Analysis: 0-Day NYC Transit System “Free Ride” Bug

I found this bug by accident on my way home from work tonight. The reason I am writing this even though it’s a 0-day:

  1. I do not think it’s widely exploitable.
  2. And if it is, NYC isn’t losing any money over it as far as I could tell.
  3. It will help the MTA/NYC Transit find and fix the problem
  4. I’m not sure it’s reproducible since I wasn’t about to spend my own time and money to test it

Technically what I describe below is a security issue because it denies legitimate users entry/access and could allow a non-legitimate user a “free ride” if they happen to be in the right place at the right time. It might also cost a legitimate user an extra fare since they might swipe again at a different turnstile since they will assume they just swiped at a broken one.

Here’s the scenario that happened to me coming home from work tonight at around 7PM. Imagine three turnstiles lined up in a row.

  1. I swiped my unlimited metrocard at right most turnstile to enter subway system. I was denied access. It said ‘Go’ on the green readout but the turnstile wheel was locked. I swipe again and received the ‘Just Used’ message.
  2. Woman behind me swipes and turn style denies her access in the same way. (She then “hops the turnstile” and enters subway system.)
  3. As I try to swipe my card again and on the other turnstiles I continue to receive the “Just Used” Message. The left most turnstile readout says, “Just Usedd” with two Ds. I probably try around 5 times in the next few minutes. (I know I need to wait 15 min for the ‘Just Used’ flag to clear but I worked late and thought I might get lucky!)
  4.  Legitimate users enter and leave the subway system through turnstiles. I don’t recall how many or which one’s they used. Although tired I don’t recall this watching and step 3 combined being more than 5 minutes.
  5. A legitimate user swipes card in middle turnstile to enter the subway and the right turnstile — without prompting or a card swipe (no one is in proximity) — lights up ‘Go’ on the green readout and allows access.

If NYC transit wants to contact me I’ll give them the location of the turnstile for them to investigate.

How to keep a really BIG secret?

EW quotes J.J. Abrams — who created the modern day Star Trek movie franchise (here, here) — on how he keeps all his movie details secret despite such a large scale production. He says:

Yet Abrams says he doesn’t bully and nag his teams on the subject. “It’s not like there are threats, it’s not like we’re begging them every day,” he says. “We just say up front that all the work we’re doing is about making this a special experience for the viewer; let’s preserve that as long as we can.”

I speculate that it’s more about the non-disclosure clause in contracts signed by the employees, contractors, etc. who are working on the project. What is said up front is probably more like a friendly reminder about what’s in the contract and by mentioning it is reinforces the seriousness of the agreement.

PHP uniqid() – Entropy Analysis and Potentially Vulnerable Apps

This research started with my reporting a zero-day that Front Accounting’s reporting used uniqid() and it’s file names were non-random. Given where the application saves these reports by default they are retrievable by anyone who can guess the proper URL report name. OSVDB asked me to what extent does this issue overlap with a larger, previously reported PHP issue of non-randomness in the generation of PHPSESSIONID. Over the course of my research I discovered that, while both suffered issues of non-randomness, uniqid() and LCG were independent from each other after PHP3. As of PHP4+, uniqid() is not used to generate session cookies. While uniqid()  uses an LCG randomness routine it only does so when the more_entropy flag is set by the developer. LCG is not the cause of the lack of uniqid() entropy. In fact it is just the opposite. It helps it when the flag is set but not significantly. As such it is my humble opinion that CVE and OSVDB descriptions needed to be updated to reflect this information. In our tweets Steve Christey was still worried — and rightly so — that many applications use the uniqid() function and might be vulnerable. So, here we are.

It’s clear that uniqid() is non-random. This is even reported in the PHP documentation. The question is how non-random is it? Furthermore, what’s the impact? How many apps are using the function?

