Bug 219187 - A truncated md5 password in /etc/shadow is still valid.
A truncated md5 password in /etc/shadow is still valid.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam (Show other bugs)
4.4
All Linux
medium Severity low
: ---
: ---
Assigned To: Tomas Mraz
Jay Turner
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-12-11 14:51 EST by Chuck Berg
Modified: 2015-01-07 19:15 EST (History)
4 users (show)

See Also:
Fixed In Version: RHBA-2007-0300
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-01 13:24:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Proposed patch (614 bytes, patch)
2006-12-11 15:52 EST, Tomas Mraz
no flags Details | Diff

  None (edit)
Description Chuck Berg 2006-12-11 14:51:50 EST
Truncated md5 passwords in /etc/shadow are still be considered valid. Only the
beginning is compared, so a significantly truncated password can cause a huge
number of passwords to be valid.

To test:
Set root's shadow line to this:
root:$1$U57L.DJM$h:13473:0:99999:7:::

Now try to login as root using su or ssh. At least the following passwords work:
0
8
43
54
Comment 1 Tomas Mraz 2006-12-11 15:18:12 EST
Truncating the MD5 passwords in /etc/shadow could happen only by accident
(broken script run by admin or so).

So I don't think it is too serious problem.
Comment 3 Josh Bressers 2006-12-11 15:43:04 EST
This bug should not be called a security flaw.

While it appears it could have a security context, this really shouldn't.  No
known good tools will cause this condition to happen, which means that an admin
must run a third party tool over the shadow file, and apparently one that
produces untrusted data.  If an admin has a process producing untrustworthy
output that will be copied into the shadow file, there are other serious
problems, not just this.  md5 is known to be flawed in many ways, this is simply
one of them.
Comment 4 Tomas Mraz 2006-12-11 15:52:22 EST
Created attachment 143326 [details]
Proposed patch

This is a proposed patch to fix the problem.
Comment 5 Chuck Berg 2006-12-11 16:37:42 EST
Bug 207387 gives a good example why a person might need to develop their own
tools to edit /etc/passwd and /etc/shadow, or edit manually.

As an actual security issue, an attacker who already has root can modify a
user's password so that the original password still works, but also some
additional ones.  If a lot of effort has been taken to lock a system down, an
attacker might find this to be the most viable method of preserving remote
access. Since pwck doesn't complain, it could easily be missed even though the
admin thinks he is checking for this kind of thing.
Comment 6 Carl Speare 2006-12-11 16:42:46 EST
"This bug should not be called a security flaw."

su and sshd don't care too much about truncated passwords, and accept a 
password potentially very different from the intended password. That isn't a 
security problem?

So while the source of the problem is exceedingly rare and controlled, the 
resulting hole is undetectable (pwck ***never*** complains) and wide enough to 
make a system insecure. (Unless having multiple passwords for root isn't a 
security problem.)
Comment 7 Josh Bressers 2006-12-11 16:52:57 EST
If you're using md5 passwords, root has multiple passwords.  It's the nature of
md5 passwords.  They're known to be weak against collision attacks.  If you're
worried about anything being able to accept a password which is different than
the intended one, don't use MD5 password hashes.

I can be convinced that this should be considered a security flaw, but these
current arguments are stretches.  This bug simply highlights the inherent
weakness of MD5 and why it should not be used.
Comment 8 Chuck Berg 2006-12-13 09:55:11 EST
If MD5 has inherent weaknesses that mean it should be never used, will we be
offered a more secure password hash?

Not that the choice of hash is in any way relevant to this bug. (except that the
comments surrounding it indicate that it was introduced due to the requirement
to support multiple hashes).
Comment 9 Tomas Mraz 2006-12-13 10:07:04 EST
The inherent weaknesses of MD5 are not critical in case of password hashes. The
problem with this bug is that truncating the MD5 password enlarges the weakness
by many orders of magnitude.

However that doesn't change anything on the evaluation of this problem - it is
not a security flaw because it doesn't give any advantage to an attacker on a
system which is not broken by admin action first.

Also an attacker who already has a root can do just anything on your system so
this is not a situation we can guard against.
Comment 11 RHEL Product and Program Management 2006-12-19 05:23:55 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 12 Jay Turner 2006-12-19 07:40:51 EST
QE ack for RHEL4.5.
Comment 16 Red Hat Bugzilla 2007-05-01 13:24:59 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0300.html

Note You need to log in before you can comment on or make changes to this bug.