Bugtraq mailing list archives
Re: SNI-12: BIND Vulnerabilities and Solutions
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Wed, 23 Apr 1997 00:09:51 -0600
> It attempts to make the query ID unpredictable, but fails -- the "random" numbers it generates are still predictable (after a trivial 2^16 offline trials).
Did you include all the details included in res_random.c such as the code which causes the entire system to be reset with whole new seeds after a fixed period of time (300 seconds is it)? You can predict a sequence and feed it the next few numbers before the generator reseeds itself? Hmm. I'll let Niels comment further ;-)
> And the seeding is terrible -- two years ago Netscape used timeofday and pid to seed their PRNG, too, and look what happened to them.
Hey, I make no apologies for operating systems that ship without a source of strong(ish) random numbers in their libc! If res_random.c is compiled on a machine that #defines __OpenBSD__ the source patch does not supply a fake arc4random() routine; instead the OpenBSD version of the routine is used which uses an RC4 generator seeded from a source of stronger random data supplied by the kernel. (OpenBSD also uses this random in a number of other ... interesting places ;-)
I supplied the arc4random() routine and well, it sucks; I was writing it as quick as I could. I think it's clear that anyone who wanted to use the code should replace that part with something a bit better. I'd invite anyone else who comes up with something better to make it available. Remember it goes into libc of every program that calls gethostby*....
I don't think there is a "solution" to the problem. We're talking bandaids. I've never felt the raw power of a T3, but I suppose they'd be able to bombard fast enough to still get in via brute force. I hope what we worked on makes it hard, perhaps someone else can make it better.
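As an added illustration of the seeding concern quoted above (not part of the original message, and not the code from res_random.c): a toy 16-bit ID generator seeded from the clock second and the pid, an audit that counts how many seeds stay consistent with a few observed IDs, and an ID read from the kernel's random device for contrast. Assumptions: the LCG, the names `weak_seed`, `consistent_seeds` and `kernel_id`, 16-bit pids, a seed second known to the observer, and all sample values are constructed for this example.

```c
/* Added example: a toy ID generator, not the code in res_random.c. */
#include <stdint.h>
#include <stdio.h>

#define PID_SPACE 65536u            /* assumption: 16-bit process IDs */

/* Toy LCG; the 16-bit query ID is the top half of the 32-bit state. */
static uint16_t toy_next(uint32_t *s) {
    *s = *s * 1103515245u + 12345u;
    return (uint16_t)(*s >> 16);
}

/* Weak seeding in the style criticised above: wall-clock second and pid. */
static uint32_t weak_seed(uint32_t sec, uint32_t pid) { return sec ^ pid; }

/* Does a generator seeded with (sec, pid) reproduce the n observed IDs? */
static int reproduces(uint32_t sec, uint32_t pid, const uint16_t *obs, int n) {
    uint32_t s = weak_seed(sec, pid);
    for (int i = 0; i < n; i++)
        if (toy_next(&s) != obs[i]) return 0;
    return 1;
}

/* Audit: count the pids consistent with the observations for a known second.
 * Stores the lowest matching pid in *first; the loop is exactly 2^16 trials. */
static unsigned consistent_seeds(uint32_t sec, const uint16_t *obs, int n,
                                 uint32_t *first) {
    unsigned hits = 0;
    for (uint32_t pid = 0; pid < PID_SPACE; pid++) {
        if (!reproduces(sec, pid, obs, n)) continue;
        if (hits++ == 0) *first = pid;
    }
    return hits;
}

/* Contrast: take the ID from the kernel's random device. Returns 0 on success. */
static int kernel_id(uint16_t *id) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(id, sizeof *id, 1, f);
    fclose(f);
    return got == 1 ? 0 : -1;
}

int main(void) {
    uint32_t sec = 861775791u, pid = 4242u, first = 0;  /* constructed values */
    uint32_t s = weak_seed(sec, pid);
    uint16_t obs[3], id = 0;
    for (int i = 0; i < 3; i++) obs[i] = toy_next(&s);
    unsigned hits = consistent_seeds(sec, obs, 3, &first);
    printf("weak seed: %u candidate(s) left after %u trials\n", hits, PID_SPACE);
    if (kernel_id(&id) == 0) printf("kernel-sourced id: 0x%04x\n", id);
    return 0;
}
```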