Message-ID: <20170822213252.GA11156@openwall.com>
Date: Tue, 22 Aug 2017 23:32:52 +0200
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] php_mt_seed 4.0 adds PHP 7.1.0+ and 5.2.0- support

Hi,

php_mt_seed is a PHP mt_rand() seed cracker.

A couple of weeks ago, I announced php_mt_seed 3.3, which expanded support for SIMD instruction sets from the previous range of SSE4.1 to AVX2/MIC to also include SSE2 on the lower end and AVX-512 on the high end:

http://www.openwall.com/lists/announce/2017/08/06/1

Now I announce php_mt_seed 4.0, which expands the range of supported PHP versions from the previous 5.2.1 to 7.0.x to also include 3.0.7 to 5.2.0 on the legacy side and 7.1.0+ to current latest (7.2.0beta3 as of this writing) and hopefully beyond on the modern side.

The new php_mt_seed 4.0 is downloadable at the usual location:

http://www.openwall.com/php_mt_seed/

php_mt_seed 4.0 automatically checks for seeds for the 3 major revisions of PHP's mt_rand() algorithm. First it searches for seeds for the legacy PHP 3.0.7 to 5.2.0, which it typically completes in a fraction of a second. Then it proceeds to search for seeds for PHP 5.2.1 to 7.0.x and for PHP 7.1.0+ simultaneously, which takes a while.

Curiously, in the simplest cases (such as when searching for seeds for the very first mt_rand() output after seeding) there's essentially no slowdown from supporting those 3 PHP version ranges at once. That's because the attack on legacy PHP 3.0.7 to 5.2.0 is so quick (due to precomputation of 69069 raised to the power 396 (mod 2**32), for the curious), and the attack on PHP 5.2.1+ has most of its processing common with the attack on PHP 7.1.0+. In more complex cases, the 3 algorithms deviate to a greater extent, so significant slowdown may be seen.

In a future version of php_mt_seed, I might add a way to specify which PHP version(s) to target, but meanwhile php_mt_seed only outputs which PHP versions the found seeds are for, like this (on dual E5-2670 v1):

$ time ./php_mt_seed 1871584565
Pattern: EXACT
Version: 3.0.7 to 5.2.0
Found 0, trying 0x48000000 - 0x4bffffff, speed 24159.2 Mseeds/s
seed = 0x4be01ac0 = 1272978112 (PHP 3.0.7 to 5.2.0)
seed = 0x4be01ac1 = 1272978113 (PHP 3.0.7 to 5.2.0)
Found 2, trying 0x5c000000 - 0x5fffffff, speed 25725.1 Mseeds/s
seed = 0x5fe49e4e = 1608818254 (PHP 3.0.7 to 5.2.0)
seed = 0x5fe49e4f = 1608818255 (PHP 3.0.7 to 5.2.0)
Found 4, trying 0xfc000000 - 0xffffffff, speed 28185.7 Mseeds/s
Version: 5.2.1+
Found 4, trying 0x86000000 - 0x87ffffff, speed 234.4 Mseeds/s
seed = 0x86d2e002 = 2261966850 (PHP 7.1.0+)
Found 5, trying 0xc2000000 - 0xc3ffffff, speed 234.5 Mseeds/s
seed = 0xc24768d7 = 3259459799 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0xc24768d7 = 3259459799 (PHP 7.1.0+)
Found 7, trying 0xc6000000 - 0xc7ffffff, speed 234.4 Mseeds/s
seed = 0xc6d8b812 = 3336091666 (PHP 5.2.1 to 7.0.x; HHVM)
seed = 0xc6d8b812 = 3336091666 (PHP 7.1.0+)
Found 9, trying 0xfe000000 - 0xffffffff, speed 234.5 Mseeds/s
Found 9

real    0m18.478s
user    9m48.751s
sys     0m0.015s

Besides the addition of support for more PHP versions, I've also cleaned up the code (so that the source file size increased only from 18 KB to 19 KB, despite the major added functionality) and rewrote new/real documentation (the README file is now up to 29 KB, so larger than the source code). Like before, README is also viewable on the web, with HTML formatting:

http://www.openwall.com/php_mt_seed/README

Its table of contents is:

	What is php_mt_seed?
	Why crack mt_rand() seeds?
	How to build php_mt_seed
	How to use php_mt_seed
	Command-line syntax
	Complex usage example
	When extra tools or php_mt_seed changes are needed
	Xeon Phi specifics
	PHP version curiosities (mostly unimportant)
	Contact info

The section on "PHP version curiosities" is quite lengthy and describes the history of PHP's mt_rand() since its introduction in PHP 3.0.6 to present day and even beyond, talking about two current bugs that are likely to get fixed. I discovered and reported one of those bugs during work on this version of php_mt_seed, and a PHP developer discovered the other while proposing a fix for the bug I reported.

Finally, I've added to the php_mt_seed homepage many links to external web pages illustrating usage of php_mt_seed (including CTF writeups) and, separately, to other relevant external web pages and projects, which together cover PRNG seed cracking way beyond PHP's mt_rand() and provide a historical background. This took quite some effort, and I hope some of you find it useful.

Alexander
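An added example, not part of the announcement and not code from php_mt_seed: it computes the first mt_rand() output of legacy PHP for a given seed, showing where the 69069^396 constant comes from and why the legacy seeds in the run above appear in pairs differing only in the lowest bit. Assumptions (recalled from PHP's Cokus-derived Mersenne Twister, not stated in the message): legacy seeding sets state[i] = (seed | 1) * 69069^i mod 2^32, and the first output is the tempered, right-shifted-by-one first word of the reloaded state; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* MT19937 tempering, then the >> 1 that mt_rand() applies (assumed). */
static uint32_t temper_php(uint32_t y)
{
    y ^= y >> 11;
    y ^= (y << 7) & 0x9d2c5680U;
    y ^= (y << 15) & 0xefc60000U;
    y ^= y >> 18;
    return y >> 1;
}

/* 69069^e mod 2^32 by square-and-multiply; uint32_t wraps mod 2^32. */
static uint32_t pow69069(unsigned e)
{
    uint32_t r = 1, b = 69069U;
    for (; e; e >>= 1, b *= b)
        if (e & 1) r *= b;
    return r;
}

/* First output after legacy seeding, using only state[0], state[1]
 * and state[397] = state[1] * 69069^396 (no walk over the state). */
uint32_t legacy_first_output(uint32_t seed)
{
    uint32_t s0 = seed | 1U;            /* low seed bit is discarded */
    uint32_t s1 = s0 * 69069U;
    uint32_t sM = s1 * pow69069(396);
    uint32_t mix = (s0 & 0x80000000U) | (s1 & 0x7fffffffU);
    /* s0 and s1 are always odd, so the twist constant always applies. */
    return temper_php(sM ^ (mix >> 1) ^ 0x9908b0dfU);
}

/* Same value via the full 398-word state walk, to check the shortcut. */
uint32_t legacy_first_output_slow(uint32_t seed)
{
    uint32_t st[398], x = seed | 1U;
    for (int i = 0; i < 398; i++, x *= 69069U) st[i] = x;
    uint32_t mix = (st[0] & 0x80000000U) | (st[1] & 0x7fffffffU);
    return temper_php(st[397] ^ (mix >> 1) ^ 0x9908b0dfU);
}

int main(void)
{
    /* The four legacy seeds from the run quoted in the message. */
    const uint32_t seeds[] = { 1272978112U, 1272978113U, 1608818254U, 1608818255U };
    for (int i = 0; i < 4; i++)
        printf("%u -> %u\n", seeds[i], legacy_first_output(seeds[i]));
}
```

Since the lowest seed bit is discarded, legacy PHP has only 2^31 distinct mt_rand() streams, each fixed entirely by the seed.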