
busybox: insecure password generation

Package(s): busybox
CVE #(s): CVE-2006-1058
Created: May 5, 2006
Updated: May 2, 2007
Description: The BusyBox 1.1.1 passwd command does not use a proper salt when hashing passwords. Without a per-user salt, a single guess hashed once can be compared against every entry in a stolen password file, precomputed hash tables apply directly, and users who chose the same password get the same hash, so a brute force attack against the file can succeed in very little time.
Alerts:
Red Hat  RHSA-2007:0244-02  busybox  2007-05-01
Fedora   FEDORA-2006-511    busybox  2006-05-04
Fedora   FEDORA-2006-510    busybox  2006-05-04


busybox: insecure password generation

Posted May 11, 2006 22:32 UTC (Thu) by landley (subscriber, #6789)

This is not a "new vulnerability". Salting passwords is something busybox
never did (in its entire history) until now. Probably because the whole
point of the /etc/shadow file is to be readable only by root, so attackers
have to crack root in order to grab a copy of the file in the first place.

Salt's been added to svn and will be in the 1.1.3 release, but it's
questionable how worked up about it to get. If somebody's grabbed a copy
of your shadow file, salt just slows them down. (And not that much; a
modern laptop can grind through a 6 character md5 password, randomly
distributed among 100 or so typable characters, in about a day.)
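The cost difference that the advisory description and the comment above are about can be made concrete with a small model. This is an added example, not code from the original page, from BusyBox or from either commenter: it uses a single MD5 over salt+password as a stand-in for crypt(3)'s $1$ scheme (which iterates MD5 in a more involved way), and the user names, passwords, salts and wordlist are all constructed for the demonstration.

```python
"""Added example: why an unsalted password hash is cheap to crack offline.

Simplified model of the salted-vs-unsalted difference. hash_pw() is a
stand-in for crypt(3): a real $1$ hash iterates MD5 many times, but the
cost comparison below does not depend on that detail.
"""
import hashlib
import secrets
import string

# Salt alphabet used by crypt(3); no '$' in it, so it can be our separator.
SALT_CHARS = string.ascii_letters + string.digits + "./"

# Constructed users and passwords: root and bob reuse the same password.
USERS = [("root", "secret1"), ("alice", "hunter2"), ("bob", "secret1")]
# Constructed wordlist standing in for an attacker's dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "secret1", "dragon"]


def hash_pw(password: str, salt: str) -> str:
    """Return 'salt$hexdigest'. An empty salt models the unsalted case."""
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def new_salt(length: int = 8) -> str:
    """Random salt from the crypt(3) alphabet."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def make_shadow(users, salted: bool) -> dict:
    """Shadow-style {user: stored_hash}, with or without per-user salts."""
    return {u: hash_pw(pw, new_salt() if salted else "") for u, pw in users}


def crack(shadow: dict, wordlist) -> tuple:
    """Offline dictionary attack on every entry.

    Returns (recovered {user: password}, number of hash computations).
    Entries are grouped by salt: one hash per candidate checks every entry
    that shares a salt, so unsalted files cost one hash per candidate in
    total, while distinct salts cost one hash per candidate per user.
    """
    by_salt: dict = {}
    for user, stored in shadow.items():
        salt, _ = stored.split("$", 1)
        by_salt.setdefault(salt, []).append((user, stored))

    recovered, work = {}, 0
    for candidate in wordlist:
        for salt, entries in by_salt.items():
            work += 1
            guess = hash_pw(candidate, salt)
            for user, stored in entries:
                if stored == guess:
                    recovered[user] = candidate
    return recovered, work


def demo() -> dict:
    """Run the attack against an unsalted and a salted file and compare."""
    unsalted = make_shadow(USERS, salted=False)
    salted = make_shadow(USERS, salted=True)
    found_u, work_u = crack(unsalted, WORDLIST)
    found_s, work_s = crack(salted, WORDLIST)
    return {
        # Password reuse is visible from the file alone when unsalted.
        "unsalted_reuse_visible": unsalted["root"] == unsalted["bob"],
        "salted_reuse_visible": salted["root"] == salted["bob"],
        "unsalted_work": work_u,
        "salted_work": work_s,
        "distinct_salts": len({h.split("$", 1)[0] for h in salted.values()}),
        "all_recovered": found_u == found_s == dict(USERS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The work counter is the whole story: a salt multiplies the attacker's effort by the number of distinct salts in the file and stops one precomputed table from serving every entry, but it does not raise the cost of a single hash, which is why a fast hash stays quick to grind through even when salted.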

busybox: insecure password generation

Posted May 3, 2007 7:02 UTC (Thu) by nix (subscriber, #2304)

I suppose it's useful if you're using something like NIS where your entire
password file is visible to the world.

(Mind you if you're using NIS you probably don't care much about security
anyway, or you're hiding screaming in the corner hoping nothing bites

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds