Use of a Broken or Risky Cryptographic Algorithm in serghey-rodin/vesta
Jul 24th 2021
uniqid does not generate cryptographically secure strings. Even if it did, supplying it with mt_rand would render it insecure: an attacker would be able to gain access to a victim's account simply by knowing when they logged in. This could be used as a mass account takeover vector, since an attacker could automate checking tokens and generate them after deducing the server's randomization seed.
Proof of Concept
Numerous examples and attack implementations can be found in this paper.
If you're looking for a practical tool that can crack your mt_rand implementation's seed value, see this project and run the following commands in a console with php5 and OpenWall's tool installed:
root$ php -r 'mt_srand(13333337); echo mt_rand( ), "\n";'
After that, copy the output (1863134308) and execute the following commands:
root$ gcc php_mt_seed.c -o php_mt_seed
root$ ./php_mt_seed 1863134308
After waiting ~1 minute you should have a few possible seeds, each listed with the PHP versions it corresponds to. Next to your installed PHP version you should see something akin to:
seed = 0x00cb7359 = 13333337 (PHP 7.1.0+)
This vulnerability is capable of allowing an unauthenticated attacker to generate session tokens of users at random and en masse by deducing the backend server's randomization seed or by taking advantage of the fact that uniqid isn't cryptographically secure.
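The weak token pattern described in this report next to a CSPRNG-based replacement, as an added example that is not Vesta's code or part of the original report. The function names and the exact uniqid(mt_rand()) call shape are assumptions.

```php
<?php
// Added example. Function names are hypothetical, not taken from Vesta.

// Weak pattern as described in the report (call shape assumed):
// uniqid() is built from the current time in microseconds and mt_rand()
// comes from a 32-bit seeded generator, so neither input is a secret.
function weak_token(): string
{
    return uniqid((string) mt_rand());
}

// Hardened form: 32 bytes from the operating system CSPRNG (PHP 7.0+),
// hex-encoded so it is safe in cookies, forms and URLs.
function secure_token(): string
{
    return bin2hex(random_bytes(32));
}

// Validate a submitted token in constant time to avoid timing leaks.
function token_matches(string $expected, string $submitted): bool
{
    return hash_equals($expected, $submitted);
}

// uniqid() with no prefix is 13 hex characters: the first 8 are the Unix
// time in seconds, the last 5 the microseconds. Decoding the first part
// shows that the value is a timestamp, not random data.
function uniqid_seconds(string $id): int
{
    return (int) hexdec(substr($id, 0, 8));
}

$id    = uniqid();
$drift = abs(time() - uniqid_seconds($id));
echo "uniqid():       $id (encodes a time within {$drift}s of now)\n";
echo "weak_token():   ", weak_token(), "\n";

$token = secure_token();
echo "secure_token(): $token (", strlen($token), " hex characters)\n";

// The same token matches; a freshly generated one does not.
var_dump(token_matches($token, $token));
var_dump(token_matches($token, secure_token()));
```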