Advisory 04/2008: Joomla Weak Random Password Reset Token Vulnerability

                          SektionEins GmbH
                         www.sektioneins.de

                      -= Security  Advisory =-

     Advisory: Joomla Weak Random Password Reset Token Vulnerability
 Release Date: 2008/09/11
Last Modified: 2008/09/11
       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: Joomla <= 1.5.7
     Severity: Usage of mt_rand() and mt_srand() for generation
               of cryptographic secrets like random password
               reset tokens
         Risk: High
Vendor Status: Vendor has released a partially fixed Joomla 1.5.7
    Reference: http://www.sektioneins.de/advisories/advisory-042008-joomla-weak-random-password-reset-token-vulnerability.html
               http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/

Overview:

   Quote from http://www.joomla.org
   "Joomla is an award-winning content management system (CMS), which
    enables you to build Web sites and powerful online applications.
    Many aspects, including its ease-of-use and extensibility, have
    made Joomla the most popular Web site software available."

   During an analysis of the password reset vulnerability fixed in
   Joomla 1.5.6 we realized that Joomla does not only generate random
   password reset tokens with mt_rand(), which is not secure enough
   for cryptographic secrets anyway, but additionally initializes the
   PRNG with a weak seed that results in less than 1.000.000 possible
   password reset tokens.

   Because there are only 1.000.000 possible password reset tokens an
   attacker can trigger a reset of the admin password and then try out
   all possible password reset tokens until he finds the correct one.
   Even with a home DSL line (as used in germany) breaking into the
   admin account should be possible in less than 3 hours. However
   attackers are usually bouncing over much faster hosts.

   In response to our report Joomla 1.5.7 was released (without sharing
   the patch with us prior the release) which replaces the very weak PRNG
   seeding with a new seed that is about 2^32 in strength. While this
   stops the simple brute forcing attack Joomla's password reset token
   is still vulnerable to mt_rand() leak attacks and because Joomla still
   seeds the PRNG with mt_srand() it is a potential threat to other PHP
   applications or plugins using mt_rand() on the same server.

Details:

   The problems arising from using mt_(s)rand for cryptographic secrets
   and possible attacks against PHP's PRNG and PHP applications using it
   are explained by the blog post "mt_(s)rand and not so random numbers"
   which is available here:

   http://www.suspekt.org/2008/08/17/mt_srand-and-not-so-random-numbers/

Proof of Concept:

   SektionEins GmbH is not going to release a proof of concept
   exploit for this vulnerability.

Disclosure Timeline:

   15. Aug 2008 - Sent notification to Joomla about the vulnerability
   20. Aug 2008 - Resent notification because no reply from Joomla
   20. Aug 2008 - Received confirmation
   21. Aug 2008 - Received a forwarded message from vendor-sec discussing
                  the vulnerability - obviously Joomla shared our report
                  with vendor-sec without asking or notifying us.
   21. Aug 2008 - In a reply to the forwarded message we recommended NOT
                  TO USE mt_srand for the password reset
   03. Sep 2008 - On Joomla.org appears a blog post notifying their users
                  that they should upgrade to Joomla 1.5.6 immediately
                  because of security issues with the password reset
   09. Sep 2008 - The Joomla Development Team releases Joomla 1.5.7
                  without telling us about this or consulting us to review
                  their patch
   11. Sep 2008 - Public Disclosure after learning about the new
                  Joomla 1.5.7 in the media

Recommendation:

   It is recommended to upgrade not only to the latest version of Joomla
   which also fixes additional vulnerabilities reported by third parties,
   but also to install the Suhosin PHP extension, which comes with a
   generic protection against mt_(s)rnad vulnerabilities.

   Upgrading only Joomla does not fix the whole problem.

   Grab your copies at:

   http://www.joomla.org
   http://www.suhosin.org

CVE Information:

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   not assigned a name to this vulnerability yet.

GPG-Key:

   pub  1024D/15ABDA78 2004-10-17 Stefan Esser <stefan.esser@sektioneins.de>
   Key fingerprint = 7806 58C8 CFA8 CE4A 1C2C  57DD 4AE1 795E 15AB DA78

Copyright 2008 SektionEins GmbH. All rights reserved.</stefan.esser@sektioneins.de>