[BusyBox 0000604]: passwd doesn't use salt with md5 passwords
bugs at busybox.net
Tue Jan 10 09:58:03 UTC 2006
A NOTE has been added to this issue.
======================================================================
http://busybox.net/bugs/view.php?id=604
======================================================================
Reported By: taviso
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 604
Category: Security
Reproducibility: always
Severity: minor
Priority: normal
Status: assigned
======================================================================
Date Submitted: 12-19-2005 02:30 PST
Last Modified: 01-10-2006 01:58 PST
======================================================================
Summary: passwd doesn't use salt with md5 passwords
Description:
MD5 encrypted passwords are usually generated using
crypt("password", "$1$SALT");
where SALT is some random characters; however, the busybox passwd command
seems to use
crypt("password", "$1$"); (i.e., no salt).
======================================================================
----------------------------------------------------------------------
taviso - 12-19-05 05:43
----------------------------------------------------------------------
Obviously not using a salt is a bad idea, as rainbow tables have been
demonstrated as an effective attack against unsalted passwords.
The fix is easy enough: just construct a salt that concatenates "$1$" and
crypt_make_salt() (/loginutils/passwd.c).
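The behaviour described above, as an added example that is neither BusyBox's code nor the patch attached to this issue: a pure-hashlib md5crypt (the crypt(3) "$1$" algorithm, reimplemented so the example runs without libcrypt), a make_salt() stand-in for crypt_make_salt(), and a verify() that reads the salt back out of a stored hash. With the setting "$1$" two users with the same password get the same hash string; with "$1$" + salt they do not.

```python
import hashlib
import secrets

# crypt(3)'s 64-character output/salt alphabet
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def make_salt(length=8):
    """Random salt from crypt's alphabet: a stand-in for BusyBox's crypt_make_salt()."""
    return "".join(chr(secrets.choice(ITOA64)) for _ in range(length))

def md5crypt(password, setting):
    """crypt(3)-compatible MD5 hash. setting is "$1$" + salt; "$1$" alone means no salt."""
    pw = password.encode()
    salt = setting[3:].split("$")[0][:8].encode()      # crypt uses at most 8 salt chars
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:                                       # mix alt in, 16 bytes per step
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                                           # md5crypt's bit-walk over len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                              # 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    def to64(v, n):                                    # little-endian base-64 as in crypt
        return "".join(chr(ITOA64[(v >> (6 * k)) & 0x3F]) for k in range(n))

    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return "$1$" + salt.decode() + "$" + out + to64(final[11], 2)

def verify(password, stored):
    """Recompute with the salt embedded in the stored hash and compare in constant time."""
    return secrets.compare_digest(md5crypt(password, stored), stored)
```

The unsalted form comes out as "$1$$<hash>", which is exactly the string a reader would see in /etc/shadow on an affected system; a salted entry carries its salt between the second and third "$".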
----------------------------------------------------------------------
robang74 - 01-10-06 01:58
----------------------------------------------------------------------
This patch reduces size, fixes the issue (standard 16-bit and short SALT MD5
are both supported) and increases randomness of password generation and
i64c conversion.
Login/Password Management Utilities ---> all yes, for both:
[roberto at wsraf busybox]$ size busybox ../busybox.13222/busybox
text data bss dec hex filename
260328 2404 31716 294448 47e30 busybox
260348 2408 31748 294504 47e68 ../busybox.13222/busybox
The patch at least compiles; it is not tested (I do not have a bb test suite
including passwd & co. yet).
Issue History
Date Modified Username Field Change
======================================================================
12-19-05 02:30 taviso New Issue
12-19-05 02:30 taviso Status new => assigned
12-19-05 02:30 taviso Assigned To => BusyBox
12-19-05 05:43 taviso Note Added: 0000800
01-10-06 01:55 robang74 File Added: passwd_1.patch
01-10-06 01:55 robang74 Issue Monitored: robang74
01-10-06 01:58 robang74 Note Added: 0000911
======================================================================