paragonie / random_compat

PHP 5.x support for random_bytes() and random_int()
https://paragonie.com/projects
MIT License

Attacker can write to /dev/urandom on Windows; subsequent reads get non-random data #49

Closed cweagans closed 9 years ago

cweagans commented 9 years ago

See https://www.drupal.org/node/2550519#comment-10442967 for the concern. Is this something that you'd be interested in mitigating in random_compat?

paragonie-scott commented 9 years ago

See the latest comments in #5 -- if we drop support for old OpenSSL we'll have to tag that as a 1.1.0 branch because of BC concerns.

cweagans commented 9 years ago

Actually, this doesn't have anything to do with OpenSSL.

The idea is that if some process manages to write a file to /dev/urandom on Windows, anything that's trying to read /dev/urandom will get a decidedly non-random value (i.e. just the contents of the file).

tom-- commented 9 years ago

/dev/urandom on Windows

?

cweagans commented 9 years ago

Yes, I know it doesn't exist. If you try to write a file to /dev/urandom, it's presumably saved somewhere, right? I'm really not sure, to be honest. It's been a long, long time since I've done anything on a Windows box. Followed up on the d.o issue for clarification: https://www.drupal.org/node/2550519#comment-10443329

tom-- commented 9 years ago

I get it. On Windows, an attacker could write a file to "C:\dev\urandom" and an unwitting PHP script might read that when reading from path "/dev/random" and not know that it's bogus.

I have to try this out right away. It's a terrifying idea.

cweagans commented 9 years ago

Right. It seems like PHP should complain loudly about that, but then again, there's a lot of things PHP should do that it doesn't (and vice versa).

tom-- commented 9 years ago

https://gist.github.com/tom--/556f475c44516d296270

This is really serious.

cweagans commented 9 years ago

omfg.

paragonie-scott commented 9 years ago

Right. This won't work on random_compat because we have sanity checks already.

But excluding Windows from ever attempting /dev/urandom hurts nothing: https://github.com/paragonie/random_compat/commit/f56c3e7cf10c5860f69ef67c24d84fc8508c2140
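The two defenses mentioned in the comment above (skipping `/dev/urandom` on Windows, and sanity-checking what was opened) can be sketched as follows. This is an added example, not code from random_compat or from anyone in this thread; the function name `read_urandom_checked` is hypothetical.

```php
<?php
// Added illustration; not random_compat's code. The function name is hypothetical.

/**
 * Read $length bytes from /dev/urandom, refusing anything that is not
 * a real character device on a non-Windows system.
 */
function read_urandom_checked($length)
{
    if (!is_int($length) || $length < 1) {
        throw new InvalidArgumentException('Length must be a positive integer');
    }
    // On Windows "/dev/urandom" resolves to an ordinary path on the current
    // drive (e.g. C:\dev\urandom), which may be a planted regular file.
    if (DIRECTORY_SEPARATOR !== '/') {
        throw new RuntimeException('Refusing to use /dev/urandom on this platform');
    }
    $fp = @fopen('/dev/urandom', 'rb');
    if ($fp === false) {
        throw new RuntimeException('Could not open /dev/urandom');
    }
    // Inspect the open handle rather than the path, so the object that was
    // checked is the same object that is read.
    $st = fstat($fp);
    if ($st === false || ($st['mode'] & 0170000) !== 0020000) { // S_IFMT, S_IFCHR
        fclose($fp);
        throw new RuntimeException('/dev/urandom is not a character device');
    }
    // Turn off PHP's read buffer so only the requested bytes are consumed.
    stream_set_read_buffer($fp, 0);

    $buf = '';
    while (strlen($buf) < $length) {
        $chunk = fread($fp, $length - strlen($buf));
        if ($chunk === false || $chunk === '') {
            fclose($fp);
            throw new RuntimeException('Short read from /dev/urandom');
        }
        $buf .= $chunk;
    }
    fclose($fp);
    return $buf;
}

echo bin2hex(read_urandom_checked(16)), PHP_EOL;
```

A regular file written to the same path fails the `S_IFCHR` test, so the function throws instead of returning attacker-chosen bytes.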

narfbg commented 9 years ago

This has never been a problem for random_compat - I know because I was looking for it while initially reviewing the code and would've alerted about it.

tom-- commented 9 years ago

I'm very glad to hear that.

What's terrifying is for years we've been telling people "use dev urandom" without warning them about this hazard. This is a very easy thing to overlook.

tom-- commented 9 years ago

@cweagans I produced an infographic. Perhaps you'd like to share it on that Drupal issue.

[Infographic: dev random on Windows]

paragonie-scott commented 9 years ago

Do the added checks, plus the ones that we already had in place, solve this issue?

tom-- commented 9 years ago

@paragonie-scott I think so.