I tested the non-randomness by writing some sample PHP code taken almost straight from the documentation. I did this because I felt it best to use the sample code provided by PHP to their users. I assume here that it will be the way most people will use the function (copy and paste). Two apps were written: one to test the function regularly and one to test it with added entropy. Since I’m not a math geek, I used burp‘s Sequencer functionality to test the entropy. I have fairly smallish sample sizess but I believe I do not need a larger ones to change the general nature of the result. (I leave this to the next researcher.) I then used Search Diggity to scan through google’s project code as well as doing a direct search. I attached a gallery with annotations showing the testing procedure and results.


With or without the more_entropy option, uniqid(), as represented in the PHP sample code and documentation, results in poor entropy and should not be used. According to burp, with a sample size of 4016 tokens, uniqid() without more_entropy is “extremely poor” and has a effective entropy of 10 bits. With a sample size of 7515 tokens, uniqid() with more_entropy enabled is “poor” with an effective entropy of 29 bits. According to burp the reliability of the sample sizes were either reasonable or good. It is my opinion that if the tests were conducted over a larger sample size the effective entropy will only decrease: by how much I’m not certain.

The question remains: are there vulnerable applications and to what extent? Search Diggity returns 100 instances of uniqid() being used on google code. Google’s own search engine returns 60K+ strings matching uniqid(). Important:  google’s query is a bit of a false indicator since it returns results that matches the string including languages other than PHP. And, I didn’t scan other repositories such as Sourceforge or Github.

Lesson 1: heed the PHP documentation and do not use uniqid() when the need for a random string arises. Lesson 2: it seems that there is a decent amount of potential vulnerable code.

Below are the pictures to support the research. Many thanks to OSVDB and Steve Christy for an excellent exchange of tweets. Enjoy and happy hunting.

PHP uniqid() and LCG non-randomness write-up

In twitter conversations with OSVDB the question arose whether the Front Accounting 2.3.13 Predictable File Name and Public Path vulnerability I disclosed yesterday had a connection with a previously reported LCG vulnerability in 2010 since the LCG in PHP apparently uses the uniqid() function.

Although there is a loose connection, the upshot is that they are different. Here’s why.

After checking though the PHP SVN this morning, it seems like the connection is tenuous at best. If we begin with the LCG revisions we notice that in branches 5.2 and 5.3 that we are adding entropy through as shown below:

But from our standpoint — determining the connection between LCG and uniqid() — this doesn’t matter much. It’s the fact that it uses the following structure and call:

The call to uniqid() also uses the timeval structure:

Unlike LCG, uniqid() adds it’s randomness in the following way:

Since randomness is added differently, the gettimeofday() function is in fact the only overlap between uniqid.c and lcg.c that concerns us to understand the connection and the difference for this analysis.

For our purposes to answer OSVDB’s initial inquiry the answer comes down to this:

  • Both LCG and the uniqid() function use the same gettimeofday call as the initial seed for randomness, whether through returning a string for uniqid() or as part of PHPSESSIONID
  • LCG and uniqid() are totally separate and use independent calls to fill data structures defined in separate areas of memory
  • the functions do not call one another at all
  • LCG uses the php_combined_lcg() function which does not use uniqid() in any functions below it for session token creation

From an attackers point of view, the key in the LCG attack is the ability to use a function such as uniqid() — which is much more likely to be used by a developer — to get the server’s seed (actual time on the box) and off of which we will base our attack on the PHPSESSIONID since neither offer enough entropy.

Conclusion 1: LCG does not use uniqid() as it’s seed generator. We can see this from the SVN of the committed LCG code linked to earlier: uniqid was neither removed or added. A quick search of the actual LCG code will show that this header or function is not included in the PHPSESSION generating code. The description in NVD and OSVDB is is in fact incorrect for the 2010 attack*.

Conclusion 2: The non-randomness I described in my Front Accounting vuln release is based solely off the uniqid() function and is independent from the LCG functions although both have a similar but not exact non-randomness issue.

I cannot take full credit for this as some of the critical pieces of the LCG attack analysis come from Andreas Bogk in this post at Full-Disclosure.

