Bugtraq: Re: Jetty Session ID Prediction

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: Jetty Session ID Prediction

From: Amit Klein <aksecurity () gmail com>
Date: Tue, 06 Feb 2007 07:04:59 +0200

Michal Zalewski wrote:

On Mon, 5 Feb 2007, NGSSoftware Insight Security Research wrote:

Jetty generates a 64-bit session id by generating two 32-bit numbers in
this way, so we end up with an encoded 64-bit integer. By decoding the
integer and splitting it into its two component 32-bit integers, we can
easily brute-force the generator's internal state.


Why on earth would you want to brute-force it?

http://www.springerlink.com/content/9jkp3179mj6fwh6m/s
http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/C89/138.PDF

I don't think that the method described in the paper you referencedabove is applicable as-is, because the method requires that the state ofthe PRNG is known (the coefficients aren't), while in our situation, thecoefficients are known, but the state isn't known in fullness (only 32bits out of the 48 are known).


-Amit

By Date By Thread

Current thread:

Jetty Session ID Prediction NGSSoftware Insight Security Research (Feb 05)
- Re: Jetty Session ID Prediction Amit Klein (Feb 05)
- Re: Jetty Session ID Prediction Michal Zalewski (Feb 05)
  - Re: Jetty Session ID Prediction Amit Klein (Feb 06)
    - Re: Jetty Session ID Prediction Michal Zalewski (Feb 06)
- <Possible follow-ups>
- Re: Jetty Session ID Prediction Chris Anley (Feb 06)
  - Re: Jetty Session ID Prediction Amit Klein (Feb 06)
    - Re: Jetty Session ID Prediction Chris Anley (Feb 07)
  - Re: Jetty Session ID Prediction Michal Zalewski (Feb 06)