4. premise
● About Ruby OpenSSL wrapper (OpenSSL::
Random)
● OpenSSL PRNG must be initialized in the
parent before we fork the child processes
● Every child starts out with exactly the same
PRNG
● PID is the only thing process-specific that is
fed to the PRNG algorithm when requesting
random bytes
7. But...
● Debian guys commented MD_Update call
with UNINITIALISED variable
● We believe that they did the right thing ;)
8. non-Debian systems
● Vulnerability exists in all system (Debian and
non-Debian also)
● Exploitation possibility depends only from
end-point code (application, not OpenSSL)
● There are two different places for buf:
○ Stack
○ Heap
● Let’s try to hack it!
9. stack-based PoC (all OS)
https://github.com/ONsec-Lab/Rand-
attacks/blob/master/openssl-1.c
from different
calls to the same
==
from different
stack states to
the same!
11. other attacks
● i.e. PHP initialize RAND after fork
● But classic attacks way still available
○ Keep-Alive -> rands on same PID
○ Brute seed by rands
○ Predict rand by seed + offset
● What about entropy of OpenSSL RAND?
○ 128 bytes * 20 (GID*UID) * 32k (PID)
○ Not so little :(