VBScript and the Randomize function

From: Matt Watchinski (matt@farm9.com)
Date: 08/17/01

Message-ID: <3B7C565F.C268F83B@farm9.com>
Date: Thu, 16 Aug 2001 18:25:19 -0500
From: Matt Watchinski <matt@farm9.com>
To: secprog@securityfocus.com
Subject: VBScript and the Randomize function

During an OS-level penetration test I came across an application that
used a function similar to the following to generate session keys for
tracking Web users. This function generated an 11-digit string "unique"
key that tracked the session. My question is: is this function really
random, or will it repeat in a predictable sequence? I haven't been able
to find very good documentation on how the VBScript Randomize function
seeds itself (other than system timer, whatever that is referencing is
unknown to me) so I was hoping someone could help/point me in the right

Here is the function.

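Function RandomFoo(length)
      Dim i
      RandomFoo = ""
      ' Loop runs from 0 to length inclusive, so length + 1 characters
      For i = 0 to length
           ' Append one letter A-Z chosen with Rnd
           RandomFoo = RandomFoo & Chr(Int(26 * Rnd + 65))
      Next
End Function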


One quick note: if the seed (system timer) for Randomize with no
arguments is reversible from system time, i.e. the number of seconds from
epoch, does it change the predictability of the function?

If this isn't the correct list for such a question, please point me in
the right direction. I thought it would have some bearing here though,
as I've seen very similar things in lots of web applications.
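
Added example, not part of the original post: a Python model of the posted function, assuming VBScript's Rnd uses the 24-bit linear congruential generator that Microsoft documents for Visual Basic (the constants, the sample state and all Python names are this example's assumptions). It shows that the key is a function of the generator state alone, so the key space is bounded by that state rather than by 26^11, next to a replacement drawn from the OS CSPRNG.

```python
import math
import secrets

# Constants Microsoft documents for Visual Basic's Rnd (KB231847); that
# VBScript's Rnd uses the same 24-bit generator is an assumption here.
A, C, M = 1140671485, 12820163, 2 ** 24


def rnd_stream(state):
    """Yield Rnd-style floats in [0, 1) from a 24-bit internal state."""
    while True:
        state = (state * A + C) % M
        yield state / M


def random_foo(length, state):
    """Model of the posted RandomFoo: length + 1 letters A-Z (For i = 0 To length)."""
    rnd = rnd_stream(state)
    return "".join(chr(int(26 * next(rnd)) + 65) for _ in range(length + 1))


def entropy_bits():
    """Return (apparent, effective upper bound) entropy in bits for an 11-letter key."""
    apparent = 11 * math.log2(26)   # if every letter were independent
    effective = math.log2(M)        # every letter is derived from one 24-bit state
    return apparent, effective


def session_key(nbytes=16):
    """Hardened replacement: nbytes from the OS CSPRNG, as URL-safe text."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    state = 123456  # constructed sample state, not a real seed
    # Same state in, same "unique" key out.
    print(random_foo(10, state), random_foo(10, state))
    print("apparent %.1f bits, effective <= %.0f bits" % entropy_bits())
    print(session_key())
```

Whatever Randomize derives from the system timer, it can only select one of the generator's states, so the 24-bit figure is an upper bound on the key's entropy.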