Subject: Re: Tempfile vulnerabilities
From: antirez (antirez INVECE.ORG)
Date: Sat Feb 05 2000 - 05:16:09 CST
On Wed, Feb 02, 2000 at 02:36:20PM -0700, Theo de Raadt wrote:
> The terrible /tmp race handling aside...
>
> I suppose then that anyone who attacks a machine which relies on
> /dev/random -- a world readable device -- should do the following:
>
> cat /dev/random > /dev/null &
>
> Crypto software which uses those devices should be doing some kind of
> checking to make sure that they are getting at least good entropy. I
[snip]
Sure, but there is another problem: while an evil user executes 'cat /dev/random >
/dev/null &', it may be that the following results in an infinite loop:

    while (there_are_enough_entropy() == 0)
        sleep(1);
    /* race -- what if the evil user starts to deplete the entropy pool here? */
    get_entropy_from_randomdev();

Can it be so easy to DoS cryptographic software?

Of course all insecure CGI scripts or daemons may be used to pool from
/dev/random remotely. An example? The old TERM="../../../bla" problem.
antirez
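
A bounded alternative to the check-then-read loop in the message above, as an added example that is not part of the original post: the read itself is the entropy check, it runs under one overall deadline, and the caller fails closed if the pool stays drained. The names read_random_deadline and now_ms are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

static long long now_ms(void)   /* monotonic clock, in milliseconds */
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

/* Read exactly len bytes from fd before timeout_ms elapses in total.
 * There is no separate "is there enough entropy?" test to race against.
 * Returns 0 on success, -1 on timeout or error (discard buf on -1). */
int read_random_deadline(int fd, unsigned char *buf, size_t len, int timeout_ms)
{
    long long deadline = now_ms() + timeout_ms;
    size_t got = 0;
    while (got < len) {
        long long left = deadline - now_ms();
        if (left <= 0)
            return -1;                 /* pool kept drained: give up */
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, (int)left);
        if (r < 0 && errno != EINTR)
            return -1;
        if (r <= 0)
            continue;                  /* timeout or EINTR: re-check deadline */
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0)
            got += (size_t)n;          /* short read: keep it, ask for the rest */
        else if (n == 0 || (errno != EINTR && errno != EAGAIN))
            return -1;                 /* EOF or hard error */
    }
    return 0;
}

int main(void)
{
    unsigned char key[16];
    /* O_NONBLOCK: a drain between poll() and read() yields EAGAIN, not a hang */
    int fd = open("/dev/random", O_RDONLY | O_NONBLOCK);
    if (fd < 0 || read_random_deadline(fd, key, sizeof key, 5000) != 0)
        return fprintf(stderr, "no random bytes within 5 s, refusing to continue\n"), 1;
    return close(fd), puts("got 16 random bytes"), 0;
}
```

A timeout here is worth logging: repeated failures point to another process holding the pool empty.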