Re: Issues regarding ruby-rack/CVE-2019-16782
- To: Ola Lundqvist <ola@inguza.com>
- Cc: Ola Lundqvist <ola@inguza.com>, Utkarsh Gupta <guptautkarsh2102@gmail.com>, Debian Security Team <team@security.debian.org>, Debian LTS <debian-lts@lists.debian.org>
- Subject: Re: Issues regarding ruby-rack/CVE-2019-16782
- From: Brian May <bam@debian.org>
- Date: Tue, 10 Mar 2020 17:17:58 +1100
- Message-id: <875zfcybqh.fsf@silverfish.pri>
- In-reply-to: <CABY6=0=ZO1mtPDH3cL1h+gT0LwR48OfkxuwSLW3A1MnjVer8bA@mail.gmail.com>
- References: <5cfc2ed4-5b07-1b2c-5997-4b104e281491@gmail.com> <87wo8vj6nc.fsf@silverfish.pri> <CABY6=0mXd6jV1Dpb-X=CUZOpakC1CekGNOvOQK+MYy4ZjZtoUw@mail.gmail.com> <87r1z1k3ux.fsf@silverfish.pri> <CABY6=0kovrOPLyRgKOUp-0McC=VpBgawqDMBosjL81qq2on-EA@mail.gmail.com> <87o8u4johh.fsf@silverfish.pri> <CABY6=0nTzFzcHfcJkCOafp+HAZ0wiVMKgHQzJS1OzEu0iY-a_g@mail.gmail.com> <87lfp5kbjv.fsf@silverfish.pri> <CABY6=0krVCyAwf=M0njTNbCW_Lj5JeeNK1Aksnj8VZJ52_GJjA@mail.gmail.com> <87d0acxorm.fsf@silverfish.pri> <CABY6=0=ZO1mtPDH3cL1h+gT0LwR48OfkxuwSLW3A1MnjVer8bA@mail.gmail.com>
Ola Lundqvist <ola@inguza.com> writes:
> Precisely. This is why I was asking about the length of the session id
> used. With the length we can estimate how many times an attacker may try to
> find all possible values.
> If this is small enough (and the attacker is close enough) it can be
> exploited. But if the session key is really large, then there is no way
> that this can be done in practice even with years of tries.
If I understand this code correctly, from reading it:
https://github.com/rack/rack/blob/18f708b5b691f0219be35e453dbb7ef8397060c9/lib/rack/session/abstract/id.rb
The default size of a sid is intended to be 128 bits, or 32 hex digits long.
However, this value is created by SecureRandom.hex() - see
https://ruby-doc.org/stdlib-2.5.1/libdoc/securerandom/rdoc/SecureRandom.html,
which actually takes a parameter with the number of bytes, not the number of
digits. So when we pass this function 32, we actually get 32 bytes (= 256
bits), or 64 digits.
irb(main):007:0> p SecureRandom.hex(1)
"82"
=> "82"
irb(main):006:0> p SecureRandom.hex(2)
"5fad"
=> "5fad"
--
Brian May <bam@debian.org>
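As an added check of the bytes-versus-digits point in the message above (example code, not Rack's own code and not part of the thread): this mirrors the sid derivation as the message reads it, so that the intended and actual entropy of a default session id can be compared. RACK_DEFAULT_SID_BITS and the function names are assumptions made for this example.

```ruby
require 'securerandom'

# Default the message refers to (assumed constant name, mirrors sid_bits = 128).
RACK_DEFAULT_SID_BITS = 128

# Hypothetical re-implementation of the derivation described in the message:
# Rack turns sid_bits into a hex-digit count, but SecureRandom.hex treats its
# argument as a BYTE count, so the generated id is twice as long as intended.
def rack_style_sid(sid_bits = RACK_DEFAULT_SID_BITS)
  sid_length = sid_bits / 4          # intended number of hex digits
  SecureRandom.hex(sid_length)       # hex(n) returns n bytes = 2n hex digits
end

# What a sid carrying exactly sid_bits of entropy would look like:
# pass a byte count (sid_bits / 8) to SecureRandom.hex instead.
def intended_sid(sid_bits = RACK_DEFAULT_SID_BITS)
  SecureRandom.hex(sid_bits / 8)
end

# Compare the configured intent with what the generated id actually carries.
def sid_entropy(sid_bits = RACK_DEFAULT_SID_BITS)
  sid = rack_style_sid(sid_bits)
  {
    intended_bits: sid_bits,
    intended_hex_digits: intended_sid(sid_bits).length,
    hex_digits: sid.length,
    actual_bits: sid.length * 4,     # each hex digit encodes 4 bits
    hex_only: sid.match?(/\A[0-9a-f]+\z/)
  }
end

if __FILE__ == $0
  puts SecureRandom.hex(1)  # 2 hex digits from 1 byte, as in the irb session
  puts SecureRandom.hex(2)  # 4 hex digits from 2 bytes
  p sid_entropy             # default config: 64 hex digits, 256 bits
end
```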