randomized

DC4420 - London DEFCON - June meet - Tuesday 21st June 2011

Blimey, where does the time go??? Yes, it's already only a week to go 
before the next DC4420 meet...

Last week, inspired by Paco Hope's awesome randomness talk, Zac, Caezar 
and I went out for a really good lunch and discussed randomness and how 
to achieve it. As Paco says, it's quite hard to do it right. 
Particularly if the lunch is really good and there is plenty of beer! 
However, we have a CunningPlan(tm). We told Paco about it. He said it 
(probably) didn't completely suck. We will share with you...


Advisory 04/2008: Joomla Weak Random Password Reset Token Vulnerability

                         www.sektioneins.de

                      -= Security  Advisory =-


     Advisory: Joomla Weak Random Password Reset Token Vulnerability
 Release Date: 2008/09/11
Last Modified: 2008/09/11
       Author: Stefan Esser [stefan.esser[at]sektioneins.de]

  Application: Joomla <= 1.5.7

Re: what is this?

Apologies I should clarify.

In this attack legitimate pages on a site are first populated with
html tags embedding Javascript like so

<script language='JavaScript' type='text/javascript' src='{random name}.js'></script>

these all point to the page you sent on. All the Mp3, quicktime, etc
stuff are exploits that are launched against the browser of the victim
who browses to the site.

Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)

> Because it's just a 16-bit field.  DNS is broken.  Cache poisoning will 
> happen.  Those are the facts on the ground.  The only argument left
> is the degree of brokenness.

Perhaps. Even so, adding, as you (and many others) suggested previously, 
UDP source port (strong) randomization, in combination with strong 
transaction ID randomization would make poisoning way way harder than 
where it is today. Instead of 16 bits, you'd have ~30 bits of (strong) 
randomness. That's much better, and there's no reason I see why it can't 
be implemented today.


[ GLSA 200807-08 ] BIND: Cache poisoning

Description
===========

Dan Kaminsky of IOActive has reported a weakness in the DNS protocol
related to insufficient randomness of DNS transaction IDs and query
source ports.

Impact
======


IETF RFC on Port Randomization

Folks,

Our document "Recommendations for Transport-Protocol Port
Randomization" has finally been published as RFC 6056.

Its abstract is:
---- cut here ----
During the last few years, awareness has been raised about a number
of "blind" attacks that can be performed against the Transmission
Control Protocol (TCP) and similar protocols.  The consequences of

[SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator

http://www.debian.org/security/                           Florian Weimer
May 13, 2008                          http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : openssl
Vulnerability  : predictable random number generator
Problem type   : remote
Debian-specific: yes
CVE Id(s)      : CVE-2008-0166

Luciano Bello discovered that the random number generator in Debian's

DC4420 - London DEFCON - May meet - Tuesday 24th May 2011

Just over a week to go until this month's London DEFCON meet, so get it 
in your diary now!

For the talks we have:

   Tech Talk: Paco Hope of Cigital is going to present on randomness...

   We've seen how to get good random numbers from hardware. Given that,
   you would think that shuffling cards, rolling dice, and random session
   identifiers would be easy. They're not. Our instincts and intuition are
   often wrong. We'll look at shuffling and algorithms gone

[ MDKSA-2007:196 ] - Updated kernel packages fix multiple vulnerabilities and bugs

 
 The IPv6 protocol allowed remote attackers to cause a denial of
 service via crafted IPv6 type 0 route headers that create network
 amplification between two routers (CVE-2007-2242).
 
 The random number feature did not properly seed pools when there was
 no entropy, or used an incorrect cast when extracting entropy, which
 could cause the random number generator to provide the same values
 after reboots on systems without an entropy source (CVE-2007-2453).
 
 A memory leak in the PPPoE socket implementation allowed local users

UPDATE: [ GLSA 200804-22 ] PowerDNS Recursor: DNS Cache Poisoning

Update
======

The previous version of the PowerDNS Recursor (3.1.5) did not
properly address the issue, as UDP source port selection was 
insufficiently randomized. We advise all users to upgrade to 3.1.6.

The updated sections appear below.

Affected packages
=================

[ MDKSA-2007:216 ] - Updated kernel packages fix multiple vulnerabilities and bugs

 
 The IPv6 protocol allowed remote attackers to cause a denial of
 service via crafted IPv6 type 0 route headers that create network
 amplification between two routers (CVE-2007-2242).
 
 The random number feature did not properly seed pools when there was
 no entropy, or used an incorrect cast when extracting entropy, which
 could cause the random number generator to provide the same values
 after reboots on systems without an entropy source (CVE-2007-2453).
 
