home page || follow my twitter || blog || email me || samy kamkar

Read the full PHPWN paper here (presented at Black Hat & DEF CON 2010)

phpwn: Attack on PHP sessions and random numbers

Studying PHP's (5.3.1 and below) LCG (linear congruential generator, a pseudorandom number generator), I discovered that there are weaknesses that reduce the complexity of determining the sequence of pseudorandom numbers. What this means is that PHP is severely deficient in producing random session IDs or random numbers, leading to the possibility of stealing sessions or other sensitive information.

The initial seed can be reduced from 64-bits to 35-bits, and with PHP code execution, can be reduced further down to just under 20-bits, which takes only seconds to recreate the initial seed. You can test with sources available below.

Mad hax0r pr0pz to Arshan "DHS-most-wanted" Dabirsiaghi (bless you) and Amit "smartypants" Klein for pointing me in the right direction with the LCG. Other tools to work out the LCG in forward and reverse, as well as determine session IDs, found below.


Warning: session_start(): Cannot send session cookie - headers already sent by (output started at /var/www/samy/phpwn/index.php:21) in /var/www/samy/phpwn/index.php on line 25

Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /var/www/samy/phpwn/index.php:21) in /var/www/samy/phpwn/index.php on line 25
Hi 3.16.135.226! The time is 1733247268

To test breaking the seed, run the following (after compiling s1s2.c)
time ./s1s2 13806 0.81230854966986

Can you guess my next lcg_value based off the above? (hint: it's 0.11178542419481).
Test by running: time ./lcg-state-forward [s1] [s2] 100

Your session_id is 47dc3ee10ef6c19c33f5a45c11e09e24 (or just look at your cookie)

Source for this page:
session_start();

echo "Hi $_SERVER[REMOTE_ADDR]! The time is " . time() . "<p>";

echo "To test breaking the seed, run the following (after compiling <a href='s1s2.c'>s1s2.c</a>)<br>";

echo "<code>time <a href='s1s2.c'>./s1s2</a> " . getmypid() . " " . lcg_value() . "</code><p>";

echo "Can you guess my next lcg_value based off the above? (hint: it's " . lcg_value() . ").<br>";
echo "Test by running: <code>time <a href='lcg-state-forward.c'>./lcg-state-forward</a> [s1] [s2] 100</code><p>";

echo "Your <a href='http://www.test.com/search?q=" . session_id() . "'>session_id</a> is " . session_id() . " (or just look at your cookie)";

Index of /phpwn

[ICO]NameLast modifiedSizeDescription
[DIR]Parent Directory  -
[TXT]lcg-state-forward.c07-Jan-2010 11:53 1.0K
[TXT]lcg-state-reverse.c06-Sep-2009 10:44 2.7K
[TXT]s1s2-rand.c06-Sep-2009 10:44 2.1K
[TXT]s1s2-session.c06-Sep-2009 10:44 3.2K
[TXT]s1s2.c07-Jan-2010 11:44 3.4K
[TXT]time-lcg-session.c07-Jan-2010 11:45 3.2K
[TXT]time-session.c07-Jan-2010 11:46 4.6K
developed by samy kamkar, 08/24/2009