[JDEV] Still another patch ... (seed the rand() function)

Joe Hildebrand JHildebrand at jabber.com
Mon Oct 13 14:09:26 CDT 2003


Can't I send an iq:last to the server to find out how long it's been up?  In
which case, I as an attacker can get pretty close to guessing the seed...

-- 
Joe Hildebrand

 

> -----Original Message-----
> From: Matthias Wimmer [mailto:m at tthias.net] 
> Sent: Saturday, October 11, 2003 5:11 PM
> To: jdev at jabber.org
> Subject: [JDEV] Still another patch ... (seed the rand() function)
> 
> Hi!
> 
> Sorry to flood this mailing list this weekend. ;-) This is 
> another patch for jadc2s.
> 
> jadc2s used the rand() function to generate ids for the 
> digest authentication but never seeds the rand() function. 
> The result is that with every restart of jadc2s it generates 
> the same sequence of ids again. This is a very bad behavior 
> especially on servers with less load.
> An attacker could take over an account if he is able to sniff 
> connections and if he is able to crash jadc2s (or jadc2s is 
> restarted regularly). He can just sniff which id was sent to 
> the client and what the client sent back as response. 
> Afterwards he crashes jadc2s or waits for another restart. 
> Then he just has to wait for the right moment where the 
> server will generate this key again (counting the logins), 
> connect to it and he will be successfully able to 
> authenticate as the other user. By changing the password he 
> has taken over the account.
> 
> The fix is to just seed the rand() function at startup of 
> jadc2s with the current time that will be different for every 
> restart. (But using
> rand() to generate the digest ids still isn't a very strong
> implementation.)
> 
> 
> Tot kijk
>     Matthias
> 
> --- jadc2s.c	2003-10-10 11:05:45.000000000 +0200
> +++ jadc2s-srand.c	2003-10-12 00:53:41.000000000 +0200
> @@ -200,6 +200,9 @@
>          return 1;
>      }
>  
> +    /* seed the rand() function */
> +    srand(time(NULL));
> +
>      /* start logging */
>      c2s->log = log_new("jadc2s");
>      log_write(c2s->log, LOG_NOTICE, "starting up");
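Review bot: the `srand(time(NULL))` line fixes the replay-on-restart, but the seed space it leaves is only as large as the attacker's uncertainty about the start time (seconds since the epoch, and `iq:last` style uptime queries narrow that further, as the reply above notes), so the digest ids remain guessable by brute force over a small window. Since the covering text itself concedes that rand() is not a strong source here, the better change in this spot is to draw the digest id bytes from the kernel CSPRNG (e.g. read `/dev/urandom`) rather than from rand() at all. Also confirm that jadc2s.c includes `<time.h>`; the hunk's context does not show it, and without it `time()` is an implicit declaration.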
> 
> --
> For kibibytes see:
> http://www.iec.ch/online_news/etech/arch_2003/etech_0503/focus.htm
> 
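An added example in C, not from this thread or from jadc2s, that shows both halves of the discussion: why an unseeded rand() replays the same id sequence on every restart, and a replacement id generator that reads the kernel CSPRNG instead of rand() so the seed-guessing concern raised in the reply does not apply. It assumes `/dev/urandom` is readable; the function names `unseeded_rand_repeats_after_restart`, `make_digest_id` and `digest_ids_are_distinct` are mine, not jadc2s's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reproduce the defect the patch describes: a process that never calls
 * srand() behaves as if it had called srand(1), so every restart replays
 * the same rand() sequence and hence the same digest ids.
 * Returns 1 if two simulated "restarts" produce identical id sequences. */
int unseeded_rand_repeats_after_restart(void)
{
    int first_run[8], second_run[8];
    int i;

    srand(1);                       /* what an unseeded process effectively does */
    for (i = 0; i < 8; i++)
        first_run[i] = rand();

    srand(1);                       /* "restart": the same implicit seed again */
    for (i = 0; i < 8; i++)
        second_run[i] = rand();

    return memcmp(first_run, second_run, sizeof first_run) == 0;
}

/* Defender-side replacement for rand()-based digest ids: draw nbytes from the
 * kernel CSPRNG via /dev/urandom (assumed available) and hex-encode them.
 * `out` receives 2*nbytes hex characters plus a NUL terminator.
 * Returns 0 on success, -1 if the buffer is too small or the device
 * cannot be read; callers must treat -1 as a hard failure, never fall
 * back to rand(). */
int make_digest_id(char *out, size_t outlen, size_t nbytes)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char buf[64];
    FILE *f;
    size_t i;

    if (nbytes > sizeof buf || outlen < 2 * nbytes + 1)
        return -1;
    f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    if (fread(buf, 1, nbytes, f) != nbytes) {
        fclose(f);
        return -1;
    }
    fclose(f);
    for (i = 0; i < nbytes; i++) {
        out[2 * i]     = hex[buf[i] >> 4];
        out[2 * i + 1] = hex[buf[i] & 0x0f];
    }
    out[2 * nbytes] = '\0';
    return 0;
}

/* Sanity check a practitioner would run: two ids generated back to back must
 * differ (with 16 random bytes a collision is astronomically unlikely). */
int digest_ids_are_distinct(void)
{
    char a[33], b[33];

    if (make_digest_id(a, sizeof a, 16) != 0 ||
        make_digest_id(b, sizeof b, 16) != 0)
        return 0;
    return strcmp(a, b) != 0;
}

int main(void)
{
    char id[33];

    printf("unseeded rand() repeats after restart: %s\n",
           unseeded_rand_repeats_after_restart() ? "yes" : "no");
    if (make_digest_id(id, sizeof id, 16) == 0)
        printf("digest id from /dev/urandom: %s\n", id);
    else
        printf("could not read /dev/urandom\n");
    return 0;
}
```

The first function is the deliberate reproduction of the bug, kept so the restart behaviour can be demonstrated in a unit test; in real server code the only piece to carry over is `make_digest_id`, which needs no seed at all and therefore has no start-time-sized seed space to enumerate.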