phpwn: Attack on PHP sessions and random numbers

Studying PHP’s (5.3.1 and below) LCG (linear congruential generator, a pseudorandom number generator), I discovered that there are weaknesses that reduce the complexity of determining the sequence of pseudorandom numbers. What this means is that PHP is severely deficient in producing random session IDs or random numbers, leading to the possibility of stealing sessions or other sensitive information.

The initial seed can be reduced from 64 bits to 35 bits, and with PHP code execution, can be reduced further down to just under 20 bits, which takes only seconds to recreate the initial seed. You can test with sources available below.
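An entropy budget that arrives at figures like these, as an added example that is not part of the original post or of the phpwn sources. It assumes (none of this is stated on this page) that the LCG state is two 32-bit words seeded as s1 = tv_sec ^ ~tv_usec from gettimeofday() and s2 = the process ID, that PIDs stay below 32768, and that the second of seeding is known; all function names are illustrative.

```python
import math

USEC_PER_SEC = 1_000_000   # tv_usec takes values 0..999999
PID_MAX = 32768            # assumption: Linux default pid_max


def to_int32(x):
    """Wrap a Python int to a signed 32-bit value, as a C int32 would."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def seed_state(tv_sec, tv_usec, pid):
    """Assumed seeding: s1 = tv_sec ^ ~tv_usec, s2 = pid."""
    return to_int32(tv_sec ^ ~tv_usec), to_int32(pid)


def seed_bits(sec_candidates, usec_candidates, pid_candidates):
    """Bits of uncertainty left when each input has this many candidates."""
    return math.log2(sec_candidates * usec_candidates * pid_candidates)


def distinct_s1(tv_sec, usec_values):
    """Count distinct s1 words produced within one second."""
    return len({seed_state(tv_sec, u, 1)[0] for u in usec_values})


def scenarios():
    """Seed uncertainty under each assumption about what is already known."""
    return {
        "nominal state, two 32-bit words": 64.0,
        "second known; microsecond and pid unknown":
            seed_bits(1, USEC_PER_SEC, PID_MAX),
        "second and pid known": seed_bits(1, USEC_PER_SEC, 1),
    }


if __name__ == "__main__":
    for label, bits in scenarios().items():
        print(f"{label:45s} {bits:6.2f} bits")
```

The width of the generator state sets only an upper bound; the unpredictability of a seed is the sum of the uncertainty in its inputs, which is why a clock value and a process ID make a poor basis for session identifiers.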

Other tools to work out the LCG in forward and reverse, as well as determine session IDs, can be found below.

Source

