SektionEins GmbH
www.sektioneins.de

-= Security Advisory =-

     Advisory: MyBB Password Reset Weak Random Numbers Vulnerability
 Release Date: 2010/04/13
Last Modified: 2010/04/13
       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: MyBB <= 1.4.11
     Severity: Usage of weak random number generation in the password
               reset functionality allows predicting the password reset
               token and the randomly generated password, which results
               in account takeover.
         Risk: Critical
Vendor Status: MyBB 1.4.12 was released which partly fixes this
               vulnerability
    Reference: http://www.sektioneins.com/en/advisories/advisory-022010-mybb-password-reset-weak-random-numbers-vulnerability/
               http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/

Overview:

  Quote from http://www.mybboard.net

  "MyBB is a discussion board that has been around for a while; it has
  evolved from other bulletin boards into the forum package it is today.
  Therefore, it is a professional and efficient discussion board,
  developed by an active team of developers. The MyBB history has been
  recorded and is available for the interested to read. You can also
  read more about the MyBB team and why they develop MyBB in their
  spare time. We also like to highlight the most active and
  contributing fansites of the MyBB community."

  During evaluation of various password reset implementations it was
  discovered that MyBB uses weak random numbers when generating the
  password reset token and randomly generated passwords. A malicious
  user can take over arbitrary accounts if PHP processes are reused by
  the webserver. The most common PHP installation, mod_php with
  keep-alive requests enabled, is therefore vulnerable.

Details:

  In various places MyBB seeds the random number generator with the
  mt_srand() function.
      // Setup a unique posthash for attachment management
      if(!$mybb->input['posthash'] && $mybb->input['action'] != "editdraft")
      {
          // Seed drawn from microtime(): at most one million distinct values
          mt_srand((double) microtime() * 1000000);
          // First mt_rand() output is exposed to the user via the post hash
          $posthash = md5($mybb->user['uid'].mt_rand());
      }

  Code like this seeds the random number generator from a space of only
  one million different seed values. In addition, the first generated
  random number is leaked to the user in the form of the post hash.
  Because the user knows his own 'uid', it is easy to find the seed
  used by simply brute-forcing the one million possibilities. A normal
  desktop PC is able to perform this attack in less than a second.

  Because the state of the random number generator is shared by
  requests handled by the same PHP process, a password reset triggered
  afterwards will use a state known to the attacker. The password
  reset first creates a random password reset token that is sent to
  the user. If this token is used, the second step of the password
  reset generates a new random password. Both random strings are
  generated by the following function.

      function random_str($length="8")
      {
          // 61 characters: upper- and lower-case letters plus the digits 1-9
          $set = array("a","A","b","B","c","C","d","D","e","E","f","F",
                       "g","G","h","H","i","I","j","J","k","K","l","L",
                       "m","M","n","N","o","O","p","P","q","Q","r","R",
                       "s","S","t","T","u","U","v","V","w","W","x","X",
                       "y","Y","z","Z","1","2","3","4","5","6","7","8","9");
          $str = '';
          for($i = 1; $i <= $length; ++$i)
          {
              // Every character is derived from the (predictable) mt_rand() state
              $ch = mt_rand(0, count($set)-1);
              $str .= $set[$ch];
          }
          return $str;
      }

  The problem with this code is that it uses mt_rand() to generate the
  random strings, and the state of the mt_rand() number generator is
  known to the remote attacker. He is therefore able to predict both
  the generated password reset token and the new password. This allows
  taking over arbitrary accounts.

  This vulnerability was fixed by the vendor by reseeding the random
  number generator on every request with a securely generated seed.
  This renders the discovered attack infeasible but might be vulnerable
  to future attacks.
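  The following is an added example, not MyBB code and not the safeguard SektionEins proposed to the vendor. It places the mt_rand()-based string generator beside a version built on the OS CSPRNG (random_int()/random_bytes(), which assumes PHP 7.0 or newer) and shows the property the attack relies on: once the mt_rand() state is known, the generated token is fully reproducible, whereas the CSPRNG-based token does not depend on mt_srand() at all.

```php
<?php
// Added example (not MyBB code). Assumes PHP 7.0+ for random_int()/random_bytes().
// Same 61-character set as MyBB's random_str(): letters plus the digits 1-9.
const CHARSET = 'aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ123456789';

// Pattern used by MyBB <= 1.4.11: every character comes from mt_rand(), so the
// output is a pure function of the generator state. With mt_srand() fed only
// one million possible seeds and the first output leaked in the posthash, that
// state is recoverable and the token predictable.
function random_str_mt($length = 8) {
    $str = '';
    for ($i = 0; $i < $length; $i++) {
        $str .= CHARSET[mt_rand(0, strlen(CHARSET) - 1)];
    }
    return $str;
}

// Hardened form: random_int() reads the operating system CSPRNG, is unbiased
// within the requested range and is unaffected by mt_srand() or any state
// left behind by earlier requests in the same PHP process.
function random_str_secure($length = 8) {
    $str = '';
    for ($i = 0; $i < $length; $i++) {
        $str .= CHARSET[random_int(0, strlen(CHARSET) - 1)];
    }
    return $str;
}

// Same treatment for the posthash: no seeding step and no mt_rand() output
// that could be handed to the user.
function posthash_secure($uid) {
    return hash('sha256', $uid . bin2hex(random_bytes(32)));
}

// Demonstration: with a known seed the mt_rand() token comes out identical
// twice, which is exactly what an attacker holding the recovered state can
// reproduce; the CSPRNG token ignores the seed.
mt_srand(123456);
$first = random_str_mt(8);
mt_srand(123456);
$second = random_str_mt(8);
printf("mt_rand token:    %s  reproducible from seed: %s\n",
       $first, $first === $second ? 'yes' : 'no');

mt_srand(123456);
$a = random_str_secure(8);
mt_srand(123456);
$b = random_str_secure(8);
printf("random_int token: %s  reproducible from seed: %s\n",
       $a, $a === $b ? 'yes' : 'no');
printf("posthash: %s\n", posthash_secure(42)); // constructed uid
```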
  We therefore recommended an additional safeguard that might make it
  into the next release version.

  Furthermore, it should be noted that users of the Suhosin Extension
  version 0.9.26 or newer are safe from this class of attacks, because
  random numbers generated by rand() and mt_rand() are more secure by
  default.

Proof of Concept:

  SektionEins GmbH is not going to release a proof of concept exploit
  for this vulnerability.

Disclosure Timeline:

  31. March 2010 - Notified the MyBB devs via security contact form
  13. April 2010 - MyBB developers released MyBB 1.4.12
  13. April 2010 - Public Disclosure

Recommendation:

  It is recommended to upgrade to the latest version of MyBB. However,
  we hope that our late recommendations for more secure random number
  generation will make it into the next release.

  Grab your copy at: http://mybboard.net/downloads

CVE Information:

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  not assigned a name to this vulnerability.

Month of PHP Security:

  If you have a non-public vulnerability like this, don't hesitate to
  submit it to the Month of PHP Security. Further information at
  http://php-security.org

GPG-Key:

  pub  1024D/15ABDA78 2004-10-17 Stefan Esser
  Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78

Copyright 2010 SektionEins GmbH. All rights reserved.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/