oss-sec mailing list archives

Re: DNS vulnerability: other relevant software

From: Florian Weimer <fw () deneb enyo de>
Date: Sat, 12 Jul 2008 23:50:41 +0200

* Eugene Teo:

Actually, I'm not sure. I'm checking with my colleagues who may be more
familiar with the implementation of net_random/random32() routine.


Gosh, I must be missing something.  This generator appears to be linear
(but the reduction to the available port range is not).

The comment is pretty clear, too:

 *      A 32 bit pseudo-random number is generated using a fast
 *      algorithm suitable for simulation. This algorithm is NOT
 *      considered safe for cryptographic use.

I haven't written an exploit because I'm not sure how to bypass the
modulo operation.  The modulus is 28233 = 3 * 3 * 3137 by default, so
it's not obvious to me how to recover the internal status without 2**51
effort.

Current thread:

Re: DNS vulnerability: other relevant software, (continued)
- Re: DNS vulnerability: other relevant software The Fungi (Jul 09)
  - Re: DNS vulnerability: other relevant software Mark J Cox (Jul 09)
    - Re: DNS vulnerability: other relevant software Florian Weimer (Jul 09)
    - Re: DNS vulnerability: other relevant software Eugene Teo (Jul 09)
    - Re: DNS vulnerability: other relevant software Eugene Teo (Jul 09)
    - Re: DNS vulnerability: other relevant software Eugene Teo (Jul 10)
    - Re: DNS vulnerability: other relevant software Nathanael Hoyle (Jul 10)
    - Re: DNS vulnerability: other relevant software Bernhard R. Link (Jul 11)
    - Re: DNS vulnerability: other relevant software Nathanael Hoyle (Jul 11)
    - Re: DNS vulnerability: other relevant software Florian Weimer (Jul 13)
    - Re: DNS vulnerability: other relevant software Florian Weimer (Jul 12)
    - Re: DNS vulnerability: other relevant software Eugene Teo (Jul 09)
- Re: DNS vulnerability: other relevant software Robert Buchholz (Jul 09)
- Re: DNS vulnerability: other relevant software Thomas Biege (Jul 10)