Use of Predictable Algorithm in Random Number Generator in w7corp/easywechat

Valid

Reported on

Jun 29th 2021


✍️ Description

Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in security-sensitive context. This code uses the rand() function to generate "unique" identifiers for the receipt pages it generates. In this case the function that generates weak random numbers is rand() in /src/OpenWork/Corp/Client.phpat line 47

🕵️‍♂️ Proof of Concept

//POC.php

#!/usr/bin/env php
<?php

if($argc < 3)
{
    print($argv[0] . ' <seed> <n>' . "\n");
    print('' . "\n");
    print('Parameters:' . "\n");
    print('  seed:   Seed to initialize rand() with' . "\n");
    print('  offset: Number of calls to rand() before printing the first');
    print(' output' . "\n");
    print('' . "\n");
    print('Output:' . "\n");
    print('  <offset>\'s call to rand() and <offset+227>\'s call');
    print(' to rand()' . "\n");
    exit();
}

rand($argv[1]);
for($i=0;$i<$argv[2];$i++)
    rand();

print rand() . " ";
for($i=0;$i<226;$i++)
    rand();
print rand() . "\n";

💥 Impact

The random number generator implemented by rand() cannot withstand a cryptographic attack. Because rand() is a statistical PRNG, it is easy for an attacker to guess the strings it generates.

Occurrences

References

We have contacted a member of the w7corp/easywechat team and are waiting to hear back a year ago
Akshay Jain submitted a
a year ago
Akshay Jain
a year ago

Researcher


https://github.com/w7corp/easywechat/pull/2134

安正超 validated this vulnerability a year ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
安正超 marked this as fixed with commit e9ecad a year ago
Akshay Jain has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation