[JDEV] Still another patch ... (seed the rand() function)
m at tthias.net
Mon Oct 13 16:00:18 CDT 2003
Joe Hildebrand wrote on 2003-10-13 13:09:26:
> Can't I send an iq:last to the server to find out how long it's been up? In
> which case, I as an attacker can get pretty close to guessing the seed...
Yeah, but I don't think this will help you. The only problem is that
without the patch you can force the server to use the same challenge
again. Just by knowing the challenge I don't see how this will help you
(for a passive attack).
The problem I see with the unpatched jadc2s is that you listen to a
connection and see what a client responds to a given challenge - force
the server to use the same challenge again (or wait for it) and you can
log in with the response you sniffed.
But as I said: you're right. The whole thing with rand() is not the best
solution. Maybe it would be a good idea to use the RAND_*() functions of
openssl if compiled with SSL support.
For kibibytes see:
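
Added example, not part of the original message and not jadc2s code: a small C simulation of the repeated-challenge problem described above, next to a challenge drawn from the kernel CSPRNG. The function names, the toy response_for() digest and the use of /dev/urandom (in place of the OpenSSL RAND_*() functions the message suggests, so that it builds without OpenSSL) are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Toy stand-in for the digest a client sends (assumption, NOT jadc2s's real
   computation). Bijective in the challenge for a fixed secret. */
static uint32_t response_for(uint32_t challenge, const char *secret) {
    uint32_t h = 2166136261u ^ challenge;            /* FNV-1a style mixing */
    for (; *secret; secret++) { h ^= (unsigned char)*secret; h *= 16777619u; }
    return h;
}

/* Weak: rand() with no srand() call behaves as if srand(1) had been called,
   so every process start yields the same challenge sequence. */
static uint32_t weak_challenge(void) { return (uint32_t)rand(); }

/* Simulates a server restart: a fresh process starts at the default seed 1. */
static void simulate_restart(void) { srand(1); }

/* Stronger: take the challenge from the kernel CSPRNG. Returns 0 on success. */
static int strong_challenge(uint32_t *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;
}

/* Returns 1 if a response captured in session 1 is still valid in session 2. */
static int replay_accepted_weak(const char *secret) {
    simulate_restart();
    uint32_t sniffed = response_for(weak_challenge(), secret);  /* session 1 */
    simulate_restart();
    uint32_t c2 = weak_challenge();                             /* session 2 */
    return sniffed == response_for(c2, secret);
}

/* Same check with CSPRNG challenges; -1 if no random source is available. */
static int replay_accepted_strong(const char *secret) {
    uint32_t c1, c2;
    if (strong_challenge(&c1) || strong_challenge(&c2)) return -1;
    return response_for(c1, secret) == response_for(c2, secret);
}

int main(void) {
    printf("rand(), unseeded: replay accepted = %d\n", replay_accepted_weak("constructed-secret"));
    printf("/dev/urandom:     replay accepted = %d\n", replay_accepted_strong("constructed-secret"));
    return 0;
}
```

Seeding rand() from the clock only makes the repeat harder to force; drawing the challenge from a CSPRNG removes the dependence on a guessable seed.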