Message-ID: <CAO_YWRWY=7=GS7bAdkueZ9ZJV4ABU5N8WP7OgZmyqJNPk1X3xg@mail.gmail.com>
Date: Thu, 12 Feb 2015 01:13:40 +0000
From: Paul McMillan <paul@...illan.ws>
To: Scott Arciszewski <scott@...iszewski.me>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] CVE-2014-6412 - WordPress (all versions) lacks CSPRNG
Seen this?
https://github.com/altf4/untwister
http://www.irongeek.com/i.php?page=videos/bsideslasvegas2014/bg04-untwisting-the-mersenne-twister-how-i-killed-the-prng-moloch
-Paul
On Tue, Feb 10, 2015 at 4:50 PM, Scott Arciszewski <scott@...iszewski.me> wrote:
> Ticket opened: 2014-06-25
> Affected Versions: ALL
> Problem: No CSPRNG
> Patch available, collecting dust because of negligent (and questionably
> competent) WP maintainers
>
> On June 25, 2014 I opened a ticket on WordPress's issue tracker to expose a
> cryptographically secure pseudorandom number generator, since none was
> present (although it looks like others have tried to hack together a
> band-aid solution to mitigate php_mt_seed until WordPress gets their "let's
> support PHP < 5.3" heads out of their asses).
>
> For the past 8 months, I have tried repeatedly to raise awareness of this
> bug, even going as far as to attend WordCamp Orlando to troll^H advocate
> for its examination in person. And they blew me off every time.
>
> If anyone with RNG breaking experience (cough solar designer cough) can PoC
> it, without the patch I've provided you should be able to trivially predict
> the password reset token for admin users and take over any WordPress site
> completely.
>
> Eight fucking months.
>
> Patch available with unit tests and PHP 5.2 on Windows support at
> https://core.trac.wordpress.org/attachment/ticket/28633/28633.3.patch
>
> Scott
> https://scott.arciszewski.me
> @voodooKobra
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
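Added example for this thread (not code from either message, not WordPress's, and not untwister itself): what the untwister link above does, written out in Python. MT19937 output is a bijective "tempering" of one internal state word, so once an attacker has seen 624 consecutive 32-bit outputs the tempering can be inverted, the full 624-word state rebuilt, and every future output predicted. Python's `random` module is the reference MT19937 and stands in here for PHP's mt_rand(); the leak channel, the token format (`weak_reset_token`) and `predict_next_token` are constructed for the demo. Caveat: PHP's mt_rand() returns the tempered word shifted right by one (31 bits) and pre-7.1 builds use a slightly non-standard twist, which untwister accounts for and this reference implementation does not; php_mt_seed, mentioned in the quoted mail, takes the other route and brute-forces the 32-bit seed instead.

```python
"""Recover MT19937 state from 624 consecutive 32-bit outputs and predict the
next ones. Illustrates why an mt_rand()-style generator must not produce
password-reset tokens. Constructed example; Python's random (reference
MT19937) stands in for PHP's mt_rand()."""
import random
import secrets

N = 624
MASK32 = 0xFFFFFFFF


def temper(x):
    """MT19937 output tempering applied to one 32-bit state word."""
    y = x & MASK32
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_xor(y, shift):
    # y = x ^ (x >> shift): the top `shift` bits of y already equal x's;
    # each pass recovers the next `shift` bits below them.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x & MASK32


def _undo_left_xor_mask(y, shift, mask):
    # y = x ^ ((x << shift) & mask): the low `shift` bits of y equal x's;
    # each pass recovers the next `shift` bits above them.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y):
    """Invert temper(); each tempering step is a bijection on 32-bit words."""
    x = _undo_right_xor(y, 18)
    x = _undo_left_xor_mask(x, 15, 0xEFC60000)
    x = _undo_left_xor_mask(x, 7, 0x9D2C5680)
    x = _undo_right_xor(x, 11)
    return x


def clone_mt19937(outputs):
    """Build a generator whose state equals the victim's after these outputs."""
    if len(outputs) != N:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = [untemper(o) for o in outputs]
    clone = random.Random()
    # Index N means the next call twists the state, as the victim's will.
    clone.setstate((3, tuple(state) + (N,), None))
    return clone


def weak_reset_token(rng):
    """Constructed stand-in for a reset token built from a non-CS PRNG."""
    return "".join(f"{rng.getrandbits(32):08x}" for _ in range(4))


def strong_reset_token():
    """What the patch in the quoted mail argues for: OS-backed CSPRNG output."""
    return secrets.token_hex(16)


def predict_next_token(seed):
    """Simulate the attack: 624 outputs leak (e.g. other mt_rand()-based
    values shown to the attacker), then the attacker predicts the victim's
    next token. Returns (predicted, actual)."""
    victim = random.Random(seed)
    leaked = [victim.getrandbits(32) for _ in range(N)]
    attacker = clone_mt19937(leaked)
    return weak_reset_token(attacker), weak_reset_token(victim)


if __name__ == "__main__":
    guess, real = predict_next_token(secrets.randbits(64))
    print("predicted:", guess)
    print("actual:   ", real, "(match)" if guess == real else "(mismatch)")
    print("CSPRNG token (unpredictable):", strong_reset_token())
```

The seed does not matter to the attacker: `predict_next_token` never passes it to `clone_mt19937`, the state is reconstructed purely from observed output. That is the difference between a statistical PRNG and a CSPRNG, and why `secrets.token_hex` (or, in PHP, an OS-backed source such as what the ticket's patch wraps) is the right tool for reset tokens.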