Security Incidents mailing list archives

Re: FW: 33 character encrypted passwords in /etc/shadow


From: Paul Gear <paulgear () bigfoot com>
Date: Sat, 29 Jun 2002 10:13:11 +1000

Mike Denka wrote:

Thanks for all the responses to my original query.  It's pretty clear
that I missed the md5 encryption on newer versions of Red Hat which is
what got me sweating in the first place.

Thanks also for all the suggestions for checking file integrity on Red
Hat machines.  Looks like rpm verification and tripwire are the only
options next to having a non-connected machine with a fresh install
somewhere to compare against.  Too bad.  Not that those are terrible
options, but the Solaris Fingerprint database
(http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl) is a great tool.
Maybe someday we'll have similar tools for our favorite open source
O/S's.

Mike

Mike,

An MD5 checksum of the files is exactly what rpm -V does.  All you have to do
to get the same effect is keep a copy of your package files on read-only media
(i.e. burn a CD and keep it in the machine), and run the rpm -Vp against it
from cron each night.  Obviously you'll have to update the CD each time a
package is updated in the errata.  A CD-RW disk would probably be good for this
purpose (making sure it's mounted in a CD-ROM drive, not a burner) - matter of
fact, I might try that next time I get a chance.  :-)

A simple workaround to Stephen's suggestion that the rpm command could have
been modified is to keep a (preferably statically-linked) copy of the rpm
executable on the CD and run that instead of the copy in /bin.  Obviously,
someone could remove your script from the cron configuration if the system was
compromised, but there's no way of avoiding that.

Regards,
Paul

-----Original Message-----
From: Stephen Smoogen [mailto:smoogen () lanl gov]
Sent: Friday, June 28, 2002 9:42 AM
To: Mike Denka
Cc: incidents () securityfocus com
Subject: Re: 33 character encrypted passwords in /etc/shadow

If the 33 character passwords look like:

$1$blahblahblahblahblah

then the passwords are using MD5sum instead of old DES passwords.
Depending on the version of Red Hat Linux you are running this can come
from using the authconfig command and turning on MD5sum passwords.

If the password is in the form of
$2$blahblahblahblahblah

then it is a blowfish algorithm which I think only OpenBSD supports
currently (but my data is old on this).

The simplest way of checking your machine on Red Hat is to do a

rpm -Va

and look at the output. This checks the binaries on the system with what
was listed in the RPM database. This is a very simple check and prone to
being gotten around by good crackers. The next is to do the following:

If the machine has a cdrom, and you have the original media.. mount the
cdrom and do the following:

rpm -Vp <name of RPM package on cdrom> # to see if they played with RPM

so on my 7.3 machine:

smoogen:{RPMS}$ rpm -qf /usr/bin/passwd
passwd-0.67-1
root:{RPMS}# rpm -Vp passwd-0.67-1.i386.rpm

This will give you assurance that the packages as installed from Red Hat
Linux are there. However it will not tell you about packages/files that
aren't in RPM database... or if the rpm command itself had been altered..
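As an added example (not code posted by anyone in this thread), a small POSIX shell script that does the inspection Stephen describes by hand: it classifies each /etc/shadow entry by its hash prefix so DES, MD5, blowfish, locked and empty-password accounts stand out in one listing. The sample shadow lines are constructed (made-up salts and hashes), and the $2a$ prefix is the bcrypt variant OpenBSD settled on, an assumption beyond the bare $2$ mentioned in the thread.

```shell
#!/bin/sh
# Classify the hash field of /etc/shadow entries by prefix so that weak
# (DES), modern (MD5, blowfish), locked and empty entries can be audited.
# Shadow line layout: name:hash:lastchg:min:max:warn:inact:expire:flag

classify_hash() {
    h=$1
    case "$h" in
        '')              echo "EMPTY (no password!)" ;;
        '!'*|'*'*)       echo "LOCKED" ;;
        '$1$'*)          echo "MD5" ;;
        '$2$'*|'$2a$'*)  echo "BLOWFISH" ;;
        *)
            # Traditional DES crypt(3): 2-char salt + 11-char hash = 13 chars
            if [ "${#h}" -eq 13 ]; then
                echo "DES"
            else
                echo "UNKNOWN"
            fi ;;
    esac
}

# Read shadow-format lines on stdin; print "user type hash-length" per line.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s %s %d\n' "$user" "$(classify_hash "$hash")" "${#hash}"
    done
}

# Constructed sample file (salts and hashes are made up, not real credentials).
SAMPLE_SHADOW='root:$1$abcdefgh$0123456789abcdefghijkl:11866:0:99999:7:::
bin:*:11866:0:99999:7:::
legacy:ab0123456789X:11866:0:99999:7:::
guest::11866:0:99999:7:::
bsd:$2a$05$saltsaltsaltsaltsaltsaltsaltsaltsaltsaltsaltsaltsaltsal:11866:0:99999:7:::'

# On a real box (as root): audit_shadow < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

Any account reported as DES or EMPTY is the one to look at first; the MD5 entries are the 33/34-character hashes Mike asked about and are expected on a Red Hat system with MD5 passwords enabled.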

