Skip to content

ally-petitt/CVE-2024-27632

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
README.md
README.md
 
 

Repository files navigation

CVE-2024-27632 Vulnerability Details

Overview

In Savane v3.12 and prior, the Unix timestamp is used as a seed in the Pseudo-Random Number Generator (PRNG) used to generate Cross-Site Request Forgery (CSRF) protection tokens (form_id). As a result, an attacker may be able to independently generate the same valid CSRF token that was assigned to a victim user, thereby passing CSRF checks and leading to a successful CSRF attack. The impact of a CSRF attack includes privilege escalation and account takeover.

CWE Classification: CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

Reported By: Ally Petitt

Affected Product: Savane

Affected Versions: 3.12 and prior

Technical Details

Before the form_id is generated, utils_srand() is called. Then, the generated form_id is created as an MD5 hash of a value generated by PHP's PRNG.

frontend/php/include/form.php:61

  if (!$form_id)
    {
      utils_srand ();
      $form_id = md5 (mt_rand (0, 1000000));
    }

As shown in the code block below, utils_srand() is defined as a function that seeds the microtime(), a function that returns the Unix timestamp, multiplied by 1,000,000.

frontend/php/include/utils.php:969

function utils_srand ()
{
  mt_srand ((int)((double)microtime () * 1000000));
}

As a result, the Unix timestamp, a predictable value, is used to generate a security-critical psuedo-random number. The time that a user's token was created can potentially be guessed or triggered by an attacker in order to obtain a valid timestamp that they can use to craft a valid CSRF token.

Validation Steps

These steps aim to demonstrate that knowing the timestamp is enough to generate a valid token independently. Real-world attack strategies may involve additional creativity in order to ensure that the correct timestamp of the token creation is being deduced.

  1. Visit a Savane webpage that generates a form_id.
  2. Note the Unix timestamp that you visited that page.
  3. Replace $RECORDED_UNIX_TIME with the time that was recorded and un the following PHP script. Observe that the value generated matches the form_id that the server returned upon initially visiting the webpage.
<?php
mt_srand ((int)((double)$RECORDED_UNIX_TIME* 1000000));
echo md5 (mt_rand (0, 1000000));
?>

Mitigation

Upgrade to Savane version 3.13 or higher. The patch can be found here.

About

CVE-2024–27632 Reference

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published