 A memory leak in the PPPoE socket implementation allowed local users

[ GLSA 200901-03 ] pdnsd: Denial of Service and cache poisoning

* The p_exec_query() function in src/dns_query.c does not properly
  handle many entries in the answer section of a DNS reply, related to
  a "dangling pointer bug" (CVE-2008-4194).

* The default value for query_port_start was set to 0, disabling UDP
  source port randomization for outgoing queries (CVE-2008-1447).

Impact
======

An attacker could exploit the second weakness to poison the cache of

Multiple vulnerabilities in yaSSL 1.7.5

The buffer which contains the data received by the client in the Hello
packet has the following structure (from yassl_imp.hpp):

class ClientHello : public HandShakeBase {
    ProtocolVersion     client_version_;
    Random              random_;
    uint8               id_len_;                         // session id length
    opaque              session_id_[ID_LEN];
    uint16              suite_len_;                      // cipher suite length
    opaque              cipher_suites_[MAX_SUITE_SZ];
    uint8               comp_len_;                       // compression length

Re: Standing Up Against German Laws - Project HayNeedle

> If I read the law correctly, it requires retention of "what IP  
> connected to another IP" and "which phone number called where." It  
> doesn't bother retaining the URL called (my German is rusty, so I may  
> be a little off in my interpretation). Connecting to a random IP on a  
> random open port (80 and 443, for example) would be a good start to  
> accomplish the goal creating chatter. The issue is that the search  
> terms to find those ports could lead to connecting to a site that  
> increases your profile against general background chatter, even as it  
> is raised with random connection traffic.
As a native German speaker, allow me to clarify: with respect to IP

Re: "BIND 9 DNS Cache Poisoning" by Amit Klein (Trusteer)

This is Paul Vixie's response on this, when I asked him for verification:

-----
this bug has been reported over and over again for a dozen years.  it's
odd to have to keep fixing it-- i fixed it in bind4 and bind8 when theo
de raadt offered me his random number generator to use.  bind9 should've
used that same one but apparently didn't.  note that with this fix, the
difficulty in poisoning someone's cache rises from "a few tens of seconds"
to "a few minutes".  it's a 16-bit field.  not a lot of room for
randomness or unpredictability.  only DNSSEC, a protocol change, fixes
this problem, which is fundamentally a protocol problem.  but since folks

[SECURITY] [DSA 1356-1] New Linux 2.6.18 packages fix several vulnerabilities

    A similar issue exists in the IPV4 protocol handler and will be fixed
    in a subsequent update.

CVE-2007-2453

    A couple of issues with random number generation were discovered.
    Slightly less random numbers resulted from hashing a subset of the
    available entropy. Zero-entropy systems were seeded with the same
    inputs at boot time, resulting in repeatable series of random numbers.

CVE-2007-2525

Security flaw in Airtel DSL modems

Hi,

I've found a few problems with the way DSL modems by a vendor Bharti and provided by Airtel (an Indian ISP) are set up. I've been talking
with Airtel on this over the past couple of months to try to get them to close the vulnerability. They feel that they have addressed the issue appropriately. Please find the details of the vulnerability below in the forwarded emails. The vulnerability can be verified by trying a telnet on any random Airtel IP (say 122.167.xx.xx).

Cheers,
Shishir

---------- Forwarded message ----------
From: Shishir Birmiwal <shr@birmiwal.net>

[SECURITY] [DSA 1576-1] New openssh packages fix predictable randomness

http://www.debian.org/security/                           Florian Weimer
May 14, 2008                          http://www.debian.org/security/faq
------------------------------------------------------------------------

Package        : openssh
Vulnerability  : predictable random number generator
Problem type   : remote
Debian-specific: yes
CVE Id(s)      : CVE-2008-0166

The recently announced vulnerability in Debian's openssl package

[security bulletin] HPSBUX02351 SSRT080058 rev.6 - HP-UX Running BIND, Remote DNS Cache Poisoning

B.11.31 running v9.3.2 / Install revision C.9.3.2.3.0 or subsequent; Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf.

Note: Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf.

Note: Firewall configurations may need to be adjusted to allow DNS queries from random source ports to pass. In addition, firewalls that forward DNS queries must not replace the random source ports.

MANUAL ACTIONS: Yes - NonUpdate

Remove "query-source port" and "query-source-v6 port" options in /etc/named.conf. Check firewall settings.


CheckPoint Secure Platform Multiple Buffer Overflows

The interest of the released paper is the exploitation environment: RedHat Linux + Exec-Shield + CPSHELL + many vulnerable binaries...

Summarizing, the system protections are:

- Non executable stack/heap,...
- Random stack/heap base address
- ASLR (Address Space Layout Randomization)
- ASCII Armor (libraries mapped under 16MB, so null byte in its address)
- CPSHELL - a hardened shell that only allows to run specific commands and a very restricted sub-range of ASCII chars.

