Use of a Broken or Risky Cryptographic Algorithm in x360ce/x360ce

Valid

Reported on

Jan 26th 2022


Description

The password-generation algorithm used in the function NewPassword() introduces bias into the output password (some characters are more likely to be chosen than others) rather than making the password easier to remember.

Proof of Concept

  • Call the NewPassword() function a large number of times and store the output.
  • Plot the frequency of each character on a distribution graph; a uniform generator produces a flat histogram, a biased one does not.
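The frequency check described above, together with the CSPRNG-based replacement the researcher later describes (12-32 characters, uniform draws), as an added example that is not part of the original report or of x360ce's code. The page does not say what the original NewPassword() did to introduce bias, so the biased generator here is a constructed illustration of one common cause (reducing a random byte modulo the alphabet size) and the 62-symbol alphabet is an assumption; the chi-square statistic against a uniform distribution is what a reviewer would run over the stored output instead of eyeballing a graph.

```python
"""Detecting character bias in a password generator (added example, not x360ce code)."""
import random
import secrets
import string
from collections import Counter

# Assumed alphabet for illustration; the character set used in the actual fix is not on the page.
CHARSET = string.ascii_letters + string.digits  # 62 symbols


def biased_password(length: int, rng: random.Random) -> str:
    """Hypothetical biased generator, constructed to illustrate modulo bias:
    a byte in 0..255 is reduced modulo 62, so the first 256 % 62 == 8 symbols
    each get probability 5/256 while the remaining 54 get only 4/256."""
    return "".join(CHARSET[rng.randrange(256) % len(CHARSET)] for _ in range(length))


def csprng_password(min_len: int = 12, max_len: int = 32) -> str:
    """Unbiased replacement: secrets.choice draws uniformly from the OS CSPRNG,
    and the length is drawn uniformly from 12..32 (inclusive)."""
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    return "".join(secrets.choice(CHARSET) for _ in range(length))


def char_frequencies(passwords) -> Counter:
    """Count how often each symbol appears across all generated passwords."""
    counts = Counter()
    for pw in passwords:
        counts.update(pw)
    return counts


def chi_square_vs_uniform(counts: Counter) -> float:
    """Chi-square statistic against a uniform distribution over CHARSET
    (61 degrees of freedom). A fair generator lands around 61; values far
    above ~100 reject uniformity at the 99.9% level."""
    total = sum(counts.values())
    expected = total / len(CHARSET)
    return sum((counts.get(c, 0) - expected) ** 2 / expected for c in CHARSET)


def max_min_ratio(counts: Counter) -> float:
    """Ratio of the most to the least frequent symbol; 1.0 is perfectly flat."""
    freqs = [counts.get(c, 0) for c in CHARSET]
    return max(freqs) / max(min(freqs), 1)


def analyse(n_passwords: int = 20000, length: int = 16) -> dict:
    """Generate many passwords with both generators and compare their histograms."""
    rng = random.Random(1)  # seeded only so the biased sample is reproducible
    biased = char_frequencies(biased_password(length, rng) for _ in range(n_passwords))
    fair = char_frequencies(csprng_password() for _ in range(n_passwords))
    return {
        "biased_chi2": chi_square_vs_uniform(biased),
        "fair_chi2": chi_square_vs_uniform(fair),
        "biased_ratio": max_min_ratio(biased),
        "fair_ratio": max_min_ratio(fair),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value:.2f}")
```

With 20,000 sixteen-character passwords the modulo-biased generator gives a chi-square statistic in the low thousands and a max/min frequency ratio near 1.25 (the 5/256 versus 4/256 split), while the `secrets`-based generator stays near 61 and 1.0. The same `analyse` loop, pointed at any generator's stored output, is the automated form of the "distribution graph" step in the proof of concept.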

Impact

This vulnerability reduces the number of brute-force attempts an attacker needs, because some characters are more likely than others to appear at each position of a given user's password.

We are processing your report and will contact the x360ce team within 24 hours. a year ago
We have contacted a member of the x360ce team and are waiting to hear back a year ago
x360ce/x360ce maintainer
a year ago

Thank you for reporting this issue. I will check for more secure random function and increase password length.

Michael Rowley submitted a
a year ago
Michael Rowley
a year ago

Researcher


No problem, I've submitted a patch for this issue - if it looks good and the character-set looks appropriate could you approve the report on here and merge the patch to the main branch? The password length has been changed to 12-32 characters and a standard CSPRNG has been implemented!

Michael Rowley
a year ago

Researcher


See https://github.com/x360ce/x360ce/pull/1341

x360ce/x360ce maintainer validated this vulnerability a year ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
x360ce/x360ce maintainer marked this as fixed in 4.17 with commit 7a5b0f a year ago
Michael Rowley has been awarded the fix bounty
This vulnerability will not receive a CVE