# 1

02-06-2011 12:26 PM
Comment #6 on issue 1212 by db.pub.m...@gmail.com: weak temp admin password generation
http://code.google.com/p/cherokee/issues/detail?id=1212

I suggest you replace the use of rand() and srand() with something proper...

From the rand/srand manual:

"The srand() function sets its argument as the seed for a new sequence of pseudo-random integers to be returned by rand(). These sequences are repeatable by calling srand() with the same seed value."
...
"Do not use this function in applications intended to be portable when good randomness is needed. (Use random(3) instead.)"
_______________________________________________
Cherokee-dev mailing list
Cherokee-
http://lists.octality.com/listinfo/cherokee-dev
# 2

03-06-2011 12:35 PM
Comment #7 on issue 1212 by db.pub.m...@gmail.com: weak temp admin password generation
http://code.google.com/p/cherokee/issues/detail?id=1212

It turns out that your fix isn't a good fix.
With gcc hardening flags enabled - it probably is an "ok" fix - I wouldn't recommend it...
However, without gcc hardening enabled the address of the buffer is _always_ the same (for a given compilation).
Instead of the worst case being around 200 attempts, now 200,000 (worst case) attempts are required.
Here is an updated version of the checker program source I posted above:
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALPHA_NUM "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
#define PID 27975
#define EXAMPLE_PASSWORD "4TBP3MIuRP3EanTz"
#define ADDR_OF_PASS 6309680

int main(void)
{
    unsigned int i = 0;
    unsigned int n = 0;
    /* Candidate seeds: millisecond timestamps around the time the password was generated */
    unsigned long long TIME_VAR_MAX = 1307098920000 + 200000;
    unsigned long long x = 1307098920000;
    char possible[17] = {0};
    int counter = 0;

    while (x < TIME_VAR_MAX)
    {
        /* Same seed derivation as the server: msec time * buffer address, truncated to unsigned int */
        srand(x * ADDR_OF_PASS);
        for (i = 0; i < 16; i++)
        {
            n = rand() % (sizeof(ALPHA_NUM) - 1);
            possible[i] = ALPHA_NUM[n];
        }
        if (!strcmp(possible, EXAMPLE_PASSWORD))
        {
            printf("took %d tries! %s\n", counter, possible);
            return 0;
        }
        counter++;
        x++;
    }
    return 0;
}
```
# 3

03-06-2011 12:47 PM
Updates:
Status: Started
Comment #8 on issue 1212 by alobbs: weak temp admin password generation
http://code.google.com/p/cherokee/issues/detail?id=1212
(No comment was entered for this change.)
# 4

03-06-2011 12:51 PM
Comment #9 on issue 1212 by db.pub.m...@gmail.com: weak temp admin password generation
http://code.google.com/p/cherokee/issues/detail?id=1212

According to some dumb stats generated by siege, an attacker can try roughly 5k attempts/second [0]. So within one minute - it may be possible for an attacker to try all 200k (worst case) possibilities.

[0] - ran with (siege http://127.0.0.1:9090 -v -r 1000 -c 5)
~/.siegerc looks like this:
username = admin
password = 4TBP3MIuRP3EanTz
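Comment #9 above measures roughly 5k login attempts per second against the admin interface. The following is an added example (mine, not Cherokee's code and not from the thread) of the detection side of that: it tallies 401 responses per client address over a batch of access-log lines in the common log format and flags any client that exceeds a failure threshold. The log lines, the client addresses 10.0.0.7 and 192.168.1.20, and the FAIL_THRESHOLD value are constructed for the example.

```c
/* Added example (not Cherokee's code): flag clients that hammer the admin login,
 * from access-log lines in the common log format. Sample lines are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_CLIENTS 32
#define FAIL_THRESHOLD 5 /* assumption: more 401s than this from one client per batch is suspicious */

struct client_stat {
    char ip[64];
    int failures;
};

/* Extract client address and HTTP status from one CLF line; returns 1 on success. */
int parse_clf(const char *line, char ip[64], int *status)
{
    return sscanf(line, "%63s %*s %*s [%*[^]]] \"%*[^\"]\" %d", ip, status) == 2;
}

/* Tally 401 responses per client over a batch of lines.
 * Returns the number of distinct failing clients recorded (capped at maxstats). */
size_t tally_failures(const char *const *lines, size_t nlines,
                      struct client_stat *stats, size_t maxstats)
{
    size_t nstats = 0;
    for (size_t i = 0; i < nlines; i++) {
        char ip[64];
        int status;
        if (!parse_clf(lines[i], ip, &status) || status != 401)
            continue;
        size_t j;
        for (j = 0; j < nstats; j++)
            if (strcmp(stats[j].ip, ip) == 0)
                break;
        if (j == nstats) {
            if (nstats == maxstats)
                continue; /* table full: dropped here, a real tool would evict the oldest */
            strcpy(stats[j].ip, ip);
            stats[j].failures = 0;
            nstats++;
        }
        stats[j].failures++;
    }
    return nstats;
}

/* Failures recorded for one client, or 0 if it never failed. */
int failures_for(const struct client_stat *stats, size_t nstats, const char *ip)
{
    for (size_t j = 0; j < nstats; j++)
        if (strcmp(stats[j].ip, ip) == 0)
            return stats[j].failures;
    return 0;
}

/* Constructed sample: one client retrying the admin login, one legitimate user. */
static const char *const SAMPLE_LOG[] = {
    "10.0.0.7 - admin [05/Jun/2011:17:20:01 +1000] \"GET / HTTP/1.1\" 401 0",
    "10.0.0.7 - admin [05/Jun/2011:17:20:01 +1000] \"GET / HTTP/1.1\" 401 0",
    "10.0.0.7 - admin [05/Jun/2011:17:20:01 +1000] \"GET / HTTP/1.1\" 401 0",
    "192.168.1.20 - admin [05/Jun/2011:17:20:02 +1000] \"GET / HTTP/1.1\" 401 0",
    "10.0.0.7 - admin [05/Jun/2011:17:20:01 +1000] \"GET / HTTP/1.1\" 401 0",
    "10.0.0.7 - admin [05/Jun/2011:17:20:01 +1000] \"GET / HTTP/1.1\" 401 0",
    "10.0.0.7 - admin [05/Jun/2011:17:20:01 +1000] \"GET / HTTP/1.1\" 401 0",
    "192.168.1.20 - admin [05/Jun/2011:17:20:03 +1000] \"GET / HTTP/1.1\" 200 512",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Runs the tally over the sample and returns how many clients exceed the threshold. */
int sample_flagged_clients(void)
{
    struct client_stat stats[MAX_CLIENTS];
    size_t n = tally_failures(SAMPLE_LOG, SAMPLE_LOG_LEN, stats, MAX_CLIENTS);
    int flagged = 0;
    for (size_t j = 0; j < n; j++) {
        if (stats[j].failures > FAIL_THRESHOLD) {
            printf("brute-force suspect: %s (%d failed logins)\n", stats[j].ip, stats[j].failures);
            flagged++;
        }
    }
    return flagged;
}

int main(void)
{
    sample_flagged_clients();
    return 0;
}
```

At the rate quoted in the thread the whole seed space falls in under a minute, so a per-batch count like this is only useful if the batch is short (seconds) and the response is a lockout or rate limit on the admin port rather than an alert read later; the threshold here is deliberately low because a legitimate operator rarely fails the admin login more than a handful of times.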
# 5

05-06-2011 09:01 AM
Comment #10 on issue 1212 by db.pub.m...@gmail.com: weak temp admin password generation
http://code.google.com/p/cherokee/issues/detail?id=1212

Here is a patch that I would be "happier" with (on *nix systems).
You will need to compile with -lbsd on linux :)
--- cherokee/main_admin.c.orig 2011-06-05 17:20:23.372005245 +1000
+++ cherokee/main_admin.c 2011-06-05 17:20:01.339998521 +1000
@@ -24,6 +24,7 @@
#include "common-internal.h"
+#include
#include
#include
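Review bot: the added #include line has lost its header name in the archive; given the note that Linux builds need -lbsd, it is presumably the libbsd header, which does not exist on the BSDs or macOS where arc4random_uniform() is declared in the system stdlib.h. Guard the include and the -lbsd link flag with a configure-time check so the build does not break on platforms without libbsd.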
@@ -114,12 +115,8 @@
{
cuint_t i;
cuint_t n;
-
- cherokee_bogotime_update();
- srand(cherokee_bogonow_msec * POINTER_TO_INT(buf) );
-
for (i=0; i
- n = rand()%(sizeof(ALPHA_NUM)-1);
+ n = arc4random_uniform(sizeof(ALPHA_NUM)-1);
cherokee_buffer_add_char (buf, ALPHA_NUM[n]);
}
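Review bot: the "for (i=0; i" line is truncated in the archive, so the loop bound cannot be checked from this hunk; the substantive change otherwise looks right: removing the cherokee_bogonow_msec * POINTER_TO_INT(buf) seed takes away the guessable 32-bit seed, and arc4random_uniform(sizeof(ALPHA_NUM)-1) also removes the small modulo bias of rand()%(sizeof(ALPHA_NUM)-1). Two things to confirm before merging: that nothing later in the function still relies on cherokee_bogotime_update() having run, and that builds without arc4random_uniform() get a fallback (for example reading from /dev/urandom) rather than a compile failure.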
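As an added example, not from the thread and not Cherokee's code: the rand()/srand() scheme that Comment #7's checker targets, placed beside a hardened generator that does what the arc4random_uniform() patch in Comment #10 does without depending on libbsd. It takes bytes from /dev/urandom and applies the same rejection rule arc4random_uniform(3) uses, so the 62-way choice carries no modulo bias. The function names (rand_password, urandom_bytes, uniform_below, csprng_password), the pluggable byte-source type, and the FIXED_BYTES stream used to exercise the rejection step offline are all mine and not part of Cherokee.

```c
/* Added example (not Cherokee's code): CSPRNG-backed temporary-password generator
 * with bias-free alphabet selection, beside the seed-reproducible rand() scheme. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ALPHA_NUM "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
#define ALPHA_NUM_LEN ((uint32_t)(sizeof(ALPHA_NUM) - 1)) /* 62 symbols */
#define TMP_PASS_LEN 16

/* The weak scheme from the thread: the whole password is a function of one
 * 32-bit seed, so anyone who can reproduce the seed reproduces the password. */
void rand_password(unsigned int seed, char *dst, size_t len)
{
    srand(seed);
    for (size_t i = 0; i < len; i++)
        dst[i] = ALPHA_NUM[rand() % ALPHA_NUM_LEN];
    dst[len] = '\0';
}

/* Pluggable byte source (assumed interface) so the sampling logic is testable. */
typedef int (*rng_fn)(uint8_t *buf, size_t n);

/* Production source: /dev/urandom. Returns 0 on success, -1 on error. */
int urandom_bytes(uint8_t *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0) {
            close(fd);
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Uniform integer in [0, upper) with the arc4random_uniform(3) rejection rule:
 * 32-bit draws below (2^32 mod upper) are discarded so every residue is equally likely. */
int uniform_below(uint32_t upper, rng_fn rng, uint32_t *out)
{
    if (upper < 2) {
        *out = 0;
        return 0;
    }
    uint32_t min = (uint32_t)(0u - upper) % upper; /* == 2^32 mod upper */
    for (;;) {
        uint8_t b[4];
        if (rng(b, sizeof b) != 0)
            return -1;
        uint32_t r = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
                     ((uint32_t)b[2] << 8) | (uint32_t)b[3];
        if (r >= min) {
            *out = r % upper;
            return 0;
        }
    }
}

/* Hardened generator: one independent CSPRNG draw per character; dst needs len + 1 bytes. */
int csprng_password(char *dst, size_t len, rng_fn rng)
{
    for (size_t i = 0; i < len; i++) {
        uint32_t n;
        if (uniform_below(ALPHA_NUM_LEN, rng, &n) != 0)
            return -1;
        dst[i] = ALPHA_NUM[n];
    }
    dst[len] = '\0';
    return 0;
}

/* Constructed byte stream for checking the rejection step offline: for upper = 62,
 * 2^32 mod 62 is 4, so the draw 0x00000002 must be skipped and 0x00000043 (67) accepted. */
static const uint8_t FIXED_BYTES[] = {0, 0, 0, 2, 0, 0, 0, 67};
static size_t fixed_pos;

int fixed_bytes(uint8_t *buf, size_t n)
{
    if (fixed_pos + n > sizeof FIXED_BYTES)
        return -1;
    memcpy(buf, FIXED_BYTES + fixed_pos, n);
    fixed_pos += n;
    return 0;
}

size_t fixed_bytes_consumed(void) { return fixed_pos; }

int main(void)
{
    char weak1[TMP_PASS_LEN + 1], weak2[TMP_PASS_LEN + 1], strong[TMP_PASS_LEN + 1];
    rand_password(1234u, weak1, TMP_PASS_LEN);
    rand_password(1234u, weak2, TMP_PASS_LEN);
    printf("rand() seeded twice with 1234: %s %s (%s)\n", weak1, weak2,
           strcmp(weak1, weak2) == 0 ? "identical" : "different");
    if (csprng_password(strong, TMP_PASS_LEN, urandom_bytes) == 0)
        printf("CSPRNG password: %s\n", strong);
    return 0;
}
```

The rejection threshold is where the difference from the original code lies: rand()%62 maps 2^31 outputs onto 62 symbols, which is not an even split, whereas discarding the few draws below 2^32 mod 62 leaves a multiple of 62 outcomes. The bias is small next to the guessable seed, but the fix costs nothing once the source is a CSPRNG.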
# 6

12-08-2011 07:45 PM
Comment #11 on issue 1212 by pavel.l...@gmail.com: weak temp admin password generation
http://code.google.com/p/cherokee/issues/detail?id=1212

Is somebody interested in solving this issue? I want to close the bug in Fedora bugzilla (for Fedora and EPEL), so I'm curious if someone plans to solve it.
# 7

12-08-2011 07:57 PM
Updates:
Status: Fixed

Comment #12 on issue 1212 by alobbs: weak temp admin password generation
http://code.google.com/p/cherokee/issues/detail?id=1212

This issue was fixed a while ago. I forgot to update the bug report.