[BusyBox 0000604]: passwd doesnt use salt with md5 passwords

bugs at busybox.net bugs at busybox.net
Fri Apr 21 00:45:56 UTC 2006


A NOTE has been added to this issue. 
====================================================================== 
http://busybox.net/bugs/view.php?id=604 
====================================================================== 
Reported By:                taviso
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   604
Category:                   Security
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     assigned
====================================================================== 
Date Submitted:             12-19-2005 02:30 PST
Last Modified:              04-20-2006 17:45 PDT
====================================================================== 
Summary:                    passwd doesnt use salt with md5 passwords
Description: 
md5 encrypted passwords are usually generated using

crypt("password", "$1$SALT");

where SALT is some random characters, however the busybox passwd command
seems to use

crypt("password", "$1$"); (ie, no salt).

====================================================================== 

---------------------------------------------------------------------- 
 taviso - 12-19-05 05:43  
---------------------------------------------------------------------- 
obviously not using a salt is a bad idea as rainbow tables have been
demonstrated as an effective attack aginst unsalted passwords.

The fix is easy enough, just construct a salt that concatenates "$1$" and
crypt_make_salt() (/loginutils/passwd.c) 

---------------------------------------------------------------------- 
 robang74 - 01-10-06 01:59  
---------------------------------------------------------------------- 
This patch reduce size, fix the issue (standard 16bit and short SALT MD5
are both supported) and increase randomness about password generation and
i64c conversion. 

 Login/Password Management Utilities  --->    all yes, for both two:

[roberto at wsraf busybox]$ size busybox ../busybox.13222/busybox
   text    data     bss     dec     hex filename
 260328    2404   31716  294448   47e30 busybox
 260348    2408   31748  294504   47e68 ../busybox.13222/busybox

 patch at least compile, it is not tested (I have not a bb test suite
including passwd&co, yet).

 Information about MD5, SALT and password generation was found here:

 http://www.cafesoft.com/CSDigest/createDigest.do
 http://www.itl.nist.gov/fipspubs/fip46-2.htm
 http://perfec.to/gensalt

 

---------------------------------------------------------------------- 
 taviso - 03-29-06 14:25  
---------------------------------------------------------------------- 
this is CVE-2006-1058, please quote this reference in changelogs etc.

I'm attaching a minimal patch that's tested and works here. 

---------------------------------------------------------------------- 
 solar - 04-20-06 17:45  
---------------------------------------------------------------------- 
Fixed in revision 14930. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
12-19-05 02:30  taviso         New Issue                                    
12-19-05 02:30  taviso         Status                   new => assigned     
12-19-05 02:30  taviso         Assigned To               => BusyBox         
12-19-05 05:43  taviso         Note Added: 0000800                          
01-10-06 01:55  robang74       File Added: passwd_1.patch                    
01-10-06 01:55  robang74       Issue Monitored: robang74                    
01-10-06 01:58  robang74       Note Added: 0000911                          
01-10-06 01:59  robang74       Note Edited: 0000911                         
01-17-06 01:25  mdeschamps     Issue Monitored: mdeschamps                    
03-29-06 14:25  taviso         Note Added: 0001205                          
03-29-06 14:25  taviso         File Added: passwd.diff                      
04-20-06 17:45  solar          Note Added: 0001310                          
======================================================================




More information about the busybox-cvs mailing list