Date: Sun, 28 Jun 1998 00:13:13 +0900 (JST) From: Just Another Perl Hacker <japh@gol.com> To: FreeBSD-gnats-submit@FreeBSD.ORG Subject: bin/7090: crypt(3) partially returns raw password when salt isn't null-terminated Message-ID: <199806271513.AAA26526@mew.gol.ad.jp>
next in thread | raw e-mail | index | archive | help
>Number: 7090
>Category: bin
>Synopsis: crypt(3) partially returns raw password when salt isn't null-terminated
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Jun 27 08:20:00 PDT 1998
>Last-Modified:
>Originator: Junichi Kurokawa, AKA Just Another Perl Hacker
>Organization:
Global Online Japan Corporation, Tokyo
>Release: FreeBSD 2.2.6-RELEASE i386
>Environment:
FreeBSD 2.2.6-RELEASE, with MD5 based libcrypt
>Description:
MD5 based crypt(3) in libcrypt.{a,so.maj.min} as distributed
by FreeBSD returns a portion of the password in the clear,
when the salt isn't terminated by a null character.
Example:
crypt("abcdefgh","YX") returns <$1$YXabcdef$.tHXoLufzR8OYyH4BBghm1
^^^^^^
This problem surfaces when an application that assumes a salt
is an array of two characters with no trailing null character
calls crypt(3). Such an example is xlock(1), with USE_XLOCKRC
defined in the compilation.
This is actually an operating system problem of FreeBSD that
can cause any C based application to reproduce; however, only
FreeBSD seems to have both this problem shown herein, and an
implementation of crypt(3) that does not assume that a salt is
a two bytes array with no terminating null character.
DESfied crypt(3) therefore does not exhibit this problem.
Also, FreeBSD's /usr/bin/passwd(1) command puts a null
character with a salt correctly when calling crypt(3).
>How-To-Repeat:
The following code demonstrates that a portioin of the raw
password is exposed in an output of crypt(3).
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define PW "abcdefgh"
int
main(int argc, char** argv)
{
char pw[sizeof PW];
char salt[2];
strncpy(pw,PW,sizeof PW);
salt[0]='Y';
salt[1]='X';
fprintf(stdout,"password is <%s>.\n",pw);
fprintf(stdout,"salt is <%s>.\n",salt);
fprintf(stdout,"crypt(3) returned <%s>.\n",crypt(pw,salt));
return EXIT_SUCCESS;
}
% ./followingcode
password is <abcdefgh>.
salt is <YXabcdefgh>.
crypt(3) returned <$1$YXabcdef$.tHXoLufzR8OYyH4BBghm1>.
The salt seen at the second line should merely have been <YX>,
as well as the salt contained in the crypt(3)'s output which
is followed by a portion of the raw password.
>Fix:
Workaround: always terminate a salt with a null character.
Modify the source of an application when necessary.
Real Fix: refrain any use of crypt(3) altogether, until a
meaningful replacement of crypt(3) is implemented;
e.g. md5_crypt(3) as opposed to des_crypt(3), such that a salt
is wholelly copied onto the stack instead of pointed by a
pointer when passed to md5_crypt(3).
Comment to Maintainer: should I submit md5_crypt(3)?
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199806271513.AAA26526>