[Bug 6296] chpasswd salt has security issues

bugzilla at busybox.net bugzilla at busybox.net
Sun Feb 9 14:45:11 UTC 2014


--- Comment #1 from Denys Vlasenko <vda.linux at googlemail.com> 2014-02-09 14:45:10 UTC ---
(In reply to comment #0)
> The chpasswd command gets the salt value from the stack.  That is, it's
> declared in chpasswd_main as:
> char salt[sizeof("$N$XXXXXXXX")];
> After this instruction, salt is never initialized (unless using md5sum
> mode)--at which point the first 3 characters are set to $1$.  The salt is then
> passed to pw_encrypt, which uses it.

> It seems like, on a lot of linux systems, we'd be far better off using a random
> salt from /dev/random or /dev/urandom rather than just directly off the stack. 
> It's likely possible to infer what the value of the salt is off the stack.

It is initialized by crypt_make_salt():

                if (!(opt & OPT_ENC)) {
                        char salt[sizeof("$N$XXXXXXXX")];

                        crypt_make_salt(salt, 1); /* <==== */
                        if (opt & OPT_MD5) {
                                salt[0] = '$';
                                salt[1] = '1';
                                salt[2] = '$';
                                crypt_make_salt(salt + 3, 4); /* <==== */
                        }
                        free_me = pass = pw_encrypt(pass, salt, 0);

which sets two first bytes to random chars from the

If OPT_MD5, then salt is set to "$1$rrrrrrrr" where r's are similarly
generated 8 random chars. (The string isn't NUL terminated, it's not a bug).

Am I missing something?

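An added illustration, not part of the bug thread and not BusyBox's crypt_make_salt(): one way to build the "$1$" + 8-character salt discussed above from /dev/urandom, as comment #0 proposes. The names read_urandom and make_md5_salt and the fail-closed error handling are assumptions of this example.

```c
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* crypt(3) salt alphabet: 64 characters, so 6 random bits select one. */
static const char SALT_CHARS[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Read exactly len bytes from /dev/urandom. Returns 0 on success, -1 on error. */
static int read_urandom(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    size_t got = 0;

    if (fd < 0)
        return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0) {           /* error or unexpected EOF: fail closed */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/*
 * Hypothetical helper (not a BusyBox function): fill out with
 * "$1$" + 8 random salt characters + NUL. outlen must be >= 12.
 * Returns 0 on success, -1 on failure; after a read failure out is "".
 */
int make_md5_salt(char *out, size_t outlen)
{
    unsigned char rnd[8];
    size_t i;

    if (outlen < sizeof("$1$XXXXXXXX"))
        return -1;
    out[0] = '\0';              /* never leave stale stack bytes behind */
    if (read_urandom(rnd, sizeof(rnd)) != 0)
        return -1;
    memcpy(out, "$1$", 3);
    for (i = 0; i < sizeof(rnd); i++)
        out[3 + i] = SALT_CHARS[rnd[i] & 0x3f];  /* 256 % 64 == 0: no bias */
    out[3 + sizeof(rnd)] = '\0';
    return 0;
}
```

A caller must check the return value and refuse to hash the password when it is -1.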