Savane v.3.12 Bad Seed Vulnerability and CSRF Bypass

2024.04.08
Credit: Ally Petitt
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2024-27632
CWE: CWE-335

# CVE-2024-27632 Vulnerability Details ## Overview In Savane v3.12 and prior, the Unix timestamp is used as a seed in the Pseudo-Random Number Generator (PRNG) used to generate Cross-Site Request Forgery (CSRF) protection tokens (`form_id`). As a result, an attacker may be able to independently generate the same valid CSRF token that was assigned to a victim user, thereby passing CSRF checks and leading to a successful CSRF attack. The impact of a CSRF attack includes privilege escalation and account takeover. **CWE Classification:** CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) **Reported By:** Ally Petitt **Affected Product**: Savane **Affected Versions**: 3.12 and prior ## Technical Details Before the `form_id` is generated, `utils_srand()` is called. Then, the generated `form_id` is created as an MD5 hash of a value generated by PHP's PRNG. _frontend/php/include/form.php:61_ ``` if (!$form_id) { utils_srand (); $form_id = md5 (mt_rand (0, 1000000)); } ``` As shown in the code block below, `utils_srand()` is defined as a function that seeds the `microtime()`, a function that returns the Unix timestamp, multiplied by 1,000,000. _frontend/php/include/utils.php:969_ ``` function utils_srand () { mt_srand ((int)((double)microtime () * 1000000)); } ``` As a result, the Unix timestamp, a predictable value, is used to generate a security-critical psuedo-random number. The time that a user's token was created can potentially be guessed or triggered by an attacker in order to obtain a valid timestamp that they can use to craft a valid CSRF token. ## Validation Steps These steps aim to demonstrate that knowing the timestamp is enough to generate a valid token independently. Real-world attack strategies may involve additional creativity in order to ensure that the correct timestamp of the token creation is being deduced. 1. Visit a Savane webpage that generates a `form_id`. 2. Note the Unix timestamp that you visited that page. 3. Replace `$RECORDED_UNIX_TIME` with the time that was recorded and un the following PHP script. Observe that the value generated matches the `form_id` that the server returned upon initially visiting the webpage. ``` <?php mt_srand ((int)((double)$RECORDED_UNIX_TIME* 1000000)); echo md5 (mt_rand (0, 1000000)); ?> ``` ## Mitigation Upgrade to Savane version 3.13 or higher. The patch can be found [here](https://git.savannah.nongnu.org/cgit/administration/savane.git/commit/?h=i18n&id=dee5195d18f9ab16c860e8114819083673f66b95).

References:

https://git.savannah.nongnu.org/cgit/administration/savane.git/commit/?h=i18n&id=dee5195d18f9ab16c860e8114819083673f66b95
https://medium.com/@allypetitt/how-i-found-3-cves-in-2-days-8a135eb924d3


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top