Use of a Broken or Risky Cryptographic Algorithm in hdinnovations/unit3d-community-edition

Valid

Reported on

Jul 30th 2021


✍️ Description

The referenced code block uses PHP's native md5( ) and uniqid( ) functions to generate the attributes named passkey and rsskey - both of which are to be considered cryptographically insecure due to their usage of uniqid which is not to be considered cryptographically secure.

🕵️‍♂️ Proof of Concept

  • Execute the below code:
<?php
$a = \uniqid('', true).\time().\microtime();
echo $a . "=" . md5($a);
echo "\n\n";
$a = uniqid('', true).time().microtime();
echo $a . "=" . md5($a);
echo "\n\n";
$a = uniqid('', true).time().microtime();
echo $a . "=" . md5($a);
echo "\n\n";
$a = uniqid('', true).time().microtime();
echo $a . "=" . md5($a);
echo "\n\n";
$a = uniqid('', true).time().microtime();
echo $a . "=" . md5($a);
echo "\n\n";
?>
  • Look at the output, mine is below:
6103de029c6d82.9481546416276433940.64073700 1627643394=44281a740d18c52897cf1cdd994458ee
6103de029c6f42.8333084116276433940.64075700 1627643394=06577e3dcf06c7863b4968224f271463
6103de029c6f64.4995626516276433940.64075900 1627643394=c8003b29a59816287bc254adc5251af4
6103de029c6f81.2037400916276433940.64076100 1627643394=700742badb907ddac5948a8528634abf
6103de029c6fa8.3945899016276433940.64076300 1627643394=2d89d69d1708809a06041a2e79533a31

There is clearly not enough input randomization to provide secure cryptographic hash generation.

💥 Impact

This vulnerability is capable of allowing attackers to computationally feasibly bruteforce passkeys - it also allows them to make bruteforcing the rsskey computationally easier but not feasable due to the use of a secure hashing primitive being used in the above lines to hash the user's password member.

We have contacted a member of the hdinnovations/unit3d-community-edition team and are waiting to hear back 4 months ago
hdinnovations/unit3d-community-edition maintainer validated this vulnerability 4 months ago
Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
Michael Rowley submitted a
4 months ago
Michael Rowley
4 months ago

Researcher


I've opened a pull request (1853) so that once you've accepted the patch you can pull it into the main branch if everything checks out!

Michael Rowley
4 months ago

Researcher


Now that my request has been merged could you accept this as the patch?

Ziding Zhang
4 months ago

Admin


Hey Michael, it seems like the team have merged your patch. Ideally, they'd come on-platform to confirm it for you. I've emailed them about this, and you may gently ping them too. Great job all-round!

Michael Rowley
4 months ago

Researcher


Sounds good, I'd assume they get a notification whenever someone comments on a report pertaining to their repository similarly to how I get one whenever someone comments on one of my reports right?

hdinnovations/unit3d-community-edition maintainer confirmed that a fix has been merged on b345d6 4 months ago
Michael Rowley has been awarded the fix bounty