Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) in alovoa/alovoa
Reported on Jun 25th 2021
✍️ Description
Random.setSeed should not be called with a constant integer argument. If a Random object is seeded with a specific value, the values returned by Random.nextInt() and similar methods which return or assign values are predictable.
🕵️‍♂️ Proof of Concept
Vulnerable code at OxCaptcha.java:482:
public void noiseStrokes(int strokes, float width) {
    // Constant seed: every call restarts RAND at the same point in its sequence.
    RAND.setSeed(49);
    _img_g.setStroke(new BasicStroke(width));
    _img_g.setColor(_fg_color);
    for (int i = 0; i < strokes; i++) {
        Path2D.Double path = new Path2D.Double();
        path.moveTo(RAND.nextInt(_width), RAND.nextInt(_height));
        path.curveTo(RAND.nextInt(_width), RAND.nextInt(_height), RAND.nextInt(_width), RAND.nextInt(_height),
                RAND.nextInt(_width), RAND.nextInt(_height));
        _img_g.draw(path);
    }
}
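The effect of the constant seed, as an added example that is not code from the report or from the alovoa project: the fixed-seed path returns the same stroke coordinates on every call, while a self-seeded SecureRandom does not. It assumes RAND is a java.util.Random; the class name SeedDemo, the helper methods, the image dimensions and the choice of SecureRandom as the replacement are all assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

public class SeedDemo {
    // Constructed dimensions for illustration; not taken from the project.
    static final int WIDTH = 200, HEIGHT = 50;

    // Mirrors the seeding pattern in noiseStrokes(): the seed is reset to a
    // constant before drawing, so the coordinate sequence restarts every call.
    static int[] strokeCoordsFixedSeed(Random rand) {
        rand.setSeed(49);
        return coords(rand);
    }

    // Hardened form: no setSeed() call; SecureRandom seeds itself from the OS.
    static int[] strokeCoordsSecure(SecureRandom rand) {
        return coords(rand);
    }

    // The eight values that one moveTo() plus curveTo() pair consumes,
    // drawn in the same width/height order as the original method.
    static int[] coords(Random rand) {
        int[] c = new int[8];
        for (int i = 0; i < c.length; i += 2) {
            c[i] = rand.nextInt(WIDTH);
            c[i + 1] = rand.nextInt(HEIGHT);
        }
        return c;
    }

    public static void main(String[] args) {
        Random shared = new Random();
        int[] first = strokeCoordsFixedSeed(shared);
        int[] second = strokeCoordsFixedSeed(shared);
        System.out.println("fixed seed, call 1: " + Arrays.toString(first));
        System.out.println("fixed seed, call 2: " + Arrays.toString(second));
        System.out.println("identical: " + Arrays.equals(first, second));

        SecureRandom secure = new SecureRandom();
        int[] a = strokeCoordsSecure(secure);
        int[] b = strokeCoordsSecure(secure);
        System.out.println("SecureRandom, call 1: " + Arrays.toString(a));
        System.out.println("SecureRandom, call 2: " + Arrays.toString(b));
        System.out.println("identical: " + Arrays.equals(a, b));
    }
}
```

Because the seed is reset inside the method, the repetition holds across images of the same size, not just across program runs.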
poc.php
#!/usr/bin/env php
<?php
// Print usage and exit when the seed or offset argument is missing.
if ($argc < 3)
{
    print($argv[0] . ' <seed> <offset>' . "\n");
    print('' . "\n");
    print('Parameters:' . "\n");
    print(' seed: Seed to initialize mt_rand() with' . "\n");
    print(' offset: Number of calls to mt_rand() before printing the first');
    print(' output' . "\n");
    print('' . "\n");
    print('Output:' . "\n");
    print(' <offset>\'s call to mt_rand() and <offset+227>\'s call');
    print(' to mt_rand()' . "\n");
    exit();
}

// Seed the generator with the supplied value.
mt_srand((int) $argv[1]);

// Discard the first <offset> outputs.
for ($i = 0; $i < (int) $argv[2]; $i++)
    mt_rand();
print mt_rand() . " ";

// Skip 226 more outputs, then print the one 227 calls after the first.
for ($i = 0; $i < 226; $i++)
    mt_rand();
print mt_rand() . "\n";
💥 Impact
This vulnerability is capable of...
Occurrences
Hey Akshay, since I was not able to find a security policy or other method of contact, I've created an issue on the repo asking for a way to responsibly disclose this vulnerability. Waiting to hear back; good job!