Use of a Broken or Risky Cryptographic Algorithm in emoncms/emoncms


Reported on

Jul 10th 2021

✍️ Description

The function mt_rand is used to generate verification keys, API keys (both read & write), and even hash salts, this function is cryptographically flawed due to its nature being one pseudorandomness, an attacker can take advantage of the cryptographically insecure nature of this function to disclose critical information for accounts that are not under his/her control

🕵️‍♂️ Proof of Concept

Numerous examples and attack implementations can be found in this paper . If you're looking for a practical tool that can crack your mt_rand implementation's seed value, see this project and run the following commands in a console with php5 and OpenWall's tool installed:

root$ php -r 'mt_srand(13333337); echo mt_rand( ), "\n";'

After that, copy the output (1863134308) and execute the following commands:

root$ gcc php_mt_seed.c -o php_mt_seed
root$ ./php_mt_seed 1863134308

After waiting ~1 minute you should have a few possible seeds corresponding to their PHP versions, next to your installed PHP version you should see something akin to:

seed = 0x00cb7359 = 13333337 (PHP 7.1.0+)

Hey, that's your seed!

💥 Impact

The impact of this appears significant (at least it does to me), some examples of what could be done include:

  • An attacker could use other peoples' api keys by generating them.
  • An attacker could render your salting process useless by enumerating your salts.
We have contacted a member of the emoncms team and are waiting to hear back 2 years ago
emoncms/emoncms maintainer validated this vulnerability 2 years ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
emoncms/emoncms maintainer marked this as fixed with commit 31523b 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
emoncms/emoncms maintainer
2 years ago

Thanks Michael!

Michael Rowley
2 years ago


No problem, thanks for getting this fixed!

to join this conversation