alpine 3.6
crypto weakness #58

Risk level: 4

Weakness Breakdown


Definition:

This weakness involves creating non-standard or non-tested algorithms, using weak algorithms or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly later found to be unsafe, as the algorithms were broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

util-linux/src/util-linux-2.28.2/login-utils/sulogin.c

Context:

The trigger point of this particular Alpine 3.6 crypto weakness is the call crypt(answer, passwd) in the else branch below: sulogin hashes the password typed at the rescue prompt with the stored root hash as the salt and compares the result with pwd->pw_passwd using strcmp(). The warning text describes the traditional DES crypt, which truncates the password to 8 characters and derives its 12-bit salt from only 2 characters. crypt(3) in musl, Alpine's libc, chooses the algorithm from the prefix of the stored hash ($1$, $2a$/$2b$/$2y$, $5$, $6$), so whether this comparison is actually weak depends on how root's hash in /etc/shadow was generated rather than on sulogin itself; a stored hash with no such prefix is a DES hash and should be regenerated with a modern scheme.

		switch ((con->pid = fork())) {
		case 0:
			mask_signal(SIGCHLD, SIG_DFL, NULL);
			/* fall through */
		nofork:
			setup(con);
			while (1) {
				const char *passwd = pwd->pw_passwd;
				const char *answer;
				int failed = 0, doshell = 0;
				int deny = !opt_e && locked_account_password(pwd->pw_passwd);

				doprompt(passwd, con, deny);

				if ((answer = getpasswd(con)) == NULL)
					break;
				if (deny)
					exit(EXIT_FAILURE);

				/* no password or locked account */
				if (!passwd[0] || locked_account_password(passwd))
					doshell++;
				else {
					const char *cryptbuf;
					/* algorithm is selected by the salt prefix of passwd */
					cryptbuf = crypt(answer, passwd);
					if (cryptbuf == NULL)
						warn(_("crypt failed"));
					else if (strcmp(cryptbuf, pwd->pw_passwd) == 0)
						doshell++;
				}

				if (doshell) {
					sushell(pwd);
					failed++;
				}

				mask_signal(SIGQUIT, SIG_IGN, &saved_sigquit);
				mask_signal(SIGTSTP, SIG_IGN, &saved_sigtstp);
				mask_signal(SIGINT,  SIG_IGN, &saved_sigint);

				if (failed) {
					fprintf(stderr, _("Can not execute su shell\n\n"));
					break;
				}
				fprintf(stderr, _("Login incorrect\n\n"));
			}
			if (alarm_rised) {
				tcfinal(con);
				warnx(_("Timed out\n\n"));
			} 
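The warning above only matters when the hash sulogin passes to crypt(3) is a traditional DES string. The following is an added example, not code from util-linux or Alpine, that classifies the password field of shadow-style entries by its salt prefix so an auditor can find root entries that would still be verified with the 8-character, 2-character-salt DES scheme. The prefix-to-scheme table follows the crypt(5) conventions (which schemes a given libc actually implements varies; the classifier reports only the prefix), the shadow lines are constructed samples with placeholder hash values, and the function names are the example's own.

```c
/* Added example (not util-linux code): classify the hash field that
 * sulogin hands to crypt(answer, passwd). Prefix table follows crypt(5);
 * sample shadow lines below are constructed, not from a real system. */
#include <stdio.h>
#include <string.h>

enum hash_scheme {
    HASH_EMPTY,     /* empty field: no password required              */
    HASH_LOCKED,    /* "!" or "*" prefix: account locked              */
    HASH_DES,       /* traditional DES: 13 chars, 2-char salt, 8-char limit */
    HASH_MD5,       /* $1$ */
    HASH_BCRYPT,    /* $2a$ / $2b$ / $2y$ */
    HASH_SHA256,    /* $5$ */
    HASH_SHA512,    /* $6$ */
    HASH_YESCRYPT,  /* $y$ */
    HASH_UNKNOWN
};

static const struct { const char *prefix; enum hash_scheme scheme; } prefixes[] = {
    { "$1$", HASH_MD5 },    { "$2a$", HASH_BCRYPT }, { "$2b$", HASH_BCRYPT },
    { "$2y$", HASH_BCRYPT }, { "$5$", HASH_SHA256 }, { "$6$", HASH_SHA512 },
    { "$y$", HASH_YESCRYPT },
};

/* Characters permitted in a traditional DES crypt string: [a-zA-Z0-9./]. */
static int is_des_char(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '/';
}

enum hash_scheme classify_hash(const char *pw)
{
    size_t i, len;

    if (pw == NULL || pw[0] == '\0')
        return HASH_EMPTY;
    if (pw[0] == '!' || pw[0] == '*')
        return HASH_LOCKED;
    if (pw[0] == '$') {
        for (i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++)
            if (strncmp(pw, prefixes[i].prefix, strlen(prefixes[i].prefix)) == 0)
                return prefixes[i].scheme;
        return HASH_UNKNOWN;
    }
    /* No "$id$" prefix: only a 13-character DES string is a valid hash. */
    len = strlen(pw);
    if (len != 13)
        return HASH_UNKNOWN;
    for (i = 0; i < len; i++)
        if (!is_des_char(pw[i]))
            return HASH_UNKNOWN;
    return HASH_DES;
}

/* 1 when crypt(3) will verify this field with the weak DES algorithm. */
int is_weak_des_hash(const char *pw)
{
    return classify_hash(pw) == HASH_DES;
}

/* Number of candidate characters crypt(3) actually uses: DES silently
 * discards everything after the 8th, so a long passphrase buys nothing. */
size_t effective_password_len(const char *pw_hash, const char *candidate)
{
    size_t n = strlen(candidate);

    if (classify_hash(pw_hash) == HASH_DES && n > 8)
        return 8;
    return n;
}

/* Constructed sample /etc/shadow lines; hash values are placeholders. */
static const char *const sample_shadow[] = {
    "root:$6$Zk3wq1Lp$c0nstructedSHA512placeholder:19000:0:99999:7:::",
    "legacy:abJnggxhB/yWI:19000:0:99999:7:::",
    "svc:!:19000:0:99999:7:::",
    "bin:*:19000:0:99999:7:::",
};
#define SAMPLE_SHADOW_N (sizeof sample_shadow / sizeof sample_shadow[0])

/* Count entries whose second field (the hash) uses the DES scheme. */
int count_weak_entries(const char *const *lines, size_t n)
{
    int weak = 0;
    size_t i;

    for (i = 0; i < n; i++) {
        const char *start = strchr(lines[i], ':');
        const char *end;
        char field[128];
        size_t len;

        if (start == NULL)
            continue;
        start++;
        end = strchr(start, ':');
        len = end ? (size_t)(end - start) : strlen(start);
        if (len >= sizeof field)
            len = sizeof field - 1;
        memcpy(field, start, len);
        field[len] = '\0';
        if (is_weak_des_hash(field))
            weak++;
    }
    return weak;
}

int main(void)
{
    printf("%d of %zu sample entries use DES crypt\n",
           count_weak_entries(sample_shadow, SAMPLE_SHADOW_N), SAMPLE_SHADOW_N);
    return 0;
}
```

Run against a real /etc/shadow only as root and on a trusted host; the check is read-only, but the file contents are sensitive. An entry reported as DES is the one case where the warning applies literally to sulogin's comparison, and the fix is to reset that password so the libc writes a $6$ (or stronger) hash.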

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.