
The problem, with facts

Well, things have finally calmed down regarding the OpenSSL problems. Not that it’s necessarily bad to see that many posts and news. One can actually think it’s a good thing problems are addressed and discussed, but I was starting to get tired of reading nothing more than a bunch of complaints.

News flash: Shit happens!

I actually had a big text about the package maintainer, the severity of the problem, etc, etc, etc written, but it’s better to just be quiet, since I can’t do it any better.

Exploitation

After reading so much about it, I was intrigued by how the super-easy-because-of-the-32,767-possible-outcomes-to-crack attack would work, and hdm (from Metasploit) answered that in a great paper:

http://metasploit.com/users/hdm/tools/debian-openssl/

The keys were generated and made available:

http://sugar.metasploit.com/debian_ssh_dsa_1024_x86.tar.bz2
http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2

And a script to use them has been published to Milw0rm:

http://milw0rm.com/exploits/5622

After giving it a try on an unpatched virtual machine, I understood the real severity of the problem.
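The 32,767 figure above is the whole point: when the only entropy feeding the key generator is the process id, there are at most 32,767 keys per key type and size, so a defender can precompute every fingerprint once and check installed keys against that list (which is what Debian's openssh-blacklist package and the ssh-vulnkey tool did). The following is an added example, not code from this post, from Metasploit or from Debian. It uses a constructed toy "PID-only" key generator standing in for the broken OpenSSL RNG (it produces no real keys), builds the fingerprint blacklist from it, and audits constructed authorized_keys lines the way an administrator would.

```python
import base64
import hashlib
import struct

# A PID on 2008-era Linux is at most 32767, which is the size of the key space
# the post refers to.
MAX_PID = 32767


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in OpenSSH public key blobs."""
    return struct.pack(">I", len(data)) + data


def toy_weak_keyblob(pid: int, key_type: str = "ssh-rsa") -> bytes:
    """Constructed stand-in for a key generator whose only entropy is the PID.

    This is NOT the OpenSSL/Debian code; it only reproduces the shape of the
    flaw: the same pid always yields the same 'key', so the whole space can be
    enumerated. The body is a fake single field, not a real RSA public key.
    """
    seed = hashlib.sha256(b"constructed-toy-prng|" + key_type.encode() +
                          struct.pack(">I", pid)).digest()
    return _ssh_string(key_type.encode()) + _ssh_string(seed)


def fingerprint(blob: bytes) -> str:
    """MD5 hex fingerprint of a key blob (what ssh-keygen -l showed in 2008)."""
    return hashlib.md5(blob).hexdigest()


def build_blacklist(key_type: str = "ssh-rsa") -> frozenset:
    """Fingerprints of every key the toy generator can produce for one type."""
    return frozenset(fingerprint(toy_weak_keyblob(pid, key_type))
                     for pid in range(1, MAX_PID + 1))


def parse_authorized_key(line: str):
    """Parse 'type base64blob [comment]' into (type, blob, comment).

    Lines with leading options (from=..., command=...) are not handled here.
    """
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode("ascii", "replace") != key_type:
        raise ValueError("blob type does not match declared type")
    return key_type, blob, comment


def audit_authorized_keys(lines, blacklist):
    """Return (line_no, status, label) for every key line; status is
    'WEAK' when the fingerprint is in the blacklist, 'ok' otherwise."""
    findings = []
    for n, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            key_type, blob, comment = parse_authorized_key(stripped)
        except ValueError as exc:
            findings.append((n, "unparseable", str(exc)))
            continue
        status = "WEAK" if fingerprint(blob) in blacklist else "ok"
        findings.append((n, status, comment or key_type))
    return findings


BLACKLIST = build_blacklist("ssh-rsa")


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode("ascii")


# Constructed sample authorized_keys contents: one key from the toy weak
# generator, one key that did not come from it, and one junk line.
WEAK_LINE = "ssh-rsa " + _b64(toy_weak_keyblob(1234)) + " alice@laptop"
GOOD_BLOB = (_ssh_string(b"ssh-rsa") +
             _ssh_string(hashlib.sha256(b"constructed-good-key").digest()))
GOOD_LINE = "ssh-rsa " + _b64(GOOD_BLOB) + " bob@desktop"
SAMPLE_AUTHORIZED_KEYS = ["# constructed sample file", WEAK_LINE, GOOD_LINE, "garbage"]

if __name__ == "__main__":
    print(f"blacklist holds {len(BLACKLIST)} fingerprints")
    for n, status, who in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(f"line {n}: {status:11s} {who}")
```

Building the list takes well under a second here because the toy generator is a hash; the real blacklists were built by actually running the broken OpenSSL for every PID, key type and size, which is exactly why the precomputed key archives linked above fit in a single tarball. The audit reports a hit for the PID-1234 key and passes the independently generated one, and flags lines it cannot parse instead of silently skipping them.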

2 Comments

  1. Vadim P. wrote:

    I myself am amazed at the speed at which all of this was handled. I saw the blog posts, an Ubuntu update, and a Launchpad email all within 12 hours. Amazing.

    Posted on 15-May-08 at 7:50 pm
  2. Gouki wrote:

    Indeed Vadim. There will always be bugs; what makes Debian so good is the way things are handled. That’s what we have to appreciate, and not make stupid comments like the ones I read:

    “I’m going back to Windoze!”

    Posted on 15-May-08 at 7:53 pm

Site last updated: July 22, 2008 | Page last updated:  July 6, 2008