BusyBox Bug and Patch Tracking
BusyBox
Main | My View | View Issues | Change Log | Docs
  

Viewing Issue Simple Details Jump to Notes ] View Advanced ] Issue History ] Print ]
ID Category Severity Reproducibility Date Submitted Last Update
0000604 [BusyBox] Security minor always 12-19-05 02:30 06-11-06 10:26
Reporter taviso View Status public  
Assigned To BusyBox
Priority normal Resolution fixed  
Status closed   Product Version
Summary 0000604: passwd doesnt use salt with md5 passwords
Description md5 encrypted passwords are usually generated using

crypt("password", "$1$SALT");

where SALT is some random characters, however the busybox passwd command seems to use

crypt("password", "$1$"); (ie, no salt).
Additional Information
Attached Files  passwd_1.patch [^] (2,638 bytes) 01-10-06 01:55
 passwd.diff [^] (806 bytes) 03-29-06 14:25

- Relationships

- Notes
(0000800)
taviso
12-19-05 05:43

 obviously not using a salt is a bad idea as rainbow tables have been demonstrated as an effective attack aginst unsalted passwords.

The fix is easy enough, just construct a salt that concatenates "$1$" and crypt_make_salt() (/loginutils/passwd.c)
 
(0000911)
robang74
01-10-06 01:58
edited on: 01-10-06 01:59

 This patch reduce size, fix the issue (standard 16bit and short SALT MD5 are both supported) and increase randomness about password generation and i64c conversion.

 Login/Password Management Utilities ---> all yes, for both two:

[roberto@wsraf busybox]$ size busybox ../busybox.13222/busybox
   text data bss dec hex filename
 260328 2404 31716 294448 47e30 busybox
 260348 2408 31748 294504 47e68 ../busybox.13222/busybox

 patch at least compile, it is not tested (I have not a bb test suite including passwd&co, yet).

 Information about MD5, SALT and password generation was found here:

 http://www.cafesoft.com/CSDigest/createDigest.do [^]
 http://www.itl.nist.gov/fipspubs/fip46-2.htm [^]
 http://perfec.to/gensalt [^]
 
(0001205)
taviso
03-29-06 14:25

 this is CVE-2006-1058, please quote this reference in changelogs etc.

I'm attaching a minimal patch that's tested and works here.
 
(0001310)
solar
04-20-06 17:45

 Fixed in revision 14930.
 
(0001311)
solar
04-21-06 01:10

 closing bug for now with the patch from taviso applied.
Rob Landley has a planned rewrite for passwd handling which I expect
we will see in the near future.
 
(0001411)
bernhardf
06-11-06 10:26

 reopen to be able to close it.
Folks, please "close" bugs and not set their status to "fixed". If you do the latter, then the bug will still show up as to be acted upon (will show up in the overview page).

TIA
 

- Issue History
Date Modified Username Field Change
12-19-05 02:30 taviso New Issue
12-19-05 02:30 taviso Status new => assigned
12-19-05 02:30 taviso Assigned To  => BusyBox
12-19-05 05:43 taviso Note Added: 0000800
01-10-06 01:55 robang74 File Added: passwd_1.patch
01-10-06 01:55 robang74 Issue Monitored: robang74
01-10-06 01:58 robang74 Note Added: 0000911
01-10-06 01:59 robang74 Note Edited: 0000911
01-17-06 01:25 mdeschamps Issue Monitored: mdeschamps
03-29-06 14:25 taviso Note Added: 0001205
03-29-06 14:25 taviso File Added: passwd.diff
04-20-06 17:45 solar Note Added: 0001310
04-21-06 01:10 solar Status assigned => resolved
04-21-06 01:10 solar Fixed in Version  => 1.2.x
04-21-06 01:10 solar Resolution open => fixed
04-21-06 01:10 solar Note Added: 0001311
06-11-06 10:26 bernhardf Status resolved => feedback
06-11-06 10:26 bernhardf Resolution fixed => reopened
06-11-06 10:26 bernhardf Note Added: 0001411
06-11-06 10:26 bernhardf Status feedback => closed
06-11-06 10:26 bernhardf Resolution reopened => fixed

Copyright © 2000 - 2006 Mantis Group
Powered by Mantis Bugtracker