Bug 9507
| Field | Value |
|---|---|
| Summary | mkpasswd script insecure |
| Product | [Retired] Red Hat Linux |
| Reporter | dharris |
| Component | tcltk |
| Assignee | Jens Petersen <petersen> |
| Status | CLOSED RAWHIDE |
| Severity | medium |
| Priority | high |
| Version | 7.1 |
| CC | mharris |
| Target Milestone | --- |
| Target Release | --- |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2001-06-15 03:28:15 UTC |
Description
dharris
2000-02-17 00:30:02 UTC
assigned to nalin

This script is part of the "expect" package. There is no bugzilla component for it. An "rpm -qi expect" reveals it is from the tcltk package so I am reassigning it there.

A report on bugtraq just surfaced about this, claiming to have reported this a long time ago. If we care about security at all I think we should either remove the script entirely, or fix it to be truly random. Personally I'd remove it as such scripts are never secure.

I have just confirmed that this script is totally garbage. I ran it all night, and out of 869570 generated passwords, only 32167 passwords are unique. Further generation of passwords will only generate duplicate passwords. Anyone knowing that a system is using this script to generate passwords can easily generate the 32167 passwords in a few hours and brute force attack a machine trivially both locally and remotely. Even if a potential intruder does not know if mkpasswd is being used, they could easily attempt a brute force attack anyway, and if it is being used, they are likely to compromise a user account. ISPs and other organizations that use such password generation are especially vulnerable.

I ran mkpasswd in a loop in the previous message. I stored all generated passwords in a file, sorted it removing duplicates, which I am attaching to the bug report. This is just to illustrate how trivially one could do the same.

Created attachment 15333: A file containing all passwords the insecure mkpasswd script will generate.

This problem is still present in RHL 7.1 - changing release number.

Changed the expect mkpasswd script to use the Linux device /dev/urandom (non-blocking /dev/random).

I just tested RHL 8.0 mkpasswd and it generated passwords for 2.5 hours in a forkbomb. ;o) It was hard to get out of the accidental forkbomb (8 of them actually) but I eventually did. ;o)

Results: 418260 passwords generated, and 418260 were unique. In other words, no password was ever duplicated in over 418260 attempts. I'd have to leave this going all night long to get better testing, but I have a feeling it is much more secure now.
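Added example, not code from the report or from the expect package: a Python harness that repeats the reporter's uniqueness test (run the generator many times, count distinct outputs) against a constructed low-entropy generator and a /dev/urandom-backed one, and flags a generator whose collision rate is impossible for its nominal key space. The alphabet, password length, seed space and threshold are assumptions, not the real script's parameters.

```python
import math
import random
import secrets
import string

# Constructed illustration, not the expect script from the report. The report's
# numbers (869570 runs, 32167 unique) are what a generator with a tiny seed
# space looks like; the fix reads /dev/urandom, which `secrets` also uses.
ALPHABET = string.ascii_letters + string.digits
PASSWORD_LEN = 9
NOMINAL_KEYSPACE = len(ALPHABET) ** PASSWORD_LEN


def weak_password(seed_space=32768):
    """Low-entropy generator: the PRNG is seeded from a value with only
    `seed_space` possibilities, so at most that many distinct passwords can
    ever be produced no matter how often it is run."""
    rng = random.Random(secrets.randbelow(seed_space))
    return "".join(rng.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def strong_password():
    """Every character comes from the OS CSPRNG (/dev/urandom on Linux)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def measure(generator, samples):
    """Run `generator` `samples` times and count distinct outputs: the same
    check the reporter did with a loop, a file and a sort removing duplicates."""
    seen = set()
    duplicates = 0
    for _ in range(samples):
        pw = generator()
        if pw in seen:
            duplicates += 1
        else:
            seen.add(pw)
    return {"samples": samples, "unique": len(seen), "duplicates": duplicates,
            "observed_bits": math.log2(len(seen)) if seen else 0.0}


def looks_degenerate(stats):
    """A sound generator over NOMINAL_KEYSPACE shows essentially no collisions
    at these sample sizes (birthday bound n^2 / 2K); repeated duplicates mean
    the real output space is far smaller than the nominal one."""
    n = stats["samples"]
    expected_collisions = n * (n - 1) / (2 * NOMINAL_KEYSPACE)
    return stats["duplicates"] > max(1.0, 10 * expected_collisions)


if __name__ == "__main__":
    for name, gen in (("weak", weak_password), ("strong", strong_password)):
        s = measure(gen, 20000)
        print(name, s, "DEGENERATE" if looks_degenerate(s) else "ok")
```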