[Full-disclosure] Leveraging pam_env to steal DSA keys
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Leveraging pam_env to steal DSA keys
- From: Peter van Dijk <peter@xxxxxxxx>
- Date: Mon, 30 May 2011 20:30:38 +0200
Hello,
regarding http://www.ubuntu.com/usn/usn-1140-1/ posted today (originally
documented as http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3435),
what the notices do not mention is that this attack, under certain
circumstances, can lift enough key material from a private DSA key to
reconstruct the whole key in feasible time.
More information in my article at
http://7bits.nl/projects/pamenv-dsakeys/pamenv-dsakeys.html
Related blogpost at
http://7bits.nl/blog/2011/05/30/from-symlinks-to-private-keys
Comments or questions, please post a comment at the blog post or mail me
privately.
Kind regards,
Peter van Dijk
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/