Re: Jetty Session ID Prediction

To: NGSSoftware Insight Security Research <nisr@xxxxxxxxxxxxxxx>
Subject: Re: Jetty Session ID Prediction
From: Michal Zalewski <lcamtuf@xxxxxxxxxxxx>
Date: Mon, 5 Feb 2007 20:42:14 +0100 (CET)
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <45C732AC.7060607@xxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <45C732AC.7060607@xxxxxxxxxxxxxxx>

On Mon, 5 Feb 2007, NGSSoftware Insight Security Research wrote:

> Jetty generates a 64-bit session id by generating two 32-bit numbers in
> this way, so we end up with an encoded 64-bit integer. By decoding the
> integer and splitting it into its two component 32-bit integers, we can
> easily brute-force the generator's internal state.

Why on earth would you want to brute-force it?

http://www.springerlink.com/content/9jkp3179mj6fwh6m/s
http://dsns.csie.nctu.edu.tw/research/crypto/HTML/PDF/C89/138.PDF

Cheers,
/mz

Follow-Ups:
- Re: Jetty Session ID Prediction
  - From: Amit Klein

References:
- Jetty Session ID Prediction
  - From: NGSSoftware Insight Security Research

Prev by Date: Sql injection bugs in Virtuemart and Letterman
Next by Date: Sql injection bugs in Joomla and Mambo
Previous by thread: Re: Jetty Session ID Prediction
Next by thread: Re: Jetty Session ID Prediction
Index(es):
- Date
- Thread