busybox: insecure password generation [LWN.net]

Package(s):

busybox

CVE #(s):

CVE-2006-1058

Created:

May 5, 2006

Updated:

May 2, 2007

Description:

The BusyBox 1.1.1 passwd command does not use a proper salt when generating passwords. This would create an instance where a brute force attack could take very little time.

Alerts:

Red Hat	RHSA-2007:0244-02	2007-05-01
Fedora	FEDORA-2006-511	2006-05-04
Fedora	FEDORA-2006-510	2006-05-04

(Log in to post comments)

busybox: insecure password generation

Posted May 11, 2006 22:32 UTC (Thu) by landley (guest, #6789) [Link]

This is not a "new vulnerability". Salting passwords is something busybox
never did (in its entire history) until now. Probably because the whole
point of the /etc/shadow file is to be readable only by root, so attackers
have to crack root in order to grab a copy of the file in the first place.

Salt's been added to svn and will be in the 1.1.3 release, but it's
questionable how worked up about it to get. If somebody's grabbed a copy
of your shadow file, salt just slows them down. (And not that much; a
modern laptop can grind through a 6 character md5 password, randomly
distributed among 100 or so typable chacters, in about a day.)

busybox: insecure password generation

Posted May 3, 2007 7:02 UTC (Thu) by nix (subscriber, #2304) [Link]

I suppose it's useful if you're using something like NIS where your entire
password file is visible to the world.

(Mind you if you're using NIS you probably don't care much about security
anyway, or you're hiding screaming in the corner hoping nothing bites
you...)