Reutov, yunusov, nagibin random numbers take ii

1. Arseniy Reutov Timur Yunusov Dmitriy Nagibin

2. Timeline of PHP problems with random numbers 2008: “mt_srand and not so random numbers” by Stefan Esser Early 2010: “Abusing weak PRNGs in PHP applications” by gat3way July 2010: “How I Met Your Girlfriend” by Samy Kamkar July 2012: “I Forgot Your Password: Randomness Attacks Against PHP” by George Argyros and Aggelos Kiayias August 2012: “Random Numbers. Take Two”

3. PHP Developers: meh, so what? Documentation still lacks security warnings except for uniqid() PHP developers refuse to use external crypto providers in GENERATE_SEED Seeds in LCG and Mersenne Twister are interdependent (if you know one seed you will know the other)

4. PHP Developers: meh, so what? Make seeding more secure? Nope, fix the documentation instead.* * didn’t do even this.

5. What we are going to hack today OpenCart 1.5.3.1 DataLife Engine 9.5 UMI.CMS 2.8.5.3 OpenCart 1.5.4.1

6. Basics (1) Apache: mpm-prefork (separate processes) or mpm-worker (threads within a process) PHP: non-thread safe (used with mpm- prefork) or thread safe (used with mpm- worker) Apache+PHP: mod_php (same process on keep-alive requests) or CGI/FastCGI (different processes on keep-alive requests)

7. Basics (2) In a fresh process PHP automatically seeds its PRNGs Same seed for rand and mt_rand (max value 2^32) Two different seeds for LCG (max value 2^32 each)

8. OpenCart 1.5.3.1

9. OpenCart 1.5.3.1 $code = md5(mt_rand()); //admin/controller/common/forgotten. php $this->session->data['token'] = md5(mt_rand()); //admin/controller/common/login.php

10. OpenCart 1.5.3.1 Fresh Process Spawning on mpm-prefork Apache Initiate a number of keep-alive requests that is > MaxSpareServers (10 by default) Fill the pool Make target request on freshly seeded process

11. OpenCart 1.5.3.1 php exploits/opencart/1.5.3.1.php php exploits/opencart/md5crack.php <md5> or ./tools/hashcat/hashcat <md5> on obtained token At Amazon run “mt_seed.exe” or ./tools/php_mt_seed/php_mt_seed <num> on obtained random number php exploits/opencart/genlinks.php seeds.txt

12. OpenCart 1.5.3.1

17. OpenCart 1.5.3.1 GREAT SCOTT! IT WORKED!

18. DataLife 9.6

19. DataLife 9.6 engine/modules/lostpassword.php: $salt = "abchefghjkmnpqrstuvwxyz0123456789"; srand( ( double ) microtime() * 1000000 ); for($i = 0; $i < 15; $i ++) { $rand_lost .= $salt{rand( 0, 33 )}; } $lostid = sha1( md5( $lostname . $lostmail ) . time () . $rand_lost ) engine/modules/pm.php: $salt = "abchefghjkmnpqrstuvwxyz"; $random_key = ""; for($i = 0; $i < 8; $i ++) { $random_key .= $salt{rand( 0, 23 )}; }

20. DataLife 9.6 Log on as test:123456 at http://datalife Copy PHPSESSID (View Page Info -> Details -> View Cookies) Delete cookies, go to http://datalife/?do=lostpassword Copy PHPSESSID and symbols on captcha php exploits/dle/dle.php <PHPSESSID 1> <PHPSESSID captcha> <captcha>

22. DataLife 9.6

26. DataLife 9.6

27. DataLife 9.6 GREAT SCOTT! IT WORKED!

28. UMI.CMS 2.8.5.3

29. Time Synchronization (ATS) Date: T1 T2 T2-T1=1 Time: msec=0 msec=0 (!) msec=0 msec=m1 m2 msec=0 msec=m1 m2 msec(server) ~ [0;(m2-m1)/2]

30. UMI.CMS 2.8.5.3 (PHP<5.4) ext/session/session.c: gettimeofday(&tv, NULL); ... spprintf(&buf, 0, "%.15s%ld%ld%0.8F", remote_addr ? remote_addr : "", tv.tv_sec, (long int)tv.tv_usec, php_combined_lcg(TSRMLS_C) * 10); ... return PHP_MD5Update(&md5_context, (unsigned char *) buf, strlen(buf));

31. UMI.CMS 2.8.5.3 PHPSESSID: md5(127.0.0.11351346648192088.00206033) IP (known) timestamp (known) microtime0 (need to bruteforce) LCG (need to find two seeds)

32. UMI.CMS 2.8.5.3 ext/standard/lcg_seed.h: static void lcg_seed(TSRMLS_D) { struct timeval tv; if (gettimeofday(&tv, NULL) == 0) { LCG(s1) = tv.tv_sec ^ (tv.tv_usec<<11); } else { LCG(s1) = 1; } #ifdef ZTS LCG(s2) = (long) tsrm_thread_id(); #else LCG(s2) = (long) getpid(); #endif if (gettimeofday(&tv, NULL) == 0) { LCG(s2) ^= (tv.tv_usec<<11); } LCG(seeded) = 1; }

