[JDEV] Still another patch ... (seed the rand() function)

Matthias Wimmer m at tthias.net
Mon Oct 13 16:00:18 CDT 2003


Hi Joe!

Joe Hildebrand wrote on 2003-10-13 13:09:26:
> Can't I send an iq:last to the server to find out how long it's been up?  In
> which case, I as an attacker can get pretty close to guessing the seed...

Yeah, but I don't think this will help you. The only problem is that
without the patch you can force the server to use the same challenge
again. Just by knowing the challenge I don't see how this will help you
(for a passive attack).

The problem I see with the unpatched jadc2s is that you listen to a
connection and see what a client responds to a given challenge - force
the server to use the same challenge again (or wait for it) and you can
log in with the response you sniffed.

But as I said: you're right. The whole thing with rand() is not the best
solution. Maybe it would be a good idea to use the RAND_*() functions of
openssl if compiled with SSL support.


See you
    Matthias


-- 
For kibibytes see:
http://www.iec.ch/online_news/etech/arch_2003/etech_0503/focus.htm
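
Added example, not part of the original message and not jadc2s code: it shows why a challenge built from rand() repeats after a restart (unseeded, or seeded with a start time that uptime reveals) and contrasts it with a challenge drawn from the kernel CSPRNG. The 16-byte hex challenge format, the function names and the sample seed are assumptions; /dev/urandom stands in for the OpenSSL RAND_bytes() call the message suggests.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHAL_LEN 16                 /* assumed challenge size in bytes */
#define HEX_LEN  (2 * CHAL_LEN + 1)

/* Challenge built from rand(). seed == 1 models a server that never calls
 * srand(): the C standard gives it the same sequence as srand(1). */
static void weak_challenge(unsigned int seed, char out[HEX_LEN])
{
    srand(seed);
    for (int i = 0; i < CHAL_LEN; i++)
        sprintf(out + 2 * i, "%02x", (unsigned)(rand() & 0xff));
}

/* Challenge from the kernel CSPRNG. Returns 0 on success, -1 on failure;
 * a caller must reject the login on failure, never fall back to rand(). */
static int strong_challenge(char out[HEX_LEN])
{
    unsigned char buf[CHAL_LEN];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (n != sizeof buf) return -1;
    for (int i = 0; i < CHAL_LEN; i++)
        sprintf(out + 2 * i, "%02x", (unsigned)buf[i]);
    return 0;
}

/* 1 if two simulated server starts with this seed issue the same first
 * challenge, i.e. a sniffed response would be accepted again. */
static int weak_repeats(unsigned int seed)
{
    char a[HEX_LEN], b[HEX_LEN];
    weak_challenge(seed, a);
    weak_challenge(seed, b);
    return strcmp(a, b) == 0;
}

/* Same check for the CSPRNG path: 1 = repeated, 0 = distinct, -1 = error. */
static int strong_repeats(void)
{
    char a[HEX_LEN], b[HEX_LEN];
    if (strong_challenge(a) || strong_challenge(b)) return -1;
    return strcmp(a, b) == 0;
}

int main(void)
{
    printf("unseeded rand() repeats:    %d\n", weak_repeats(1));
    printf("srand(start time) repeats:  %d\n", weak_repeats(1066000000u)); /* constructed seed */
    printf("CSPRNG challenge repeats:   %d\n", strong_repeats());
    return 0;
}
```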