Missing Cryptographic Step in w7corp/easywechat

Valid

Reported on

Jun 29th 2021

✍️ Description

The method encryptsensitiveinformation() in BaseClient.php uses the RSA algorithm without OAEP padding, thereby making the encryption weak.

In order to use RSA securely, the OAEP padding mode (Optimal Asymmetric Encryption Padding) must be used.

This category was derived from the Cigital Java Rulepack. http://www.cigital.com/

🕵️‍♂️ Proof of Concept

//The following code uses RSA encryption algorithm without appropriate padding
    protected function encryptSensitiveInformation(string $string)
    {
        $certificates = $this->app['config']->get('certificate');
        if (null === $certificates) {
            throw new InvalidArgumentException('config certificate connot be empty.');
        }

        $encrypted = '';
        $publicKeyResource = openssl_get_publickey($certificates);
        $f = openssl_public_encrypt($string, $encrypted, $publicKeyResource);
        openssl_free_key($publicKeyResource);
        if ($f) {
            return base64_encode($encrypted);
        }

💥 Impact

When used in practice, RSA is generally combined with some padding scheme. The goal of the padding scheme is to prevent a number of attacks that potentially work against RSA without padding.

References

We have contacted a member of the w7corp/easywechat team and are waiting to hear back 2 years ago
Akshay Jain submitted a
patch
2 years ago
Akshay Jain
2 years ago

Researcher

https://github.com/w7corp/easywechat/pull/2135

安正超 validated this vulnerability 2 years ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
安正超 marked this as fixed with commit 0be9f8 2 years ago
Akshay Jain has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation