PHP blunders with random numbers
Security expert Andreas Bogk warns that, despite recent PHP improvements, the session IDs of users who are logged into PHP applications remain guessable. Upon close examination, the alleged improvements display frightening weaknesses.
PHP assigns a session ID in order to allow individual page calls to be allocated to a specific logged-in user. To prevent attackers from using a forged session ID to take control of a session, the ID is supposedly chosen at random. When computers require random numbers, a pseudo-random number generator such as the Linear Congruential Generator (LCG) is almost always used. Such generators use mathematical operations to produce a stream of numbers that are random at least in so far as it is impossible to predict future numbers from the numbers already generated. However, a person who knows the initial state – the initialisation or seed value – of the generator can execute the same operations and calculate every pseudo-random number it generates. It is therefore essential that truly unpredictable numbers are used as the seed for initialising these generators.
Hacker Samy Kamkar, however, demonstrated that in the case of PHP this wasn't done, and used a small program to predict session IDs with sufficient accuracy to at least make trying out the remaining possibilities feasible. This prompted the PHP team to "improve" the LCG's initialisation, so that this specific attack has not worked since PHP 5.3.2 and 5.2.13. However, a closer look at the changes reveals clear weaknesses. For instance, a developer added the following comment to one of the changes:
/* Add entropy to s2 by calling gettimeofday() again */
This means that the developer uses a second system time call, made shortly after the first, as an additional 'random' source. We could compare this with someone who, having concluded that the number X is too easy to guess, proceeds to combine it with X + 23. "This doesn't give much extra entropy", as Bogk puts it. At least the developers only used the lower bits of the time value rather than the whole value, which contains more predictable information such as the day and hour.
Andreas Bogk analyses further weaknesses in his advisory. He says that this approach reduces the unknown entropy to "the process ID and a few microseconds", from which he concludes that the session IDs remain guessable. Towards the end of his advisory, Bogk recommends that the PHP developers brush up their cryptography knowledge. Incidentally, PHP installations which use the Suhosin extension are not affected.
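To put a number on Bogk's point, the following added example (not from the article, and not PHP's own source) models the seeding as the article describes it: s1 from one clock reading, s2 from the process ID mixed with a second reading taken microseconds later. It counts how many distinct seed values that second call can actually contribute once the first reading is known, and contrasts it with seeding from the operating system's CSPRNG. The `<< 11` mixing, the 32-bit word size, a pid_max of 32768 and the assumption that an observer knows the server clock to the second are all modelling assumptions, not facts taken from the page.

```python
import math
import os

MASK32 = 0xFFFFFFFF
MAX_PID = 32768  # classic Linux pid_max; a modelling assumption


def seed_s1(sec: int, usec: int) -> int:
    """First clock reading: seconds mixed with microseconds (mixing is an assumption)."""
    return (sec ^ (usec << 11)) & MASK32


def seed_s2(pid: int, usec: int) -> int:
    """Process ID 'improved' with the microseconds of a second clock call."""
    return (pid ^ (usec << 11)) & MASK32


def s2_candidates(pid: int, first_usec: int, max_delta_us: int) -> set[int]:
    """Every s2 value reachable when the second call lands 0..max_delta_us after the first."""
    return {seed_s2(pid, (first_usec + d) % 1_000_000) for d in range(max_delta_us + 1)}


def extra_entropy_bits(first_usec: int, max_delta_us: int, pid: int = 1234) -> float:
    """Bits of entropy the second clock call adds once the first call's time is known."""
    return math.log2(len(s2_candidates(pid, first_usec, max_delta_us)))


def seed_space_bits(max_delta_us: int, usec_uncertainty: int = 1_000_000) -> float:
    """Upper bound on the unknown seed material, assuming the time is known to the second:
    the process ID, the first call's microseconds and the delay before the second call."""
    candidates = MAX_PID * usec_uncertainty * (max_delta_us + 1)
    return math.log2(candidates)


def seed_from_os() -> tuple[int, int]:
    """The remedy: draw both seed words from the OS CSPRNG instead of the clock and pid."""
    raw = os.urandom(8)
    return int.from_bytes(raw[:4], "big"), int.from_bytes(raw[4:], "big")


if __name__ == "__main__":
    print(f"second call within 10 us adds {extra_entropy_bits(500_000, 10):.2f} bits")
    print(f"unknown seed material <= {seed_space_bits(10):.1f} bits (64 nominal)")
    print("CSPRNG seeds:", seed_from_os())
```

With a 10 microsecond window the second call contributes only about 3.5 bits, and the whole seed, nominally two 32-bit words, is left with well under 40 bits of unknown material.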
- Second maintenance release for PHP 5.3, a report from The H.