[4324] in bugtraq
Re: SNI-12: BIND Vulnerabilities and Solutions
daemon@ATHENA.MIT.EDU (David Wagner)
Wed Apr 23 16:40:56 1997
Date: Wed, 23 Apr 1997 00:52:49 -0700
Reply-To: David Wagner <daw@CS.BERKELEY.EDU>
From: David Wagner <daw@CS.BERKELEY.EDU>
X-To: bugtraq@crimelab.com
To: BUGTRAQ@NETSPACE.ORG
In article <199704230609.AAA19514@cvs.openbsd.org>,
Theo de Raadt <deraadt@CVS.OPENBSD.ORG> wrote:
> > It attempts to make the query ID unpredictable, but fails -- the "random"
> > numbers it generates are still predictable (after a trivial 2^16 offline
> > trials).
>
> Did you include all the details included in res_random.c such as the
> code which causes the entire system is reset with whole new seeds
> after a fixed period of time (300 seconds is it)? You can predict a
> sequence and feed it the next few numbers before the generator reseeds
> itself?
Sure. Any real attack would be automated. 300 seconds is an eternity,
in computer time. The 2^16 trials for prediction is easily doable in a
fraction of a second.
> > And the seeding is terrible -- two years ago Netscape used
> > timeofday and pid to seed their PRNG, too, and look what happened to them.
>
> Hey, I make no apologies for operating systems that ship without a
> source of strong(ish) random numbers in their libc!
If Netscape had used that excuse, they'd have been crucified.
Let's not get into the blame game. My concern is that the patch, as
provided, won't fix the predictable-query-ID hole on most systems, and
folks need to know this.