Even if we are not reinventing the wheel, I honestly think that the exploitation scenario is far from "comfortable"... At the end a P.o.C. exploit has been released for those who want to check that the vulnerability is really exploitable.

RE: CheckPoint Secure Platform Multiple Buffer Overflows

Linux + Exec-Shield + CPSHELL + many vulnerable binaries...

Summarizing, the system protections are:

- Non executable stack/heap,...
- Random stack/heap base address
- ASLR (Address Space Layout Randomization)
- ASCII Armor (libraries mapped under 16MB, so null byte in its address)
- CPSHELL - a hardened shell that only allows to run specific commands and a
very restricted sub-range of ASCII chars.


[SECURITY] [DSA 1623-1] New dnsmasq packages fix cache poisoning

lead to practical DNS cache poisoning attacks. Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.

This update changes Debian's dnsmasq packages to implement the
recommended countermeasure: UDP query source port randomization. This
change increases the size of the space from which an attacker has to
guess values in a backwards-compatible fashion and makes successful
attacks significantly more difficult.

This update also switches the random number generator to Dan

[SECURITY] [DSA 1604-1] BIND 8 deprecation notice

lead to practical DNS cache poisoning attacks.  Among other things,
successful attacks can lead to misdirected web traffic and email
rerouting.

The BIND 8 legacy code base could not be updated to include the
recommended countermeasure (source port randomization, see DSA-1603-1
for details).  There are two ways to deal with this situation:

1. Upgrade to BIND 9 (or another implementation with source port
randomization).  The documentation included with BIND 9 contains a
migration guide.

RE: TCP Port randomization paper

 > -----Original Message-----
 > From: Fernando Gont [mailto:fernando.gont@gmail.com]
 > Sent: Friday, December 07, 2007 02:45
 > To: bugtraq@securityfocus.com
 > Subject: TCP Port randomization paper
 >
 > Folks,
 >
 > We have published a revision of our port randomization paper.
 > This is the first revision of the document since it was accepted as a

Paper by Amit Klein (Trusteer): "PowerDNS Recursor DNS Cache Poisoning [pharming]"

Once again, a DNS cache poisoning against a popular DNS cache
server. This time, it's PowerDNS (the third most popular DNS
server, servicing over 40 million users). The vendor coded
several impressive security measures against DNS spoofing (e.g.
UDP source port randomization and spoofed response detection),
but relied on the standard C randomization facility (the rand()
and srand() functions in <stdlib.h>). The two popular stdlib
implementations analyzed, glibc (used with GNU C++ for Linux/
Unix-like systems) and MSVCRT (used with Microsoft's MSVC for
Windows) are shown to be easily predictable, thus enabling an

[oCERT-2009-004] AjaxTerm session id collision

#2009-004 AjaxTerm session id collision

Description:

AjaxTerm, an open source web based terminal, uses a form of random session id
generation which can lead to remote session hijacking.

The ajaxterm.js script allocates session ids on the client side using the
following method:


[waraxe-2010-SA#078] - Multiple Vulnerabilities in CruxCMS 3.0.0

Open html file above and click "Test!" button. After successful POST request
newly written remote file can be accessed like this:

http://localhost/cruxcms.3.0.0/Uploads/Misc/info-38656.php

As seen above, random string ("38656" in this specific example) is concatenated
to the filename. For successful exploitation therefore two options exist:

a) if webserver directory listing is enabled, then filename can be easily found
b) bruteforce is possible -> ~100 000 tries needed max for filename guessing


{PRL} Novell Netware CIFS And AFP Remote Memory Consumption DoS

#       Here is a modified version from the script written by the researcher Jeremy Brown
#       http://jbrownsec.blogspot.com/2009/12/writing-code-that-breaks-code.html
#     

use IO::Socket;
use String::Random;

$target   = $ARGV[0];
$port     = 548;
$protocol = tcp;
$maxsize  =

Update+Errata: Re: A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability"

Errata
******
The original paper mentioned that MacOS X has a particular
implementation bug wherein it always sets seed=0. However, this is
not accurate. The tmp variable changes each time ip_randomid() is
called, and thus it is not guaranteed that seed=0. Nevertheless, it
can be easily shown that seed=0 in about 50% of the key intervals.
This is because at the re-keying time, tmp has probability of around
50% to have its higher 16 bits 0.


DNS Multiple Race Exploiting Tool

hostnames for a target domain. Along with the queries are fake reply/replies with
static Transaction ID(s). Every query will generate another query from the DNS
server with a random TXID. If one of the replies contains this specific TXID, the
cache is poisoned. Because the replies are sent directly after the query, they
will arrive at the DNS server much earlier than the legitimate reply from some
Name


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
