vendor:
Simple Machines Forum
by:
Raz0r
7.5
CVSS
HIGH
Random Number Generator Prediction
330
CWE
Product Name: Simple Machines Forum
Affected Version From: 1.1.2005
Affected Version To: 1.1.2005
Patch Exists: YES
Related CWE: N/A
CPE: a:simplemachines:simple_machines_forum
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2008
SMF <= 1.1.5 Admin Reset Password Exploit (win32-based servers)
SMF leaks current state of random number generator through hidden input parameter `sc` of the password reminder form. Since max random number generated with rand() on win32 is 32767 and session id is known an attacker can reverse the md5 hash and get the random number value. On win32 every random number generated with rand() is used as a seed for the next random number. So if SMF is installed on win32 platform an attacker can predict all the next random numbers. When password reset is requested SMF uses rand() function to generate validation code.
Mitigation:
Upgrade to the latest version of SMF.