33. UMI.CMS 2.8.5.3 LCG seeds: S1 = timestamp ^ microtime1 << 11 S2 = pid ^ microtime2 << 11 timestamp (known) microtime1 (need to bruteforce: microtime1 – microtime0 = 1…4) pid (need to bruteforce: 1024-32768) microtime2 (need to bruteforce: microtime2 - microtime1 = 0…3)

34. UMI.CMS 2.8.5.3 ext/standard/php_rand.h: #ifdef PHP_WIN32 #define GENERATE_SEED() (((long) (time(0) * GetCurrentProcessId())) ^ ((long) (1000000.0 * php_combined_lcg(TSRMLS_C)))) #else #define GENERATE_SEED() (((long) (time(0) * getpid())) ^ ((long) (1000000.0 * php_combined_lcg(TSRMLS_C)))) #endif

35. UMI.CMS 2.8.5.3 function getRandomPassword ($length = 12) { $avLetters = "$#@^&!1234567890qwertyuiopasd fghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM"; $size = strlen($avLetters); $npass = ""; for($i = 0; $i < $length; $i++) { $c = rand(0, $size - 1); $npass .= $avLetters[$c]; } return $npass; }

36. UMI.CMS 2.8.5.3 Edit exploits/umi/umi.php, add your login php exploits/umi/umi.php [offset=0] [delay1=10000- 100000] [delay2=10000] Run phpsessid_cuda with PHPSESSID, timestamp and your ip php exploits/umi/pass_gen.php <sec> <pid> <s1> <s2>

38. UMI.CMS 2.8.5.3

40. PHPSESSID Bruteforcer 1,170 billion seeds/sec on a single Amazon EC2 GPU Instance Supports multiple GPUs Covers the whole search space within 7,5 minutes Supports distributed computing based on sockets So fast that we don’t need microtime synchronization with remote server any more

41. PHPSESSID Bruteforcer

43. UMI.CMS 2.8.5.3

44. UMI.CMS 2.8.5.3 GREAT SCOTT! IT WORKED!

45. PHDAYS.RU OWNED!!!

47. OpenCart 1.5.4.1 $code = md5(mt_rand()); $code = sha1(uniqid(mt_rand(), true)); //admin/controller/common/forgotten.php $this->session->data['token'] = md5(mt_rand()); //admin/controller/common/login.php

48. OpenCart 1.5.4.1 Sources of entropy: mt_rand() : 92496817 uniqid() : 1351070918 + 616520 (in hex) lcg_value() : 7.41222311 sha1(924968175087b4c6968487.41222311)

49. OpenCart 1.5.4.1 ext/standard/php_rand.h: #ifdef PHP_WIN32 #define GENERATE_SEED() (((long) (time(0) * GetCurrentProcessId())) ^ ((long) (1000000.0 * php_combined_lcg(TSRMLS_C)))) #else #define GENERATE_SEED() (((long) (time(0) * getpid())) ^ ((long) (1000000.0 * php_combined_lcg(TSRMLS_C)))) #endif

50. OpenCart 1.5.4.1 Send 3 requests in keep-alive (get token, user reset, admin reset) Find MT seeds (some collisions are present) Bruteforce LCG seeds (also collisions) given MT seeds Bruteforce our sha1 -> find out proper MT seed, LCG seed; also microseconds to start from Calculate admin mt_rand(), admin LCG Bruteforce microseconds given starting point from our sha1 (Request Twins approach)

51. OpenCart 1.5.4.1 php exploits/opencart/1.5.4.1.php, get hash in local mail php exploits/opencart/md5crack.php <md5> or ./tools/hashcat/hashcat <md5> on obtained token At Amazon run “mt_rand.exe” to get seeds At Amazon run “lcg_sha1.exe” with seeds file, timestamp and sha1 hash Get back to exploit, specify mt_rand, admin LCG and microsecs to start from

56. LCG via mt_rand Seed Bruteforcer Allows to find LCG seeds (some collision are present) given mt_rand seed GPU-based 16 billion seeds/sec on a single Amazon EC2 GPU Instance Covers the whole search space within 1 minute

58. OpenCart 1.5.4.1 1 0.94821643 2 9.31809351  mt_srand 3 1.78501767 4 5.16258654 5 7.25796790  User LCG 6 1.86345598 7 3.57376950 8 4.59748062  Admin LCG 9 1.85684612 10 2.74482567

62. OpenCart 1.5.4.1 Wait a moment…

63. OpenCart 1.5.4.1 (4) GREAT SCOTT! IT WORKED!

64. Thanks! Arseniy Reutov Timur Yunusov Dmitriy Nagibin

Reutov, yunusov, nagibin random numbers take ii

More Related Content

Similar to Reutov, yunusov, nagibin random numbers take ii (20)

More from DefconRussia (20)

Reutov, yunusov, nagibin random numbers take ii