Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 18 Dec 2005 17:39:42 +0000
From: Tavis Ormandy <taviso@....lonestar.org>
To: john-users@...ts.openwall.com
Subject: saltless passwords

Hey, I've recently had to attempt recovery of passwords from a
system that uses busybox, a popular utility for embedded and space
constrained linux distributions, <http://www.busybox.net/>.

For some reason, possibly unintentionally, the `passwd` utility provided
by busybox does not use a salt when the md5 algorithm is selected (the
default). This results in encrypted password fields in the format:

$1$$I2o9Z7NcvQAKp7wyCTlia0

Which crypt() will happily generate at least on glibc, uclibc and bsd
libc, however john will not accept it.

$ echo "root" | openssl passwd -stdin -1 -salt ""
$1$$oCLuEVgI1iAqOA8pwkzAg1
$ cat passwd.test
root:$1$$oCLuEVgI1iAqOA8pwkzAg1:::::::
$ john passwd.test
Loaded 0 passwords, exiting...

this check from valid() in MD5_fmt.c seems to be responsible:

if (!*pos || pos < &ciphertext[4] || pos > &ciphertext[11]) return 0;

removing the `pos < &ciphertext[4]` test is enough to allow john to
process the passwd file:

$ john passwd.test 
Loaded 1 password (FreeBSD MD5 [32/32])
root             (root)
guesses: 1  time: 0:00:00:00 100% (1)  c/s: 1.00  trying: root

Unless there's a good reason for this check, as at least one passwd
implementation in use doesnt seem to generate a salt, maybe this check
should be removed?

Thanks for any advice, Tavis.

-- 
-------------------------------------
taviso@....lonestar.org | finger me for my pgp key.
-------------------------------------------------------

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