Yea, I know…

I’ve been bad about updating. Things have been busy but hopefully I can work up something cool this coming week.

I had thought about detailing the Debian OpenSSL problems that a lot of us have been reading about, but in case you missed it, H.D. Moore already did an incredible job on it.

On May 13th, 2008 the Debian project announced that Luciano Bello found an interesting vulnerability in the OpenSSL package they were distributing. The bug in question was caused by the removal of the following line of code from md_rand.c

MD_Update(&m,buf,j);
[ .. ]
MD_Update(&m,buf,j); /* purify complains */

These lines were removed because they caused the Valgrind and Purify tools to produce warnings about the use of uninitialized data in any code that was linked to OpenSSL. You can see one such report to the OpenSSL team here. Removing this code has the side effect of crippling the seeding process for the OpenSSL PRNG. Instead of mixing in random data for the initial seed, the only “random” value that was used was the current process ID. On the Linux platform, the default maximum process ID is 32,768, resulting in a very small number of seed values being used for all PRNG operations.

To view his entry and input on the topic, click here.
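To make the scale of the problem concrete, here is an added example (not from H.D. Moore's write-up or from OpenSSL) of the audit a defender can run once the seed space is known to be this small: enumerate every possible seed, record the resulting key fingerprints, and check existing keys against that list. The generator is a SHA-256 stand-in, not the real md_rand.c, and the names `model_key_material`, `build_blocklist` and `is_weak` are made up for the illustration.

```python
import hashlib
import os

PID_MAX = 32768  # default Linux maximum process ID, as stated above


def model_key_material(pid, extra_entropy=b"", nbytes=32):
    """Stand-in generator (SHA-256 in counter mode), NOT OpenSSL's md_rand.c.

    The seed is the PID plus whatever other entropy was mixed in. In the
    crippled case extra_entropy is empty, so the PID alone fixes the output.
    """
    seed = hashlib.sha256(pid.to_bytes(4, "big") + extra_entropy).digest()
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:nbytes]


def fingerprint(key_material):
    """Fingerprint used to compare keys without storing the key itself."""
    return hashlib.sha256(key_material).hexdigest()


def build_blocklist():
    """One fingerprint per possible PID: the complete set of weak keys."""
    return {fingerprint(model_key_material(pid)) for pid in range(1, PID_MAX + 1)}


def is_weak(key_material, blocklist):
    """True if this key could have come from the PID-only generator."""
    return fingerprint(key_material) in blocklist


if __name__ == "__main__":
    blocklist = build_blocklist()
    # Constructed sample keys: one PID-only, one with real entropy mixed in.
    weak = model_key_material(pid=4242)
    healthy = model_key_material(pid=4242, extra_entropy=os.urandom(32))
    print("possible weak keys:", len(blocklist))
    print("PID-only key flagged:", is_weak(weak, blocklist))
    print("properly seeded key flagged:", is_weak(healthy, blocklist))
```

Any key the check flags has to be regenerated on a fixed system, since everything derived from the broken generator is predictable.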

In the meantime, play with w3af. It’s fun for the whole family!

~ by ohsoninja on May 19, 2008.
