Can't I send an iq:last to the server to find out how long it's been up? In which case, I as an attacker can get pretty close to guessing the seed...
-- Joe Hildebrand

> -----Original Message-----
> From: Matthias Wimmer [mailto:[EMAIL PROTECTED]
> Sent: Saturday, October 11, 2003 5:11 PM
> To: [EMAIL PROTECTED]
> Subject: [JDEV] Still another patch ... (seed the rand() function)
>
> Hi!
>
> Sorry to flood this mailing list this weekend. ;-) This is
> another patch for jadc2s.
>
> jadc2s used the rand() function to generate ids for the
> digest authentication but never seeds the rand() function.
> The result is that with every restart of jadc2s it generates
> the same sequence of ids again. This is a very bad behavior,
> especially on servers with less load.
> An attacker could take over an account if he is able to sniff
> connections and if he is able to crash jadc2s (or jadc2s is
> restarted regularly). He can just sniff which id was sent to
> the client and what the client sent back as response.
> Afterwards he crashes jadc2s or waits for another restart.
> Then he just has to wait for the right moment where the
> server will generate this key again (counting the logins),
> connect to it and he will be successfully able to
> authenticate as the other user. By changing the password he
> has taken over the account.
>
> The fix is to just seed the rand() function at startup of
> jadc2s with the current time that will be different for every
> restart. (But using rand() to generate the digest ids still
> isn't a very strong implementation.)
>
>
> See you
> Matthias
>
> --- jadc2s.c 2003-10-10 11:05:45.000000000 +0200
> +++ jadc2s-srand.c 2003-10-12 00:53:41.000000000 +0200
> @@ -200,6 +200,9 @@
> return 1;
> }
>
> + /* seed the rand() function */
> + srand(time(NULL));
> +
> /* start logging */
> c2s->log = log_new("jadc2s");
> log_write(c2s->log, LOG_NOTICE, "starting up");
>
> --
> For kibibytes see:
> http://www.iec.ch/online_news/etech/arch_2003/etech_0503/focus.htm

_______________________________________________
jdev mailing list
[EMAIL PROTECTED]
http://mailman.jabber.org/listinfo/jdev
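Review bot: `srand(time(NULL))` in this hunk only stops the id sequence from being identical on every restart; it does not make the ids unpredictable, because time(NULL) has one-second resolution and, as the reply above notes, the server's start time can be estimated from iq:last, which narrows the seed to a handful of candidates. Since the hunk already concedes that rand() is not a strong source for digest ids, the change should replace the rand() call in the id generator with a cryptographic source (for example bytes read from /dev/urandom on platforms that have it) rather than only adding a seed; if the hunk is kept as a stopgap, confirm that jadc2s.c already includes <time.h>, since the hunk adds a time() call without adding the header.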
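The defect discussed in the thread, demonstrated as an added example that is not jadc2s code: `weak_digest_id` models the original id generator (rand() with a fixed or guessable seed, so two "restarts" hand out the same id), and `strong_digest_id` is the hardened alternative the thread alludes to, assuming a POSIX host with /dev/urandom.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the defect: rand() seeded with a value that is fixed
 * (unseeded jadc2s) or guessable (time(NULL)) produces the same id sequence
 * after every restart, so a sniffed id will be handed out again. */
static void weak_digest_id(unsigned seed, char *out, size_t out_len)
{
    srand(seed);                                  /* one "restart" */
    snprintf(out, out_len, "%08x%08x", (unsigned)rand(), (unsigned)rand());
}

/* Returns 1 if two restarts with the same seed yield the same id. */
static int weak_ids_repeat(unsigned seed)
{
    char a[32], b[32];
    weak_digest_id(seed, a, sizeof a);
    weak_digest_id(seed, b, sizeof b);
    return strcmp(a, b) == 0;
}

/* Hardened variant (assumption: /dev/urandom is available): 128 bits from
 * the kernel CSPRNG, hex-encoded, independent of uptime. Returns 0 on success. */
static int strong_digest_id(char *out, size_t out_len)
{
    unsigned char buf[16];
    FILE *f;
    size_t i;

    if (out_len < 2 * sizeof buf + 1)
        return -1;
    if ((f = fopen("/dev/urandom", "rb")) == NULL)
        return -1;
    if (fread(buf, 1, sizeof buf, f) != sizeof buf) {
        fclose(f);
        return -1;
    }
    fclose(f);
    for (i = 0; i < sizeof buf; i++)
        snprintf(out + 2 * i, 3, "%02x", buf[i]);
    return 0;
}

/* Returns 1 if two consecutive strong ids are well-formed and differ. */
static int strong_ids_differ(void)
{
    char a[33], b[33];
    if (strong_digest_id(a, sizeof a) != 0 || strong_digest_id(b, sizeof b) != 0)
        return 0;
    return strlen(a) == 32 && strlen(b) == 32 && strcmp(a, b) != 0;
}
```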
