Bugtraq mailing list archives

Re: Digital Unix 4 protected password database.


From: Alec.Muffett () UK SUN COM (Alec Muffett)
Date: Tue, 16 Mar 1999 22:43:56 +0000


     if (!strncmp(plaintext, ciphertext), ciphertext), 13) {

Could you fix those lines?  I'm a bit confused.  :)  Do you mean

      if (!strncmp(plaintext, ciphertext, 13)) {

It's part and parcel of a typo; apologies, I am suffering the after
effects of having bought my first home, unpacked myself, and am
completely pooped.  Attached is the correction I sent to the first
person who pointed it out.

        - alec

------------------------------------------------------------------

 To: Nate Lawson <nate () root org>
 Subject: Re: Digital Unix 4 protected password database.
 Date: Tue, 16 Mar 1999 12:20:59 +0000
 From: Alec Muffett <alecm@wmp-home>

    if (!strcmp(plaintext, ciphertext), ciphertext)) {

I'm not sure I understand your code example.  Did you mean to say
crypt(plaintext, salt) somewhere in there?

 Oops - typo:  Should read:

        if (!strcmp(crypt(plaintext, ciphertext), ciphertext)) {

 It is an old programmer mantra; since the salt is stored as the first two (or,
 generalised for new crypt() replacements, the first "N") characters of the
 ciphertext, then the ciphertext string *itself* can be passed in as the salt
 string, and the algorithm expected to extract what it needs.

 The joy of this mantra is that it is portable to newer crypt replacements
 which have ciphertexts that look *something* like this in the password file:

        root:$x$saltstring$resultingciphertexthash:0:0:Root User:/sbin/sh:

 ...where the "$" characters are used to delimit the arbitrary field lengths
 that are used, and the "x" is an integer or string mapping to an
 algorithm (MD5, SHA-1, some local variant) which the crypt() front-end can
 switch on, so you can have several different algorithms running in the same
 password file.

 If the first char of the pw_passwd field is *not* "$" then the crypt()
 frontend assumes that it is dealing with a traditional crypt() algorithm.

 Neat, huh?

 This should also illustrate how my poke-hack worked, if you think about it.

        - alec

 ps: you think I should post this to BUGTRAQ as a wider explanation?

 --
        alec muffett, sun professional services, alec.muffett @ uk.sun.com
      anything of importance in your life happened about 10 years ago - atx
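
The ciphertext-as-salt check and the "$x$salt$hash" dispatch described in the message above, as an added Python sketch (not code from the original post or from any crypt() implementation). The scheme ids "md5" and "sha1", the salt-prepended hashlib digest, the names parse_setting/toy_crypt/check_password and the sample entries are assumptions constructed for illustration; real crypt(3) formats and encodings differ.

```python
import hashlib
import hmac

# Hypothetical scheme ids for this sketch; real crypt(3) ids and encodings differ.
SCHEMES = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def parse_setting(setting):
    """Return (scheme, salt) from a bare salt string OR a full stored ciphertext."""
    if not setting.startswith("$"):
        # No leading "$": traditional crypt(), salt is the first two characters.
        return "traditional", setting[:2]
    parts = setting.split("$")  # "$x$salt$hash" -> ["", "x", "salt", "hash"]
    if len(parts) < 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed setting string")
    return parts[1], parts[2]


def toy_crypt(plaintext, setting):
    """crypt()-style front end: switch on the scheme id, ignore any trailing hash."""
    scheme, salt = parse_setting(setting)
    if scheme == "traditional":
        raise NotImplementedError("DES crypt is not part of this sketch")
    if scheme not in SCHEMES:
        raise ValueError("unknown scheme id: " + scheme)
    # One hash round keeps the sketch short; real schemes iterate.
    digest = SCHEMES[scheme]((salt + plaintext).encode()).hexdigest()
    return "$%s$%s$%s" % (scheme, salt, digest)


def check_password(plaintext, stored):
    """The mantra: pass the stored ciphertext itself as the salt argument."""
    try:
        candidate = toy_crypt(plaintext, stored)
    except (ValueError, NotImplementedError):
        return False  # fail closed on anything this sketch cannot recompute
    return hmac.compare_digest(candidate.encode(), stored.encode())


# Constructed entries: two algorithms side by side, as in one password file.
STORED = {
    "root": toy_crypt("hunter2", "$sha1$Qz8k"),
    "alice": toy_crypt("correct horse", "$md5$ab"),
}
```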


