Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) in alovoa/alovoa

Valid

Reported on

Jun 25th 2021


✍️ Description

Random.setSeed should not be called with a constant integer argument. If a Random object is seeded with a specific value, the values returned by Random.nextInt() and similar methods which return or assign values are predictable.

🕵️‍♂️ Proof of Concept

Vulnerable code at OxCaptcha.java:482:

    public void noiseStrokes(int strokes, float width) {
        RAND.setSeed(49);
        _img_g.setStroke(new BasicStroke(width));
        _img_g.setColor(_fg_color);
        for (int i = 0; i < strokes; i++) {
            Path2D.Double path = new Path2D.Double();
            path.moveTo(RAND.nextInt(_width), RAND.nextInt(_height));
            path.curveTo(RAND.nextInt(_width), RAND.nextInt(_height), RAND.nextInt(_width), RAND.nextInt(_height),
                    RAND.nextInt(_width), RAND.nextInt(_height));
            _img_g.draw(path);
        }
    }
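As an added example (not code from alovoa or from the report), the Java program below shows the effect described above: reseeding with the constant 49 before drawing makes each stroke's coordinates identical on every call and reproducible in a fresh `Random`, while a `SecureRandom` that is never reseeded does not repeat. The class name, helper methods and the 200x60 canvas size are assumptions for illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

public class NoiseSeedDemo {
    // Assumed canvas size for the demonstration; not taken from the project.
    static final int WIDTH = 200, HEIGHT = 60;

    // Mirrors the reported pattern: reseed with the constant 49, then draw
    // the 8 coordinates that one stroke uses (moveTo + curveTo).
    static int[] strokeCoordsConstantSeed(Random rand) {
        rand.setSeed(49);
        return drawCoords(rand);
    }

    // Hardened variant: no reseeding; the caller passes a SecureRandom,
    // which seeds itself from the platform entropy source.
    static int[] strokeCoordsUnseeded(Random rand) {
        return drawCoords(rand);
    }

    static int[] drawCoords(Random rand) {
        int[] c = new int[8];
        for (int i = 0; i < c.length; i += 2) {
            c[i] = rand.nextInt(WIDTH);
            c[i + 1] = rand.nextInt(HEIGHT);
        }
        return c;
    }

    public static void main(String[] args) {
        Random shared = new Random(); // stands in for a long-lived RAND field
        int[] first = strokeCoordsConstantSeed(shared);
        int[] second = strokeCoordsConstantSeed(shared);
        // A different Random object yields the same values from the seed alone.
        int[] fresh = strokeCoordsConstantSeed(new Random());
        System.out.println("call 1: " + Arrays.toString(first));
        System.out.println("call 2: " + Arrays.toString(second));
        System.out.println("identical across calls:  " + Arrays.equals(first, second));
        System.out.println("same in a fresh object:  " + Arrays.equals(first, fresh));

        Random secure = new SecureRandom();
        System.out.println("SecureRandom, call 1: " + Arrays.toString(strokeCoordsUnseeded(secure)));
        System.out.println("SecureRandom, call 2: " + Arrays.toString(strokeCoordsUnseeded(secure)));
    }
}
```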

poc.php

    #!/usr/bin/env php
    <?php

    // Print usage when the seed or the offset is missing.
    if($argc < 3)
    {
        print($argv[0] . ' <seed> <offset>' . "\n");
        print('' . "\n");
        print('Parameters:' . "\n");
        print('  seed:   Seed to initialize mt_rand() with' . "\n");
        print('  offset: Number of calls to mt_rand() before printing the first');
        print(' output' . "\n");
        print('' . "\n");
        print('Output:' . "\n");
        print('  <offset>\'s call to mt_rand() and <offset+227>\'s call');
        print(' to mt_rand()' . "\n");
        exit();
    }

    // Seed the generator with the supplied value, then discard <offset> outputs.
    mt_srand((int)$argv[1]);
    for($i=0;$i<(int)$argv[2];$i++)
        mt_rand();

    // Print this output and the one 227 calls later.
    print mt_rand() . " ";
    for($i=0;$i<226;$i++)
        mt_rand();
    print mt_rand() . "\n";

💥 Impact

This vulnerability is capable of...

Ziding Zhang
3 months ago

Admin


Hey Akshay, since I was not able to find a security policy or other method of contact, I've created an issue on the repo asking for a way to responsibly disclose this vulnerability. Waiting to hear back; good job!

Akshay Jain
3 months ago

Researcher


Thank you :)

We have contacted a member of the alovoa team and are waiting to hear back 3 months ago
Akshay Jain
2 months ago

Researcher


Hi Team, Any updates?

Nho Quy Dinh validated this vulnerability 2 months ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nho Quy Dinh confirmed that a fix has been merged on 744f8e 2 months ago
Nho Quy Dinh has been awarded the fix bounty
Ziding Zhang
2 months ago

Admin


There's your update haha! Congrats on the bounty 🎉

Akshay Jain
2 months ago

Researcher


Thank you @zhang 😆