Bugtraq mailing list archives
Re: Jetty Session ID Prediction
From: Amit Klein <aksecurity () gmail com>
Date: Mon, 05 Feb 2007 20:42:00 +0200
NGSSoftware Insight Security Research wrote:
================= Technical Details ================= java.util.random implements a linear congruential generator, of the following form: synchronized protected int next(int bits) { seed = (seed * 0x5DEECE66DL + 0xBL) & ((1L << 48) - 1); return (int)(seed >>> (48 - bits)); } Jetty generates a 64-bit session id by generating two 32-bit numbers in this way, so we end up with an encoded 64-bit integer. By decoding the integer and splitting it into its two component 32-bit integers, we caneasily brute-force the generator's internal state.
So it outputs the full 64 bit integer (encoded), huh? consider yourself lucky ;-) With Apache JServ, I had to deal with a session ID constructed in a similar manner, yet only the last 6 symbols were output (~31 bits out of the 64). You can read about this in my "Hacking Web Applications Using Cookie Poisoning" (April 2002) - http://www.cgisecurity.com/lib/CookiePoisoningByline.pdf Apache JServ is "example #2" in that text. You may find part of my analysis relevant to this (Jetty) case as well (BTW - do you plan to make your tool/source available?)
Regards, -Amit
Current thread:
- Jetty Session ID Prediction NGSSoftware Insight Security Research (Feb 05)
- Re: Jetty Session ID Prediction Amit Klein (Feb 05)
- Re: Jetty Session ID Prediction Michal Zalewski (Feb 05)
- Re: Jetty Session ID Prediction Amit Klein (Feb 06)
- Re: Jetty Session ID Prediction Michal Zalewski (Feb 06)
- Re: Jetty Session ID Prediction Amit Klein (Feb 06)
- <Possible follow-ups>
- Re: Jetty Session ID Prediction Chris Anley (Feb 06)
- Re: Jetty Session ID Prediction Amit Klein (Feb 06)
- Re: Jetty Session ID Prediction Chris Anley (Feb 07)
- Re: Jetty Session ID Prediction Michal Zalewski (Feb 06)
- Re: Jetty Session ID Prediction Amit Klein (Feb 06)