4. premise
• About the Ruby OpenSSL wrapper (OpenSSL::Random)
• The OpenSSL PRNG must be initialized in the parent before we fork the child processes
• Every child starts out with exactly the same PRNG state
• The PID is the only process-specific thing that is fed to the PRNG algorithm when requesting random bytes
7. But...
• The Debian guys commented out the MD_Update call with the UNINITIALISED variable
• We believe that they did the right thing ;)
8. non-Debian systems
• The vulnerability exists on all systems (Debian and non-Debian alike)
• Exploitation possibility depends only on the end-point code (the application, not OpenSSL)
• There are two different places for buf:
  • Stack
  • Heap
• Let's try to hack it!
9. stack-based PoC (all OS)
https://github.com/ONsec-Lab/Rand-attacks/blob/master/openssl-1.c
(diagram) from different calls to the same == from different stack states to the same!
11. other attacks
• e.g. PHP initializes RAND after fork
• But the classic attack path is still available:
  • Keep-Alive -> rands on the same PID
  • Brute-force the seed from the rands
  • Predict rand by seed + offset
• What about the entropy of OpenSSL RAND?
  • 128 bytes * 20 (GID*UID) * 32k (PID)
  • Not so little :(
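Added example (not from the slides or the ONsec-Lab repository): the defensive counterpart to slides 4 and 11. The parent initializes OpenSSL::Random before forking, every child mixes fresh kernel entropy into its copy of the PRNG, and the parent checks that the children's outputs are distinct. The helper names and the use of /dev/urandom as entropy source are this example's own assumptions.

```ruby
require "openssl"

# Mix fresh kernel entropy into this process's copy of the OpenSSL PRNG.
# Assumed helper name; /dev/urandom is the assumed entropy source.
# Called in a child right after fork so it no longer shares the parent's state.
def reseed_after_fork(bytes = 32)
  fresh = File.binread("/dev/urandom", bytes)
  OpenSSL::Random.random_add(fresh, bytes) # second argument: entropy estimate in bytes
end

# Fork `count` children; each one (optionally) reseeds, then sends `n` random
# bytes as hex to the parent through a pipe. Returns the collected hex strings.
def child_random_outputs(count, n = 16, reseed: true)
  OpenSSL::Random.random_bytes(16) # parent touches the PRNG before forking (slide 4)
  readers = Array.new(count) do
    rd, wr = IO.pipe
    fork do
      rd.close
      reseed_after_fork if reseed # mitigation: child state diverges from the parent's copy
      wr.write(OpenSSL::Random.random_bytes(n).unpack1("H*"))
      wr.close
      exit!(0) # skip at_exit handlers inherited from the parent
    end
    wr.close
    rd
  end
  outputs = readers.map { |rd| data = rd.read; rd.close; data }
  Process.waitall
  outputs
end

# Fork-safety check: true only when every child produced a distinct,
# full-length value. A repeated value means the children share PRNG state.
def children_distinct?(count = 4)
  outs = child_random_outputs(count)
  outs.uniq.size == outs.size && outs.all? { |o| o.size == 32 }
end

if __FILE__ == $0
  if children_distinct?(4)
    puts "children produced distinct random output"
  else
    puts "children REPEAT random output: PRNG not reseeded after fork"
  end
end
```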