Advisory 02/2010: MyBB Password Reset Weak Random Numbers Vulnerability

                     SektionEins GmbH
                    www.sektioneins.de

                 -= Security  Advisory =-

 Advisory: MyBB Password Reset Weak Random Numbers Vulnerability

Release Date: 2010/04/13
Last Modified: 2010/04/13
Author: Stefan Esser [stefan.esser[at]sektioneins.de]

Application: MyBB <= 1.4.11
Severity: Usage of weak random number generation in password reset
functionality allows predicting the password reset token
and the randomly generated password, which results in
account takeover.
Risk: Critical
Vendor Status: MyBB 1.4.12 was released which partly fixes this
vulnerability
Reference:
http://www.sektioneins.com/en/advisories/advisory-022010-mybb-password-reset-weak-random-numbers-vulnerability/

http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/

Overview:

Quote from http://www.mybboard.net
"MyBB is a discussion board that has been around for a while; it has
evolved from other bulletin boards into the forum package it is
today. Therefore, it is a professional and efficient discussion
board, developed by an active team of developers. The MyBB history
has been recorded and is available for the interested to read.
You can also read more about the MyBB team and why they develop
MyBB in their spare time. We also like to highlight the most
active and contributing fansites of the MyBB community."

During evaluation of various password reset implementations it was
discovered that MyBB uses weak random numbers when generating the
password reset token and randomly generated passwords.

A malicious user can takeover arbitrary accounts if PHP processes
are reused by the webserver. The most common PHP installation:
mod_php with activated keep-alive request is therefore vulnerable.

Details:

In various places MyBB seeds the random number generator with the
mt_srand() function.

// Setup a unique posthash for attachment management
if(!$mybb->input['posthash'] && $mybb->input['action'] != "editdraft")
{
   mt_srand((double) microtime() * 1000000);
   $posthash = md5($mybb->user['uid'].mt_rand());
}

Code like this will seed the random number generator with only
one million different seed values. In addition to that the first
generated random number will be leaked to the user in form of the
post hash. Because the user knows his 'uid' it is easy to find the
seed used by just bruteforcing the one million possibilities.
A normal desktop PC is able to perform this attack in less than a
second.

Because the state of the random number generator is shared by
requests handled by the same PHP process a password reset triggered
afterwards will therefore use a state known by the attacker.

The password reset will first create a random password reset token
that is sent to the user. If this token is used the second step of
the password reset will generate a new random password. Both random
strings are generated by the following function.

 function random_str($length="8")
 {
    $set =array("a","A","b","B","c","C","d","D","e","E","f","F",
                "g","G","h","H","i","I","j","J","k","K","l","L",
                "m","M","n","N","o","O","p","P","q","Q","r","R",
                "s","S","t","T","u","U","v","V","w","W","x","X",
            "y","Y","z","Z","1","2","3","4","5","6","7","8","9");
    $str = '';

    for($i = 1; $i <= $length; ++$i)
    {
       $ch = mt_rand(0, count($set)-1);
       $str .= $set[$ch];
    }

    return $str;
 }

The problem with this code is that is uses mt_rand() to generate
the random strings and the state of the mt_rand() number generator
is known to the remote attacker. He is therefore able to predict
both the genersted password reset token and also the new password.
This allows taking over arbitrary accounts.

This vulnerability was fixed by the vendor by reseeding the random
number generator on every request with a securely generated seed.
This renders the discovered attack infeasible but might be vulnerable
to future attacks. We therefore recommended an additional safeguard
that might make it into the next release version.

Furthermore it should be noted that users of the Suhosin Extension
version 0.9.26 or newer are safe from this class of attacks because
random numbers generated by rand() and mt_rand() are more secure by
default.

Proof of Concept:

SektionEins GmbH is not going to release a proof of concept
exploit for this vulnerability.

Disclosure Timeline:

31. March 2010 - Notified the MyBB devs via security contact form
32. April 2010 - MyBB developers released MyBB 1.4.12
33. April 2010 - Public Disclosure

Recommendation:

It is recommended to upgrade to the latest version of MyBB.
However we hope that our late recommendations for more secure
random number generation will make it into the next release.

Grab your copy at:
http://mybboard.net/downloads

CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
not assigned a name to this vulnerability.

Month of PHP Security:

If you have a non-public vulnerability like this don't hesitate to
submit it to the Month of PHP Security. Further information at

http://php-security.org

GPG-Key:

pub 1024D/15ABDA78 2004-10-17 Stefan Esser
Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78

Copyright 2010 SektionEins GmbH. All rights reserved.