Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Password Security :: mkpasswd.htm

Redhat mkpasswd creates easily brutable passwords



    RedHat 6.2, 7.0


    'Shez'  found  following.   The  mkpasswd  password generator that
    ships in the ``expect'' package of (at least RedHat 6.2) generates
    only  a  relatively  small  number  (2^15 for the default password
    length) of passwords.   Presumably this is  a result of  trying to
    apply  too  many  rules  of  what  is  a  ``good'' password to the
    generation process.

    Simple test:

        while [ 1 ] ; do mkpasswd >> /tmp/shez/passwords ; done
        sleep 16000 # this is long enough to demonstrate enough on my machine
        wc -l /tmp/shez/passwords
        sort -u /tmp/shez/passwords | wc -l

    This was reported this to redhat last year some time.

    Same goes for RedHat 7.0

        wc -l /tmp/passwords
        sort -u /tmp/passwords | wc -l

    From a quick read of  the program code, mkpasswd seeds  its random
    number generator from the process id, which means that the  number
    of different passwords  is controlled by  PID_MAX (which seems  to
    be 0x8000 on current linux systems).

    Due to a fault in  expect (the interpreter that runs  the mkpasswd
    script) it  is trivially  easy to  cause arbitrary  commands to be
    executed by someone else.  (under RH7.0 anyway)

    The search path for libs for it includes /var/tmp/.

    Check out

    for details, and

    for an exploit.   (Although the 1st  is marked as  a duplicate  of
    the  2nd,  as  one  of  the  notes  mentions they cover completely
    different areas.  Also note  that the severity ratings of  both of
    them are blank?)


    Fix is kinda available.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH