Re: CVE-2014-6412 - WordPress (all versions) lacks CSPRNG

[Paul McMillan <paul () mcmillan ws>]

Seen this?

https://github.com/altf4/untwister

http://www.irongeek.com/i.php?page=videos/bsideslasvegas2014/bg04-untwisting-the-mersenne-twister-how-i-killed-the-prng-moloch

-Paul

On Tue, Feb 10, 2015 at 4:50 PM, Scott Arciszewski <scott () arciszewski me> wrote:
> Ticket opened: 2014-06-25
> Affected Versions: ALL
> Problem: No CSPRNG
> Patch available, collecting dust because of negligent (and questionably
> competent) WP maintainers
>
> On June 25, 2014 I opened a ticked on WordPress's issue tracker to expose a
> cryptographically secure pseudorandom number generator, since none was
> present (although it looks like others have tried to hack together a
> band-aid solution to mitigate php_mt_seed until WordPress gets their "let's
> support PHP < 5.3" heads out of their asses).
>
> For the past 8 months, I have tried repeatedly to raise awareness of this
> bug, even going as far as to attend WordCamp Orlando to troll^H advocate
> for its examination in person. And they blew me off every time.
>
> If anyone with RNG breaking experience (cough solar designer cough) can PoC
> it, without the patch I've provided you should be able to trivially predict
> the password reset token for admin users and take over any WordPress site
> completely.
>
> Eight fucking months.
>
> Patch available with unit tests and PHP 5.2 on Windows support at
> https://core.trac.wordpress.org/attachment/ticket/28633/28633.3.patch
>
> Scott
> https://scott.arciszewski.me
> @voodooKobra
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/