[JDEV] Still another patch ... (seed the rand() function)

Matthias Wimmer m at tthias.net
Mon Oct 13 16:00:18 CDT 2003


Hi Joe!

Joe Hildebrand schrieb am 2003-10-13 13:09:26:
> Can't I send an iq:last to the server to find out how long it's been up?  In
> which case, I as an attacker can get pretty close to guessing the seed...

Yeah, but I don't think this will help you. The only problem is that
without the patch you can force the server to use the same challenge
again. Just by knowing the challenge I don't see how this will help you
(for a passive attack).

The problem I see with the unpatched jadc2s is that cou listen to a
connection and see what a client responds to a given challenge - force
the server to use the same challenge again (or wait for it) and you can
log in with the response you sniffed.

But as I said: you're right. The hole thing with rand() is not the best
sollution. Maybe it would be a good idea to use the RAND_*() functions of
openssl if compiled with SSL support.


Tot kijk
    Matthias


-- 
For kibibytes see:
http://www.iec.ch/online_news/etech/arch_2003/etech_0503/focus.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20031013/d285db00/attachment-0002.pgp>


More information about the JDev mailing list