

Lack of CSPRNG Threatens WordPress Sites - davio
http://threatpost.com/lack-of-csprng-threatens-wordpress-sites/111016

======
dbarlett
This is a very slanted piece. Read the original Trac ticket [1] instead.
Arciszewski's original patch wasn't merged because it was overly broad, lacked
unit tests, and had whitespace problems. He also started emailing one of the
lead developers directly [2] instead of the security team, then got up in arms
about lack of response.

[1] [https://core.trac.wordpress.org/ticket/28633](https://core.trac.wordpress.org/ticket/28633)

[2] [https://core.trac.wordpress.org/ticket/28633#comment:25](https://core.trac.wordpress.org/ticket/28633#comment:25)

~~~
sarciszewski
I would like to clarify that Andrew Nacin is not just "one of the lead
developers", he was the security team member who self-assigned this
deficiency.

Let me put it another way: I contacted the security team, Nacin responded.
Then a mix of human and technological error (he says it was an aggressive spam
filter) led to a communication breakdown.

> Arciszewski's original patch wasn't merged because it was overly broad,
> lacked unit tests, and had whitespace problems.

The problem was that my subsequent updates that addressed these issues were
met with radio silence. Now the developers have gotten actively involved and
they're on version 9 (thanks to dd32). Since the FD post, their response has
been largely professional, proactive, and conservative. I have no complaints
there.

EDIT: Also, my follow-up post to FD about this:
[http://seclists.org/fulldisclosure/2015/Feb/53](http://seclists.org/fulldisclosure/2015/Feb/53)

------
tptacek
MT rand is truly bad at generating security-sensitive randomness. The
exploitability of mt_rand is situational, though, and depends on:

* How long a single process with a single bucket of mt_rand state runs and reveals its state (if it's reloaded over and over, you get fewer bites at the apple to recover that state)

* How it's seeded (if you're in a position that requires you to recover state across multiple reloads)

* How much state is actually revealed (classic example: mt_rand instances that extract a single byte at a time, out of its 32 or 64 bit output)

It's never, ever a good idea to use mt_rand for security, but its mere use is
probably not necessarily a bona fide vulnerability.

~~~
rawnlq
According to this post it seems like you need 624 consecutive values from
mt_rand to recover the seed:
[https://jazzy.id.au/2010/09/22/cracking_random_number_genera...](https://jazzy.id.au/2010/09/22/cracking_random_number_generators_part_3.html)

(I agreed with everything you said, but it was just hard to follow without
understanding how mt rand is usually cracked)

~~~
tptacek
It's more complicated than that. The poster here isn't "cracking" MT, he's
recovering its internal state completely. Partial information gets you to a
place where you can run a cracking-like process against a system of
constraints, though.

In any case: as Stefan Esser points out on Twitter, WordPress doesn't rely on
mt_rand for its password tokens.

------
mkr-hn
Unless I'm reading this wrong, wouldn't it require someone generating a new
password, then never changing it to something else?

~~~
davio
I think that's typical. Not sure if this is the case, but I think the danger
would be if you are able to use a "forgot password" link to enable the token.

~~~
tankenmate
Indeed, create a new throw away account; find out where in the PRNG table the
password came from for this throw away account. Use that information to guess
the next "Reset password" password then use that to hijack the target account.

------
leepowers
Is there a WordPress plugin that implements the updated RNG? The `wp_rand`
function is pluggable.

It's heartening to see this addressed _before_ it becomes a vulnerability.
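
One way to answer the pluggable `wp_rand` question above, which also makes concrete the mt_rand concern in tptacek's comment earlier in the thread. This is an added example: it is not WordPress core, not an existing plugin, and not any commenter's code. It assumes PHP 7.0+ (for `random_int()`) and that `wp_rand()` is declared in `wp-includes/pluggable.php`, so a same-named function loaded earlier from a must-use plugin takes precedence; the "0 means full 32-bit range" default and the two token functions are illustrative assumptions, not core's exact code.

```php
<?php
/**
 * Plugin Name: CSPRNG-backed wp_rand (added example)
 *
 * Added example, not WordPress core and not an existing plugin. Assumptions
 * (not stated in the thread): PHP 7.0+ so random_int() exists, and that
 * wp_rand() is declared in wp-includes/pluggable.php, so a same-named function
 * loaded earlier (from wp-content/mu-plugins/) is the one WordPress uses.
 */

if ( ! function_exists( 'wp_rand' ) ) {
	/**
	 * Return an integer in [$min, $max] drawn from the operating system CSPRNG.
	 *
	 * Keeps the calling convention the comment relies on: a $max of 0 means
	 * "full 32-bit unsigned range" (assumed to match core; clamped to
	 * PHP_INT_MAX on 32-bit builds, where 4294967295 is not an int).
	 */
	function wp_rand( $min = 0, $max = 0 ) {
		$min = (int) $min;
		$max = (int) $max;

		if ( 0 === $max ) {
			$max = ( PHP_INT_SIZE >= 8 ) ? 4294967295 : PHP_INT_MAX;
		}
		if ( $min > $max ) {
			list( $min, $max ) = array( $max, $min );
		}

		// random_int() reads getrandom(2), /dev/urandom or CryptGenRandom.
		// There is no user-space generator state for an observer to
		// reconstruct, which is exactly the property mt_rand() lacks.
		return random_int( $min, $max );
	}
}

/**
 * The pattern tptacek describes: every mt_rand() call exposes part of a
 * 624-word generator state that persists for the whole request. Kept here
 * only as the "before" to contrast with the hardened version below.
 */
function example_token_mt_rand( $length = 20 ) {
	$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
	$token = '';
	for ( $i = 0; $i < $length; $i++ ) {
		$token .= $chars[ mt_rand( 0, strlen( $chars ) - 1 ) ];
	}
	return $token;
}

/**
 * Same shape, hardened: each character index comes from the CSPRNG, and
 * random_int() is uniform over the closed range, so no rejection loop is
 * needed to avoid modulo bias.
 */
function example_token_csprng( $length = 20 ) {
	$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
	$token = '';
	for ( $i = 0; $i < $length; $i++ ) {
		$token .= $chars[ random_int( 0, strlen( $chars ) - 1 ) ];
	}
	return $token;
}
```

Dropping this file into `wp-content/mu-plugins/` only changes what callers of `wp_rand()` see; any code that calls `mt_rand()` directly is unaffected, so an audit of a site still needs to grep plugins and themes for direct `mt_rand`/`rand` use in anything that produces a secret.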

------
CHY872
Mm, seems a bit hyperbolic, like a Wired article.

