Savane v.3.12 Bad Seed Vulnerability and CSRF Bypass

2024.04.08

Credit: Ally Petitt

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2024-27632

CWE: CWE-335

# CVE-2024-27632 Vulnerability Details

## Overview

In Savane v3.12 and prior, the Unix timestamp is used as a seed in the Pseudo-Random Number Generator (PRNG) used to generate Cross-Site Request Forgery (CSRF) protection tokens (`form_id`). As a result, an attacker may be able to independently generate the same valid CSRF token that was assigned to a victim user, thereby passing CSRF checks and leading to a successful CSRF attack. The impact of a CSRF attack includes privilege escalation and account takeover.


**CWE Classification:** CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

**Reported By:** Ally Petitt 

**Affected Product**: Savane

**Affected Versions**: 3.12 and prior

## Technical Details

Before the `form_id` is generated, `utils_srand()` is called. Then, the generated `form_id` is created as an MD5 hash of a value generated by PHP's PRNG.

_frontend/php/include/form.php:61_
```
  if (!$form_id)
    {
      utils_srand ();
      $form_id = md5 (mt_rand (0, 1000000));
    }
```

As shown in the code block below, `utils_srand()` is defined as a function that seeds the `microtime()`, a function that returns the Unix timestamp, multiplied by 1,000,000.

_frontend/php/include/utils.php:969_
```
function utils_srand ()
{
  mt_srand ((int)((double)microtime () * 1000000));
}
```

As a result, the Unix timestamp, a predictable value, is used to generate a security-critical psuedo-random number. The time that a user's token was created can potentially be guessed or triggered by an attacker in order to obtain a valid timestamp that they can use to craft a valid CSRF token.

## Validation Steps
These steps aim to demonstrate that knowing the timestamp is enough to generate a valid token independently. Real-world attack strategies may involve additional creativity in order to ensure that the correct timestamp of the token creation is being deduced.

1. Visit a Savane webpage that generates a `form_id`.
2. Note the Unix timestamp that you visited that page.
3. Replace `$RECORDED_UNIX_TIME` with the time that was recorded and un the following PHP script. Observe that the value generated matches the `form_id` that the server returned upon initially visiting the webpage.

```
<?php
mt_srand ((int)((double)$RECORDED_UNIX_TIME* 1000000));
echo md5 (mt_rand (0, 1000000));
?>
```


## Mitigation

Upgrade to Savane version 3.13 or higher. The patch can be found [here](https://git.savannah.nongnu.org/cgit/administration/savane.git/commit/?h=i18n&id=dee5195d18f9ab16c860e8114819083673f66b95).

References:

https://git.savannah.nongnu.org/cgit/administration/savane.git/commit/?h=i18n&id=dee5195d18f9ab16c860e8114819083673f66b95

https://medium.com/@allypetitt/how-i-found-3-cves-in-2-days-8a135eb924d3

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Savane v.3.12 Bad Seed Vulnerability and CSRF Bypass

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.