All our publications

Breaking Python's PRNG with a few values and no bruteforce

Python’s random module utilizes the Mersenne Twister PRNG, specifically MT19937. It’s a well-known fact that this PRNG is not cryptographically secure, as with access to 624 outputs from this PRNG it becomes possible to predict subsequent outputs. On the same subject, Ambionics Security demonstrated that it is possible to recover the Mersenne Twister seed knowing only two outputs of PHP’s mt_rand() function, without any bruteforce.

In this post, our focus will be on Python’s random implementation, drawing comparisons to PHP’s approach. We’ll cover the similarities and differences, particularly in how seeding is performed. Furthermore, we’ll demonstrate that even with a small number of outputs (as few as 6 for a 32-bit seed, akin to PHP), it’s feasible to deduce Python’s original seed.

Locking the Vault: The Risks of Memory Data Residue

Most of today’s applications handle sensitive data like passwords, cryptographic keys or any other confidential information. Managing these secrets is a fundamental responsibility of any application. However, what happens to them when they’re no longer needed? Their disposal becomes a non-negotiable aspect of data security as leaving traces can open a door for potential attackers.

In this post we will delve into the technical aspects of securely erasing sensitive data from memory, outlining why it’s essential and how to do it correctly. We’ll explore the often-underestimated risks associated with leaving remnants of such information in volatile memory and provide practical methods to ensure they are eradicated completely.

Remote Buffer Overflow in StrongSwan + TKM

The TKM-backed version of the charon IKE daemon (charon-tkm) doesn’t check the length of received Diffie-Hellman public values before copying them to a fixed-size buffer on the stack, causing a buffer overflow that could potentially be exploited for remote code execution by sending a specially crafted and unauthenticated IKE_SA_INIT message.

All strongSwan versions since 5.3.0, up to and including 5.9.11 are affected.

Setups that don’t use charon-tkm as the IKE daemon are not vulnerable. The charon-tkm version that supports multiple key exchanges (tkm-multi-ke branch on GitHub) is not vulnerable either.

Mastering the use of Android BroadcastReceiver

Over the years and updates, the Android operating system has become more sophisticated with a bunch of new features. While this is a positive aspect for the end user, it can make application development more complex, increase the number of errors made by developers and lead to vulnerabilities. This is particularly true for Intent management and inter-process communication mechanisms. In fact, Android offers a set of tools enabling applications to communicate with each other. Among them, intents are the focus of attention since they enable activities, services and broadcasts to be started.

This blog post aims to present the BroadcastReceiver component and see how it can be used in a secure way.

A journey using Android static source code analysis tools

In a decade, mobile applications have become a daily tool simplifying people’s lives worldwide (from accessing a bank account to watching movies, etc.). This trend has brought to light a new attack surface, and vulnerabilities began to arise due to the huge number of functionalities offered by the mobile OS.

This blog post aims to present and compare open source tools to see their ability to detect complex vulnerabilities.

Initialization vector mishandling

To encrypt data, one needs to choose a suitable encryption algorithm and generate a key, but most of the time additional parameters are required. In this blog post, we will focus on the initialization vector (IV), which is a parameter used by the most common symmetric encryption algorithms (AES-CBC, AES-CTR and AES-GCM). The majority of vulnerabilities I encounter during cryptographic reviews come from mishandling of this IV.

In this post we will look at what an IV is, why it is important and how to handle it safely depending on the chosen algorithm.