>I think the problem is not the halfMD4Transform. The problem could be caused by the
> fact that the random part of secret remains zero.
>Could you please check if the newest 2.2.13pre12 kernel from Alan is vulnerable?
>This bug was found a few days ago.
>
>The main change is :
>--- linux.vanilla/drivers/char/random.c Thu Dec 31 20:03:49 1998
>+++ linux.13p12/drivers/char/random.c Sun Sep 19 15:00:34 1999
>@@ -1698,7 +1698,7 @@
> if (!rekey_time || (tv.tv_sec - rekey_time) > REKEY_INTERVAL) {
> rekey_time = tv.tv_sec;
> /* First three words are overwritten below. */
>- get_random_bytes(&secret+3, sizeof(secret)-12);
>+ get_random_bytes(&secret[3], sizeof(secret)-12);
> count = (tv.tv_sec/REKEY_INTERVAL) << HASH_BITS;
> }
>
No.
I've tested this. It doesn't matter whether you do &secret+3 or
&secret[3]. Do you mean the compiler would treat first one as
integer-add, while second is pointer one, so result is += 3*sizeof(int) ?
I've made the changes you requested (and hopefully, i havent done sth. wrong :)
and here is the tcpdump-log:
13:36:22.735666 lucifer.c-skills.de.940 > liane.c-skills.de.login: S 1968223935:1968223935(0) win 0
13:36:22.735947 liane.c-skills.de.login > lucifer.c-skills.de.940: S 3537019127:3537019127(0) ack 1968223936 win 32696 <mss 536> (DF)
13:36:22.737305 lucifer.c-skills.de.940 > liane.c-skills.de.login: R 1968223936:1968223936(0) win 0
13:36:22.737694 alice.940 > liane.c-skills.de.login: S 1968223935:1968223935(0) win 0
13:36:22.737756 liane.c-skills.de.login > alice.940: S 3537021138:3537021138(0) ack 1968223936 win 32696 <mss 536> (DF)
(... ACK-'flood' begins here ...)
13:36:29.740695 alice.940 > liane.c-skills.de.login: . 1968223936:1968223937(1) win 0
13:36:29.748168 liane.c-skills.de.login > alice.940: . ack 1968223937 win 32696 (DF) [tos 0x10]
13:36:30.745296 alice.940 > liane.c-skills.de.login: . 1968223937:1968223945(8) win 0
13:36:30.748153 liane.c-skills.de.login > alice.940: . ack 1968223945 win 32696 (DF) [tos 0x10]
..
As you see, the spoof was successfull.
If my calculater is OK, then the diff is 2011 which is still exploitable,
and i still was able to spoof rlogind here. (lucifer spoofs to be alice, liane
is running rlogind). The problem lies really in the MD4-algo!?
regards,
Stealth
P.S.: The advisory was already posted to BUGTRAQ, but they didn't answered yet. :-(
Should i resent it?
: ---- main(){fork();main();} ----
: Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
: Stealth <-> http://www.kalug.lug.net/stealth
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/