Abusing weak PRNGs in PHP applications

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.



Abusing weak PRNGs in PHP applications

Post by VladSun »

gat3way has uploaded an interesting PoC video - an mt_rand()/rand() seed value discovery.
http://www.youtube.com/watch?v=NMhO00bnRzM

According to his articles (in Bulgarian), he is able to brute-force the seed value used by mt_srand() in just an hour. He uses a rainbow table (11MB) that took 17 hours to generate.

He also explains the weaknesses of using low-entropy sources for seeding mt_srand() - like the time() function.

Finally, he explains that CAPTCHA images can be bypassed by *predicting* the values they are generated from. He shows the weaknesses of the "unique URLs" used for resetting passwords in some PHP applications.

Enjoy watching the video ;) ... and fix your code :twisted:
There are 10 types of people in this world, those who understand binary and those who don't

Re: Abusing weak PRNGs in PHP applications

Post by kaisellgren »

That's exactly what I described on my (now dead) blog PHP Talk.

I've mentioned the problem(s) on http://improved-security.com/wiki/Rando ... _%28PHP%29

Improved Security wrote:
When using mod_php and HTTP Keep-Alive connections, the same PHP process is used for each HTTP request. PHP automatically seeds the random number generators at each process start. So, since we use HTTP Keep-Alive, the random number generators are not re-seeded by PHP. This means that if one can upload a PHP file on a shared server (on his account) similar to the following:

```php
mt_srand(0);
```

then he will be able to seed the random function for his process, and predict the next random number in another application on the same server.
And of course you don't need to upload anything if there's an application that seeds based on any user supplied data.
VladSun wrote:
Finally, he explains that CAPTCHA images can be bypassed by *predicting* the values they are generated from.

Yeah, CAPTCHAs are just one of the things that rely heavily on randomness. After all, randomization is a control that has to be strong for someone to even be able to build a secure system.

Anyway, the video is nicely done. This just shows yet another reason (= such things are getting more practical and popular) why one can't use the built-in random functions in PHP for cryptographic purposes.

I've been writing a library and it can generate good random data with a simple call:

```php
$randomBytes = Security_Randomizer::getRandomBytes(32); // Generate 32 bytes of random data
```
The library is not vulnerable to the attack demonstrated in the video.
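To make the two problems raised in this thread concrete (VladSun's point about time()-seeded mt_srand() and the wiki quote about mt_srand() state surviving across requests in one mod_php process), here is an added example. It is not code from the video, from either poster or from the Security_Randomizer library; the function names are ours, and it assumes PHP 7.0 or later for random_bytes() and random_int().

```php
<?php
// Added example for this thread, not code from the video or from either poster.
// Shows (a) why a time()-seeded mt_rand() token is reproducible,
// (b) how mt_srand() state set earlier in the same process dictates the output
// of unrelated code that never seeds, and (c) a replacement that reads from the
// OS CSPRNG and therefore ignores mt_srand() entirely (PHP >= 7.0).

// (a) Weak: the pattern the thread warns about. The seed is the issue time in
// seconds, so there are only 86400 possible seeds per day, and anyone who knows
// roughly when the token was issued can regenerate it.
function weakResetToken(int $issuedAt): string
{
    mt_srand($issuedAt);
    return dechex(mt_rand()) . dechex(mt_rand());
}

// (b) Code that trusts PHP's automatic per-process seeding and never calls
// mt_srand() itself, e.g. a CAPTCHA challenge generator.
function captchaDigits(int $length = 5): string
{
    $digits = '';
    for ($i = 0; $i < $length; $i++) {
        $digits .= mt_rand(0, 9);
    }
    return $digits;
}

// (c) Hardened: random_bytes()/random_int() draw from the kernel CSPRNG and do
// not consult Mersenne Twister state, so neither a small seed space nor another
// script's mt_srand() call in the same process affects them.
function strongResetToken(): string
{
    return bin2hex(random_bytes(32));   // 256 bits of entropy, 64 hex characters
}

function strongCaptchaDigits(int $length = 5): string
{
    $digits = '';
    for ($i = 0; $i < $length; $i++) {
        $digits .= random_int(0, 9);
    }
    return $digits;
}

// Compare a submitted token with the stored one in constant time.
function tokenMatches(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

// --- demonstration ---
$issued = time();
$t1 = weakResetToken($issued);
$t2 = weakResetToken($issued);          // same second, same token
printf("weak token reproducible from its timestamp: %s\n", $t1 === $t2 ? 'yes' : 'no');

mt_srand(0);                            // stands in for another script's mt_srand(0)
$c1 = captchaDigits();
mt_srand(0);
$c2 = captchaDigits();
printf("captcha digits fixed by an earlier mt_srand(0): %s\n", $c1 === $c2 ? 'yes' : 'no');

mt_srand(0);
$s1 = strongResetToken();
mt_srand(0);
$s2 = strongResetToken();
printf("strong token unaffected by mt_srand(): %s\n", $s1 !== $s2 ? 'yes' : 'no');
printf("strong token: %s\n", $s1);
printf("strong captcha: %s\n", strongCaptchaDigits());
printf("constant-time compare of a matching token: %s\n", tokenMatches($s1, $s1) ? 'ok' : 'mismatch');
```

The first two checks print "yes" on any PHP version: the weak token is a pure function of the second it was issued in, and the CAPTCHA digits are a pure function of whatever seed the process last received. The third prints "yes" because random_bytes() is not derived from Mersenne Twister state at all, which is the property a password-reset token or CAPTCHA generator actually needs. On PHP 5.x, where random_bytes() does not exist, openssl_random_pseudo_bytes() is the usual substitute.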