mo ago

The normal file doesn't look that normal

o11c6mo ago

Keep in mind that the stated use is cache-poisoning of automated scanners, not fooling humans.

slow_typist6mo ago

Humans have to put the so called php-file on the server intentionally for any subsequent attack to work. But it is a binary file.

1 more reply

Incipient6mo ago

The idea here is you can trigger a server to run the "safe" php file, then send it the webshell version, which passes hash based scanning?

chipsrafferty6mo ago

Yes, but you'd need a situation where:

3. Is where the issue is. It should probably always re-scan it and it definitely should not be using MD5.

falcor846mo ago

>The server is using MD5 hashes to determine if you uploaded the same file or if it should re-scan it

1 more reply

szszrk6mo ago

Is there any fairly popular software that still uses md5 in this context?

Most I've seen (sec scans, backup validation/dedup etc) pushed to phase out md5 very long time ago.

1 more reply

IshKebab6mo ago

There's no need to rescan. You just need to use a secure hash.

1 more reply

sim7c006mo ago

the safe file is not a valid php file? it might be executed if php is like javascript ignorning valid chars, but i doubt something actually 'looking at it' would accept it as benign or valid.

dsab6mo ago

It's a pity that there is no description of what it is supposed to be used for.

lisper6mo ago

If you don't know, then you aren't the target audience.

bawolff6mo ago

> If you don't know, then you aren't the target audience.

If you do know, then you also know md5 being broken is really really old news.

1 more reply

alkonaut6mo ago

> system under some very obscure set of circumstances that you are very unlikely to encounter in the real world.

1 more reply

integralid6mo ago

The thing that makes this blog post not realistic is:

* Such tricks would make much more sense with normal programs, where you're trying to trick an user to download and execute it. Webshells are downloaded by the attacker knowingly.

* Md5 is not used anymore (although I know security vendors who used it for embarrassingly long time). If this was SHA256, that attack would be devastating for many more severe reasons.

But it's still a fun PoC.

chipsrafferty6mo ago

Because there's unlikely to be a use case

h4ck_th3_pl4n3t6mo ago

The answer is likely wordpress, because its default wp_hash algorithm is still MD5.

0points6mo ago

> The answer is likely wordpress, because its default wp_hash algorithm is still MD5.

That's only true if you ignore all the details.

As usual, you cannot make a coherent understanding on just about any subject by reading headlines alone. Life would have taught you by now that the devil is in the details.

WP uses salt and multiple rounds of hashing, fully mitigating the md5 collisions being topic of discussion here.

So no, wp doesn't "use md5" in the sense that they would be vulnerable to this type of attack.

Source: https://developer.wordpress.org/reference/functions/wp_hash_...

4 more replies

IshKebab6mo ago

It says at the end of the README:

> Can use it bypass some cached webshell detections.

sim7c006mo ago

don't take me wrong tho. still fun to see these things and honestly props, if it bypasses anything that's always a 'nice result' :)

Blahagun6mo ago

sim7c006mo ago

its funny often web basted languages have this property tho , i mean, how else you gonna poison logs and execute them :')... js and php are just adorable for providing opportunities :D

j / k navigate · click thread line to collapse