fix: switch to SHA1 and add a try/catch block on acl inheritance hash…

…ing (#172) * fix: switch to MD5 and add a try/catch block on acl inheritance hashing * chore: add missing inheritancehash value for owns * chore: switch to bitconverter for perf
BloodHoundAD · Oct 17, 2024 · 2343b28 · 2343b28
1 parent 37ba516
commit 2343b28
Showing 1 changed file with 22 additions and 12 deletions.
diff --git a/src/CommonLib/Processors/ACLProcessor.cs b/src/CommonLib/Processors/ACLProcessor.cs
@@ -135,17 +135,21 @@ internal static string CalculateInheritanceHash(string identityReference, Active
             string aceType, string inheritedObjectType) {
             var hash = identityReference + rights + aceType + inheritedObjectType;
             /*
-             * We're using MD5 because its fast and this data isn't cryptographically important.
+             * We're using SHA1 because its fast and this data isn't cryptographically important.
              * Additionally, the chances of a collision in our data size is miniscule and irrelevant.
+             * We cannot use MD5 as it is not FIPS compliant and environments can enforce this setting
              */
-            using (var md5 = MD5.Create()) {
-                var bytes = md5.ComputeHash(Encoding.UTF8.GetBytes(hash));
-                var builder = new StringBuilder();
-                foreach (var b in bytes) {
-                    builder.Append(b.ToString("x2"));
+            try
+            {
+                using (var sha1 = SHA1.Create())
+                {
+                    var bytes = sha1.ComputeHash(Encoding.UTF8.GetBytes(hash));
+                    return BitConverter.ToString(bytes).Replace("-", string.Empty).ToUpper();
                 }
-
-                return builder.ToString();
+            }
+            catch
+            {
+                return "";
             }
         }
 
@@ -209,8 +213,12 @@ public IEnumerable<string> GetInheritedAceHashes(byte[] ntSecurityDescriptor, st
                 //Lowercase this just in case. As far as I know it should always come back that way anyways, but better safe than sorry
                 var aceType = ace.ObjectType().ToString().ToLower();
                 var inheritanceType = ace.InheritedObjectType();
-
-                yield return CalculateInheritanceHash(ir, aceRights, aceType, inheritanceType);
+
+                var hash = CalculateInheritanceHash(ir, aceRights, aceType, inheritanceType);
+                if (!string.IsNullOrEmpty(hash))
+                {
+                    yield return hash;
+                }
             }
         }
 
@@ -256,15 +264,17 @@ public async IAsyncEnumerable<ACE> ProcessACL(byte[] ntSecurityDescriptor, strin
                         PrincipalType = resolvedOwner.ObjectType,
                         PrincipalSID = resolvedOwner.ObjectIdentifier,
                         RightName = EdgeNames.Owns,
-                        IsInherited = false
+                        IsInherited = false,
+                        InheritanceHash = ""
                     };
                 } else {
                     _log.LogTrace("Failed to resolve owner for {Name}", objectName);
                     yield return new ACE {
                         PrincipalType = Label.Base,
                         PrincipalSID = ownerSid,
                         RightName = EdgeNames.Owns,
-                        IsInherited = false
+                        IsInherited = false,
+                        InheritanceHash = ""
                     };
                 }
             }