OpenSSL rands (fork-safe) By @ONsec_Lab Sep 15, 2013
Jan 15, 2015
@ONsec_lab
● Security auditors
● Since 2009
● Web, sex and rock’n’roll
http://lab.onsec.ru
/whoami
premise
http://emboss.github.io/blog/2013/08/21/openssl-prng-is-not-really-fork-safe/
OpenSSL PRNG Is Not (Really) Fork-safe Aug 21st, 2013
Martin Boßlet wrote it up starting from issues raised by Eric Wong
premise
● About Ruby OpenSSL wrapper (OpenSSL::Random)
● The OpenSSL PRNG must be initialized in the parent before the child processes are forked
● Every child therefore starts out with exactly the same PRNG state
● The PID is the only process-specific value fed into the PRNG when random bytes are requested
premise
Debian!
But...
● The Debian maintainers commented out the MD_Update call that mixed in an UNINITIALISED variable
● We believe that they did the right thing ;)
non-Debian systems
● The vulnerability exists on all systems (Debian and non-Debian alike)
● Whether it is exploitable depends only on the end-point code (the application, not OpenSSL)
● There are two different places where buf can live:
○ Stack
○ Heap
● Let’s try to hack it!
stack-based PoC (all OS)
https://github.com/ONsec-Lab/Rand-attacks/blob/master/openssl-1.c
from different calls to the same == from different stack states to the same!
heap-based PoC (all OS)
https://github.com/ONsec-Lab/Rand-attacks/blob/master/openssl-2.c
malloc allocates a nulled memory page
other attacks
● e.g. PHP initializes RAND after fork
● But the classic attack paths are still available:
○ Keep-Alive -> rands on the same PID
○ Brute-force the seed from the rands
○ Predict the next rand from seed + offset
● What about the entropy of OpenSSL RAND?
○ 128 bytes * 20 (GID*UID) * 32k (PID)
○ Not so little :(
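As an added illustration of the premise slide (same pool in every child, PID the only process-specific input) and of the PID-bounded entropy figure above, here is a simplified Python model constructed for this write-up; it is not code from the slides, from the ONsec PoCs or from OpenSSL itself. The pool contents, the hash-based mixing and the 32-byte reseed are assumptions of the model, chosen only to show why a child must be reseeded after fork().

```python
import hashlib
import os

# Constructed sample: the pool every child inherits verbatim from the parent.
PARENT_STATE = hashlib.sha256(b"constructed parent pool for illustration").digest()


class ForkedPrng:
    """Toy model of a fork-inherited PRNG that mixes in only the PID at request time."""

    def __init__(self, state: bytes) -> None:
        self.state = state     # copied unchanged into each child by fork()
        self.counter = 0       # the "offset" within the output stream

    def add(self, entropy: bytes) -> None:
        """Mix fresh entropy into the pool (what a reseed-after-fork hook does)."""
        self.state = hashlib.sha256(self.state + entropy).digest()

    def rand_bytes(self, n: int, pid: int) -> bytes:
        out = b""
        while len(out) < n:
            # Each block depends only on the inherited pool, the PID and the offset.
            block = hashlib.sha256(
                self.state + pid.to_bytes(4, "little") + self.counter.to_bytes(8, "little")
            ).digest()
            self.state = hashlib.sha256(self.state + block).digest()
            self.counter += 1
            out += block
        return out[:n]


def child_stream(parent_state: bytes, pid: int, reseed: bool, n: int = 16) -> bytes:
    """First n bytes a forked child with this PID would hand out."""
    child = ForkedPrng(parent_state)   # fork(): exact copy of the parent's pool
    if reseed:
        child.add(os.urandom(32))      # mitigation: feed the child fresh entropy
    return child.rand_bytes(n, pid)


def unseeded_children_collide(parent_state: bytes, pid: int) -> bool:
    """Two children with the same inherited pool and PID (e.g. PID reuse)
    produce identical bytes when nothing is reseeded after fork."""
    return child_stream(parent_state, pid, False) == child_stream(parent_state, pid, False)


def reseeded_children_collide(parent_state: bytes, pid: int) -> bool:
    """With a reseed after fork, the same PID no longer yields the same stream."""
    return child_stream(parent_state, pid, True) == child_stream(parent_state, pid, True)


def distinct_unseeded_streams(parent_state: bytes, max_pid: int) -> int:
    """Without reseed, the number of distinct child streams is capped by the PID range."""
    return len({child_stream(parent_state, pid, False) for pid in range(1, max_pid + 1)})
```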
just recommend!
http://lwn.net/Articles/281918/ [2008]
http://research.swtch.com/openssl [2008]
http://mjos.fi/doc/secadv_prng.txt [2001]
Do not be afraid of names and brands, such as OpenSSL
The end.
follow us:
http://lab.onsec.ru
@ONsec_lab twitter