LEAKFREE-2014-010 / OSVDB-115643

HumHub UserPassword.php setRandomPassword() Remote Password Reset

[+] OSVDB-ID: OSVDB-115643
[+] LF-ID: LEAKFREE-2014-010
[+] CVSS: 7.0
[+] Vendor: HumHub
[+] Product: HumHub
[+] Versions affected: 0.10.0-rc1 and earlier

Vulnerability

The setRandomPassword() function located in '/protected/modules_core/user/models/UserPassword.php' suffers from several design flaws.


public function setRandomPassword() 
{
    $length = 7;
    $chars = "abcdefghijkmnopqrstuvwxyz023456789$";
    srand((double) microtime() * 1000000);
    $newPassword = '';
    for ($i = 1; $i <= $length; $i++) {
        $newPassword .= substr($chars, rand() % strlen($chars) - 1, 1);
    }
    $this->setPassword($newPassword);
    return $newPassword;
}
                        

1. Unauthorized password reset

Password reset functionality is unauthorized allowing anyone to reset the password of any humhub user, provided they know their e-mail address.

2. Limited recovery password characterset

Generated passwords are limited to a lowercase alphanumeric plus $-sign charset and passwords have a static length of 7, both of which are below recommended password practices.

3. Insufficient PRNG seed entropy

PRNG seed entropy (and thus the possible reset password keyspace) is limited to at most 9^6 since the 8-digit precision microseconds in microtime() are limited to 9 characters and multiplication of the result by 1000000 results in a 6-digit number.

4. Adverserial Time Synchronization (ATS) attack

Passwords are generated using a non-cryptographically secure PRNG (php's rand()) seeded in an insecure manner, making it vulnerable to a so-called Adversarial Time Synchronization (ATS) attack [2]. Since reset passwords are generated using PHP's rand() PRNG, seeded by the microtime() function, an attacker can send reset request pairs until the Date field in the server's HTTP response between both requests differs by 1, indicating a second has passed between the first and the second request. This means the clock microseconds have been zeroed between both requests and the value returned by microtime() (from which the reset password is derived) is below an upper limit determined by the average RTT of the reset request, thus greatly reducing the reset password keyspace and making quick bruteforce attacks feasible. Using the Snowflake framework by Argyros et al. [3], a more accurate attack could potentially be developed.

Mitigation

Upgrade to the latest HumHub release [4]

References

1. http://humhub.org

2. http://crypto.di.uoa.gr/CRYPTO.SEC/Randomness_Attacks_files/paper.pdf

3. https://github.com/GeorgeArgyros/Snowflake

4. https://github.com/humhub/humhub/releases

Contact

Voor meer informatie of een vrijblijvende offerte kunt u contact met ons opnemen via contact@leakfree.nl (PGP)