Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Exploiting weak PRNGs (rand()/mt_rand())
Posted by: gat3way
Date: January 24, 2010 07:12AM

Please have a look at that video I made:

hxxp://www.youtube.com/watch?v=NMhO00bnRzM

It's about abusing PHP's weak builtin PRNG functions like rand() and mt_rand(). Steffan Esser wrote about that back in 2008. I used his idea (keep-alive requests to conduct cross-application attacks) to develop a working PoC against PHP-Nuke and PunBB hosted on a same server (PunBB admin password successfully reset with only 4-5 HTTP requests). However, it turned out that bruteforcing the seed takes a long time (more than 16 hours on my AMD Phenom 2.6ghz). Actually, mt_srand();mt_rand() is about 5 times slower than md5().

Since it's about a password reset attack and the victim will likely notice the "reset password" mail before we've bruteforced the seed, I decided to use rainbow tables for faster seed cracking. Rainbow table of chain length=10000 and 512k rows takes about 11MB and average search time takes ~35 minutes. Rainbow table parameters can be tuned for a faster search (thus a larger table).

Many web applications are still vulnerable to those attacks and besides resetting passwords, it can be used to guess captchas, do bulk user registrations, etc.

PoC, rainbow table and table generation/search code (sloppily written in PHP) can be found at hxxp://www.gat3way.eu/poc/mtrt.

I hope at least some of you would enjoy that boring stuff.

Options: ReplyQuote
Re: Exploiting weak PRNGs (rand()/mt_rand())
Posted by: rvdh
Date: January 24, 2010 09:37PM

Excellent work man. I hope more people now realize the dangers of rand() and mt_rand() in PHP scripting, especially when they are broadcasted into an URI. Good to see practical examples coming forth.

Options: ReplyQuote


Sorry, only registered users may post in this forum.