Hi Joe!

Joe Hildebrand wrote on 2003-10-13 13:09:26:
> Can't I send an iq:last to the server to find out how long it's been up?  In
> which case, I as an attacker can get pretty close to guessing the seed...

Yeah, but I don't think this will help you. The only problem is that
without the patch you can force the server to use the same challenge
again. Just by knowing the challenge I don't see how this will help you
(for a passive attack).

The problem I see with the unpatched jadc2s is that you listen to a
connection and see what a client responds to a given challenge - force
the server to use the same challenge again (or wait for it) and you can
log in with the response you sniffed.

But as I said: you're right. The whole thing with rand() is not the best
solution. Maybe it would be a good idea to use the RAND_*() functions of
OpenSSL if compiled with SSL support.


See you
    Matthias


-- 
For kibibytes see:
http://www.iec.ch/online_news/etech/arch_2003/etech_0503/focus.htm
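
Added example (not part of the original message and not jadc2s code): a C sketch of the replay problem described above, where a rand()-based challenge repeats whenever the seed repeats, next to a challenge read from the kernel CSPRNG. The function names, the seed, the secret and the FNV-1a stand-in for the real digest are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHAL_LEN 16

/* Weak: challenge derived from rand(); the same seed gives the same challenge. */
static void weak_challenge(unsigned seed, char out[CHAL_LEN * 2 + 1]) {
    srand(seed);                          /* e.g. seeded once from start-up time */
    for (int i = 0; i < CHAL_LEN; i++)
        sprintf(out + 2 * i, "%02x", (unsigned)(rand() & 0xff));
}

/* Stronger: challenge taken from the kernel CSPRNG. Returns 0 on success. */
static int strong_challenge(char out[CHAL_LEN * 2 + 1]) {
    unsigned char buf[CHAL_LEN];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (got != sizeof buf) return -1;     /* fail closed, never fall back to rand() */
    for (int i = 0; i < CHAL_LEN; i++)
        sprintf(out + 2 * i, "%02x", (unsigned)buf[i]);
    return 0;
}

/* Stand-in for the real digest (FNV-1a over challenge||secret); NOT cryptographic. */
static uint32_t response_for(const char *challenge, const char *secret) {
    uint32_t h = 2166136261u;
    for (const char *p = challenge; *p; p++) h = (h ^ (unsigned char)*p) * 16777619u;
    for (const char *p = secret; *p; p++)    h = (h ^ (unsigned char)*p) * 16777619u;
    return h;
}

/* Server-side check: does a previously observed response match this challenge? */
static int accepts(const char *challenge, const char *secret, uint32_t response) {
    return response_for(challenge, secret) == response;
}

int main(void) {
    char c1[CHAL_LEN * 2 + 1], c2[CHAL_LEN * 2 + 1], c3[CHAL_LEN * 2 + 1];
    weak_challenge(1066050566u, c1);                          /* constructed seed */
    uint32_t seen = response_for(c1, "constructed-secret");   /* response seen on the wire */
    weak_challenge(1066050566u, c2);                          /* same seed, same challenge */
    if (strong_challenge(c3) != 0) return 1;
    printf("repeated challenge accepts old response: %d\n", accepts(c2, "constructed-secret", seen));
    printf("fresh challenge accepts old response:    %d\n", accepts(c3, "constructed-secret", seen));
    return 0;
}
```

With OpenSSL available, RAND_bytes() can fill buf in strong_challenge() in place of the /dev/urandom read.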
