Vulnerability

mkpasswd

Affected

RedHat 6.2, 7.0

Description

'Shez' found the following. The mkpasswd password generator that ships in the ``expect'' package of (at least RedHat 6.2) generates only a relatively small number (2^15 for the default password length) of passwords. Presumably this is a result of trying to apply too many rules of what is a ``good'' password to the generation process. Simple test:

    # run the generator loop in the background so the commands below can execute
    while [ 1 ] ; do mkpasswd >> /tmp/shez/passwords ; done &
    sleep 16000 # this is long enough to demonstrate enough on my machine
    kill $!     # stop the background loop before counting
    wc -l /tmp/shez/passwords
    113544
    sort -u /tmp/shez/passwords | wc -l
    32193

This was reported to redhat last year some time. Same goes for RedHat 7.0:

    wc -l /tmp/passwords
    188859
    sort -u /tmp/passwords | wc -l
    32166

From a quick read of the program code, mkpasswd seeds its random number generator from the process id, which means that the number of different passwords is controlled by PID_MAX (which seems to be 0x8000 on current linux systems).

Due to a fault in expect (the interpreter that runs the mkpasswd script) it is trivially easy to cause arbitrary commands to be executed by someone else (under RH7.0 anyway). The search path for libs for it includes /var/tmp/. Check out

    http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=28224

for details, and

    http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=22187

for an exploit. (Although the 1st is marked as a duplicate of the 2nd, as one of the notes mentions they cover completely different areas. Also note that the severity ratings of both of them are blank?)

Solution

Fix is kinda available.
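
The PID-seeding problem described above can be modelled to show why the unique count stops just under PID_MAX no matter how long the loop runs. This is an added example, not mkpasswd's own code. The generator functions, the 9-character length, the alphabet and the restart PID of 300 are assumptions of the model. Python's random module stands in for the script's PRNG, and the secrets module shows the corrected pattern.

```python
import random
import secrets
import string

PID_MAX = 0x8000     # PID ceiling quoted in the advisory
FIRST_PID = 300      # assumed restart point after the PID counter wraps
LENGTH = 9           # assumed password length for this model
ALPHABET = string.ascii_letters + string.digits


def pid_seeded_password(pid):
    """Flawed pattern: the process ID is the only input to the PRNG seed."""
    rng = random.Random(pid)
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))


def csprng_password():
    """Corrected pattern: each character is drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))


def distinct_pid_seeded(runs):
    """Replay the advisory's loop: each run gets the next PID, wrapping at PID_MAX."""
    seen, pid = set(), FIRST_PID
    for _ in range(runs):
        seen.add(pid_seeded_password(pid))
        pid = pid + 1 if pid + 1 < PID_MAX else FIRST_PID
    return len(seen)


def distinct_csprng(runs):
    """Same loop with the corrected generator."""
    return len({csprng_password() for _ in range(runs)})


if __name__ == "__main__":
    runs = 113544    # line count reported in the advisory's RedHat 6.2 test
    print("PID-seeded distinct:", distinct_pid_seeded(runs))
    print("CSPRNG distinct:    ", distinct_csprng(runs))
```

The model does not reproduce the exact 32193 and 32166 figures, since real PID allocation also skips IDs held by other processes, but it saturates below 0x8000 in the same way.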