Date: Thu, 15 Nov 2007 01:04:53 GMT From: Robert Woolley <freebsd-pr0711@mlists.homeunix.com> To: freebsd-gnats-submit@FreeBSD.org Subject: kern/118062: /dev/random can be sniffed by an unprivileged user Message-ID: <200711150104.lAF14rRf078830@www.freebsd.org> Resent-Message-ID: <200711150110.lAF1A13S081814@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 118062 >Category: kern >Synopsis: /dev/random can be sniffed by an unprivileged user >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Thu Nov 15 01:10:01 UTC 2007 >Closed-Date: >Last-Modified: >Originator: Robert Woolley >Release: 6.2 >Organization: >Environment: FreeBSD gumby.homeunix.com. 6.2-RELEASE-p8 FreeBSD 6.2-RELEASE-p8 #2: Mon Nov 12 20:52:59 GMT 2007 root@gumby.homeunix.com.:/usr/obj/data/FreeBSD-src/sys/MUSTARD i386 >Description: It's possible for an unprivileged user to make /dev/random replay part of its most recent output. (This applies to Yarrow, not the hardware version.) The first read must be 32 bytes or more, and the second 31 bytes or fewer. The worst case is when 32 bytes (256 bits) are followed by 31 bytes. It also appears to be possible, in theory, for an attacker to manipulate the state of the Yarrow implementation to maximize the number of replayed bytes, reducing 256 bits of entropy to 8bits. (it's actually easier to follow in the source) >How-To-Repeat: $ dd if=/dev/random bs=32 count=1 2> /dev/null | hexdump ; dd if=/dev/random bs=31 count=1 2> /dev/null | hexdump 0000000 0ba3 af33 40ee b94e 0142 26f7 6ba1 3eba 0000010 38f6 3314 de4d 58a2 8f2a c4c1 b400 47f7 0000020 0000000 6ba1 3eba 38f6 3314 de4d 58a2 8f2a c4c1 0000010 b400 47f7 f937 985c 7f77 a7ae 8640 007c Note that the sequence "6ba1 3eba 38f6 3314 de4d 58a2 8f2a c4c1 b400 47f7" appears in both outputs. This might have to be run a few times if something else is reading from /dev/random. >Fix: The problem occurs in sys/dev/random/yarrow.c:random_yarrow_read() This function handles requests based on the number of bytes requested. If less than 32 bytes, the random data is read out of a static buffer (genval[]) - keeping track of the remaining bytes in a variable called "cur". When cur is zero, the Yarrow cipher refills genval. When larger requests are made, the genval buffer is immediately overwritten by the Yarrow cipher and copied into the output buffer. The is repeated until the request is satisfied. The problem is that this block of code leaves "cur" unmodified. This may cause the next request to reuse part of genval that's already been written-out. cur should be set to the number of unused bytes (or just zeroed). See patch. Patch attached with submission follows: --- yarrow.c.orig Wed Nov 14 22:46:01 2007 +++ yarrow.c Wed Nov 14 22:48:54 2007 @@ -297,6 +297,7 @@ generator_gate(); random_state.outputblocks = 0; } + cur = (int)sizeof(random_state.counter) - (int)tomove; retval += (int)tomove; } } >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200711150104.lAF14rRf078830>