ghsa-x7g2-wrrp-r6h3
Vulnerability from github
Published
2021-09-01 18:41
Modified
2024-02-05 15:50
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Summary
Use of a Broken or Risky Cryptographic Algorithm
Details

✍️ Description

The function mt_rand is used to generate session tokens, this function is cryptographically flawed due to its nature being one pseudorandomness, an attacker can take advantage of the cryptographically insecure nature of this function to enumerate session tokens for accounts that are not under his/her control

🕵️‍♂️ Proof of Concept

Numerous examples and attack implementations can be found in this paper . If you're looking for a practical tool that can crack your mt_rand implementation's seed value, see this project and run the following commands in a console with php5 and OpenWall's tool installed:

root$ php -r 'mt_srand(13333337); echo mt_rand( ), "\n";' After that, copy the output (1863134308) and execute the following commands:

root$ gcc php_mt_seed.c -o php_mt_seedroot$ ./php_mt_seed 1863134308 After waiting ~1 minute you should have a few possible seeds corresponding to their PHP versions, next to your installed PHP version you should see something akin to:

seed = 0x00cb7359 = 13333337 (PHP 7.1.0+) Hey, that's your seed!

💥 Impact

An attacker could takeover accounts at random by enumerating and using access tokens.

📝 References

  • https://openwall.com/php_mt_seedhttps://crypto.di.uoa.gr/CRYPTO.SEC/Randomness_Attacks_files/paper.pdf
  • https://github.com/mautic/mautic/blob/5213e320b4ef4d0c51bb84c1d46a1071e8e4f7fc/app/bundles/PointBundle/Controller/TriggerController.php#L187
  • https://github.com/mautic/mautic/releases/tag/3.3.4
  • https://github.com/mautic/mautic/releases/tag/4.0.0
Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mautic/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "mautic/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-alpha1"
            },
            {
              "fixed": "4.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-27913"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-30T18:02:40Z",
    "nvd_published_at": "2021-08-30T16:15:00Z",
    "severity": "LOW"
  },
  "details": "## \u270d\ufe0f Description\nThe function mt_rand is used to generate session tokens, this function is cryptographically flawed due to its nature being one pseudorandomness, an attacker can take advantage of the cryptographically insecure nature of this function to enumerate session tokens for accounts that are not under his/her control\n\n## \ud83d\udd75\ufe0f\u200d\u2642\ufe0f Proof of Concept\nNumerous examples and attack implementations can be found in this paper . If you\u0027re looking for a practical tool that can crack your mt_rand implementation\u0027s seed value, see this project and run the following commands in a console with php5 and OpenWall\u0027s tool installed:\n\n`root$ php -r \u0027mt_srand(13333337); echo mt_rand( ), \"\\n\";\u0027`\nAfter that, copy the output (1863134308) and execute the following commands:\n\n`root$ gcc php_mt_seed.c -o php_mt_seedroot$ ./php_mt_seed 1863134308`\nAfter waiting ~1 minute you should have a few possible seeds corresponding to their PHP versions, next to your installed PHP version you should see something akin to:\n\nseed = 0x00cb7359 = 13333337 (PHP 7.1.0+)\nHey, that\u0027s your seed!\n\n## \ud83d\udca5 Impact\nAn attacker could takeover accounts at random by enumerating and using access tokens.\n\n## \ud83d\udcdd References\n\n- https://openwall.com/php_mt_seedhttps://crypto.di.uoa.gr/CRYPTO.SEC/Randomness_Attacks_files/paper.pdf\n- https://github.com/mautic/mautic/blob/5213e320b4ef4d0c51bb84c1d46a1071e8e4f7fc/app/bundles/PointBundle/Controller/TriggerController.php#L187\n- https://github.com/mautic/mautic/releases/tag/3.3.4\n- https://github.com/mautic/mautic/releases/tag/4.0.0",
  "id": "GHSA-x7g2-wrrp-r6h3",
  "modified": "2024-02-05T15:50:17Z",
  "published": "2021-09-01T18:41:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/security/advisories/GHSA-x7g2-wrrp-r6h3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27913"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mautic/mautic/commit/d1cad766a2de74e6c6b89d6d78c2a5f2e36ba91c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/mautic/core/CVE-2021-27913.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mautic/mautic"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Use of a Broken or Risky Cryptographic Algorithm"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.