* The original post of the LCG issue in 2001 shows that PHPLIB session.c called uniqid() but code apparently is for PHP3 and is no longer maintained since 2007. This is most likely where the NVD / OSVBD confusion comes from. Note that the write-up and tool released by samy kamkar for the 2010 disclosure does not mention uniqid(). At no point is uniqid() used in session.c as described in the original 2001 post as of PHP4.

0-Day: Front Accounting 2.3.13 Predictable File Name and Public Path

Front Accounting (FA) had document storage capabilities. Three issues arise:

1) FA stores documents under the server root
2) FA uses a non-random way to generate the report names
3) these reports do not have any authentication, able to be retrieved by anyone

The known file locations are below where X is company number starting at 0 (zero).


The software uses the uniqid PHP routine which is known for being non-random:

Because it is difficult to show, please see the screen print below regarding the non-random name.

I emailed the software company through their website but did not receive a reply. This was also disclosed to but I believe it was not publicly reported since the email contained the image below as an attachment (or the original email was HTML and not TXT).


Forbes: Stuxnet may be of Chinese Origin

A logical alternative theory of who targeted Iran:

In 2008, China decided to assist the IAEA inspectors after it learned that Iran was in possession of blueprints to shape uranium metal into warheads, according to this article in The Telegraph. That same article discloses that Chinese designs for centerfuges were discovered in Iran, supplied via Pakistan’s AQ Khan.

On April 13, 2010, Beijing reiterated its opposition to Iran’s goal to develop nuclear weapons capabilities while stating that sanctions against Iran would be counter-productive. In other words, the PRC wanted to support its third largest supplier of oil (after Saudi Arabia and Angola) while at the same time seeking ways to get Iran to stop its uranium fuel enrichment program. What better way to accomplish that goal than by covertly creating a virus that will sabotage Natanz’ centerfuges in a way that simulates mechanical failure while overtly supporting the Iranian government by opposing sanctions pushed by the U.S. It’s both simple and elegant.

Bottom line: we’ll never know unless someone comes forward.

2000% Increase in Attacks on Israeli Websites

Interesting stats…. (Please do not post political propaganda on my site: it’s about information security not Middle East politics):

An increase of 2000% in attacks on pro-Israel and Israeli government websites was recorded in the first few days after the IDF takeover of the Turkish ship ‘Marmara’ headed for Gaza. Most of the attacks originated from Turkish and Palestinian sources.

Tests conducted by Internet security experts from IBM also found that the attackers managed to breakthrough to 500 Israeli websites and make changes or to plant propaganda on them.

IBM also found that Israeli government sites held up well to the attacks and most of the break-ins were into sites of companies and organizations in the private sector.

Rolling Stone Chronicles Criminal Hackers

Rolling Stone chronicles the lifestyle exploits of Albert Gonzalez, which you can find here in the USA Today article here.  Unfortunately I cannot provide a link to the actual RS article because it is paid only. You can find it at your local newsstand.

Man infects himself with computer virus

I’m not sure if this is innovative or just stupid:

University of Reading researcher Mark Gasson has become the first human known to be infected by a computer virus.

The virus, infecting a chip implanted in Gasson’s hand, passed into a laboratory computer. From there, the infection could have spread into other computer chips found in building access cards.

All this was intentional, in an experiment to see how simple radio-frequency identification (RFID) chips like those used for tracking animals can host and spread technological diseases.

Latvia Hacker “Neo” is Folk Hero

From the AP wires:

Latvia’s police confirmed on Thursday they had unmasked the man who became a folk hero for hacking tax office data to reveal fat salaries still being paid to state officials despite an official austerity drive.

“Neo” became famous earlier this year for publishing the tax office data of highly paid state officials, some of whom continued to receive salaries that went into thousands of lats or who got bonuses even as the government was cutting old age pensions, raising taxes and reducing spending.

I guess he swallowed the Red Pill.