Use of a Broken or Risky Cryptographic Algorithm in panique/huge

Valid

Reported on

Jul 10th 2021


✍️ Description

The function mt_rand is used to generate password-reset tokens, this function is cryptographically flawed due to its nature being one pseudorandomness, an attacker can take advantage of the cryptographically insecure nature of this function to enumerate password-reset tokens that should not be available to them.

🕵️‍♂️ Proof of Concept

Numerous examples and attack implementations can be found in this paper . If you're looking for a practical tool that can crack your mt_rand implementation's seed value, see this project and run the following commands in a console with php5 and OpenWall's tool installed:

root$ php -r 'mt_srand(13333337); echo mt_rand( ), "\n";'

After that, copy the output (1863134308) and execute the following commands:

root$ gcc php_mt_seed.c -o php_mt_seed
root$ ./php_mt_seed 1863134308

After waiting ~1 minute you should have a few possible seeds corresponding to their PHP versions, next to your installed PHP version you should see something similar to:

seed = 0x00cb7359 = 13333337 (PHP 7.1.0+)

Hey, that's your seed!

💥 Impact

An attacker could takeover accounts by enumerating password-reset tokens and then using them to change the password of targeted accounts.

Chris
a year ago

Maintainer


Maintainer here. Thank, excellent find! I'm a bit out of the PHP world (the project is 7+ years old), but according to official PHP docs there's a secure successor of mt_rand, called random_int. I'll implement this within the next days.

https://www.php.net/manual/de/function.mt-rand.php

Chris
a year ago

Maintainer


Out of interest: Who funds the money (and how) for these disclosures / fixes? I love the idea and want to support this (financially).

Chris validated this vulnerability a year ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
Michael Rowley
a year ago

Researcher


Hey, thanks for validating the vulnerability - about the funding for huntr.dev, from what I've gathered this project is a London-based startup which is owned by 418sec and I believe that they are funded by venture capitalists.

When I asked about huntr.dev's plan for monetisation, I was told that: "We do plan on selling a service for commercial open source projects, to support their security research needs" & "You can imagine us like HackerOne, but specifically for open source :)"

I'm not sure if that answers your question but it's as far as I've gotten with figuring things out!

Michael Rowley
a year ago

Researcher


Oh, I have also reported a similar vulnerability to this one in another repository a couple of days ago, if you need any examples for 'patches' for this issue, feel free to check out this merge:

https://github.com/emoncms/emoncms/commit/31523b99899eaa19412393ab4ac5ce8d55339643

(from https://huntr.dev/bounties/1625877117672-emoncms/emoncms/)

Jamie Slome
a year ago

Admin


@Chris - Jamie from the huntr.dev team here! Thanks for the warm feedback!

Feel free to join our Discord and would love to talk further with you!

Michael Rowley submitted a
a year ago
Michael Rowley
a year ago

Researcher


I've submitted a patch that (hopefull) will resolve the issues raised within this report, let me know if this breaks or degrades anything else though!

Chris
a year ago

Maintainer


Thanks Michael! I dont want to "steal" your work, but I could find a way to merge this properly in to the repo without losing your contribution details (as there is not a real pull request). Can you please commit this to the original repo? Or is it okay if I just copy your changes?

Thanks again, I adore that work

Michael Rowley
a year ago

Researcher


I've looked over my patch and it looks like it could use a bin2hex wrapper around the random_bytes call, I've added that to my branch along with a minor correction to the comment code and have opened a pull request from my branch to the main one in your repository - I'd advise you to check everything over and make sure that it functions correctly before merging but I can't see anything overtly wrong with the commit.

Chris
a year ago

Maintainer


Thank you so much! Now I can see the pull request, and it's merged now. https://github.com/panique/huge/commit/fe8654394d97078f254b48e655f5f62da16697d4

Chris marked this as fixed with commit 9cb3f5 a year ago
Michael Rowley has been awarded the fix bounty
This vulnerability will not receive a CVE
Michael Rowley
a year ago

Researcher


Awesome, I'm glad to see this fixed!

to join this conversation