Root Password Readable in Clear Text with Ubuntu 520
BBitmaster writes "An extremely critical bug and security threat was discovered in Ubuntu Breezy Badger 5.10 earlier today by a visitor on the Ubuntu Forums that allows anyone to read the root password simply by opening an installer log file. Apparently the installer fails to clean its log files and leaves them readable to all users. The bug has been fixed, and only affects The 5.10 Breezy Badger release. Ubuntu users, be sure to get the patch right away."
Re:Just in case (Score:2, Interesting)
Re:Open Password! (Score:5, Interesting)
Re:Saw this on Digg (Score:4, Interesting)
I know this rationale gives everybody the warm fuzzies, but this is still a really bone-headed mistake. You guys really shouldn't be this forgiving about it.
Re:Saw this on Digg (Score:5, Interesting)
Interestingly enough Microsoft did make pretty much the same mistake, with Microsoft SQL 7, both servicepack 1 & 2. They wrote the SQL administrator password to the installation log file, which would give you full access to any SQL database on the server. Written to a logfile in the TEMP folder, which by default has full read/write access for any user on the system.
Security bulletin: https://www.microsoft.com/technet/security/bullet
(The 'non-recommended' mode mentioned is using SQL authentication instead of windows NTLM authentication, which much more common then they try to make it sound)
Choose strong obscure passwords (Score:5, Interesting)
Many people know how to generate these special characters but I'll mention anyway: using the ALT/META key and the NUMPAD keys. Having a character map printout handy so you know the DEC (decimal) values of these special characters is a good idea if you decide to implement one of these passwords. Punch in ALT-DecimalValue with number lock on.
They may not work in some situations if special characters and not allowed, but you'd be surprised that they do work most often.
I bet most dictionary attacks don't run through many special characters. The cracker is lazy too and will probably not even consider that you chose a funny character which does not even exist on the keyboard.
Remember not to use NULL (#0) though, for crying out loud.
Re:But Ubuntu has no root account! (Score:1, Interesting)
Legal before security-the openssl vs netatalk mess (Score:5, Interesting)
The netatalk package, which provides Appletalk services (most commonly used servies are AFP, ie filesharing, and papd, the printing spooler), isn't compiled in with ANY encrypted password support. If you connect to a debian or debian-based appletalk fileserver, you get a warning you are transmitting your password in clear-text. Yes, we're jumping about 10 years BACKWARDS in security.
Why? Because the legal-circle-jerk that is the debian-legal mailing list, decided that it wasn't "legal" to link netatalk (a GPL project) to OpenSSL (license supposedly incompatible with GPL.) This doesn't stop every other distribution on the planet from compiling netatalk with openssl, and hence supporting encrypted passwords.
They politely suggested that GnuTLS, which isn't even remotely drop-in, be used instead. That was back in 2002...and the issue still hasn't been addressed. I filed a bug on it and the bug was simply ignored.
Re:Root password should never be recorded, ever (Score:3, Interesting)
I assume that the OpenBSD installer runs passwd to set the root password during installation, similar to NetBSD.
But if either of these OS's went to a graphical installer they would need to write a graphical passwd command which makes an effort to keep the plain text out of swap files, insecure memory, etc.
That's a big ask, IMHO. Which doesn't mean its ok to print the thing out, just that doing it properly is very hard.
But in this day and age of development frameworks, etc, there is less of a need for a programmer to think about the meaning of what he is reading from the UI. The backend programmer may assume that the UI guy understands about passwords, but he may not, to.
Does not apply to expert mode installs (Score:3, Interesting)
https://launchpad.net/distros/ubuntu/+bug/34606 [launchpad.net]
Re:Choose strong obscure passwords (Score:3, Interesting)
Null termination is evil. Every buffer overflow you read about is a side-effect of null termination which could be avoided -- at the cost of two bytes per every sixty-five-thousand bytes of string.
Re:Time From Discovery to Patch (Score:1, Interesting)
Personally, I stumbled on the flaw last month, completely by accident, reading logs on a system to which I have remote (unprivileged) access. Naturally I had to test the (enabled) root account to see if it worked. It did. So strike one for that whole "more eyes" thing. Posting anonymously for obvious reasons.
Re:Open Password! (Score:2, Interesting)
Re:Saw this on Digg (Score:5, Interesting)
You can't be root in Ubuntu; you have to consciously make the decision to run software as root by typing 'sudo' before it. (Actually you can run a shell under sudo, but still.) The idea was that since you can't login as root, the system is more secure and resists exploits that try to gain root access. This vulnerability is the kind of stupid mistake people make sometimes.
There is another stupid vulnerability I noticed in Ubuntu, which relates directly to the missing root password: If something goes wrong during system startup (e.g. a failed fsck), usually you are prompted for the root password to open the rescue console and fix the issue. Not so with Ubuntu: Since there is not root password, you will be thrown into a root shell without any hesitation. Kind of strange, is it? One could argue that once you have physical access to the system, you have a lot of possibilities to circumvent the system's security, but I found this issue to be rather harsh.
Re:Place it in context of surroundings (Score:2, Interesting)
Re:What does patch help? (Score:3, Interesting)
You think that--within one week of installing--someone who already has a valid login to your machine would have 0wned your box using this security hole? What, was it a server or something?
If it was just your desktop machine, then yeah, this is crappy, but it's hardly a disaster, and the odds are pretty good that not even one person running Ubuntu on a simple desktop machine was harmed by this at all.
If the problem is in the installer which is only run once, am I correct in assuming that using a 'dummy' password during the install and changing it afterwards will leave only the dummy password on disk?
Er, or you could just edit line 2140 (IIRC) of
Re:Choose strong obscure passwords (Score:3, Interesting)
Re:Does not apply to expert mode installs (Score:3, Interesting)
Re:Time From Discovery to Patch (Score:3, Interesting)
The bigger scare factor here is that the Ubuntu repos are presumably running Ubuntu. You can moan on about md5 security and RSA signatures, but when the private keys are readable all bets are off. Let's hope they run netBSD.
I should point out that while I am using breezy, I don't have this problem in my install log and neither did anyone else I know using Ubuntu. Probably because I installed it long long ago, before this particular vuln existed. Additionally, I've read it doesn't happen in dapper, the next version in testing. Oh, and calling Ubuntu's installer "graphical" would be far too generous.
Re:Solution (Score:1, Interesting)
Re:Use the right tool... (Score:4, Interesting)
Re:Saw this on Digg (Score:4, Interesting)
Encrypting the hard drive is an answer, but then you have the problem of where do you store the key to access it? If it's stored in the bootloader or the kernel then that can be extracted by the attacker if they have physical access to the system. This is basically the same as the DRM problem - you can encrypt the content but you always have to decrypt it to use it so you need the key stored somewhere and that is always a possible attack vector.
Also, you need to think very carefully about the ramifications of encrypting data - if you lose the key you're screwed.
Encrypting the hard drive using keys stored in Palladium is an option but it only protects you from someone removing the drive and installing it in another machine, and again - if you motherboard (with it's Palladium chip) blows up you're buggered.
Elitist is still better than business freeloader (Score:1, Interesting)
There is no kool-aid that creates software magically. Either
a) have competence to fix stuff yourself or
b) pay someone to fix them
Yes there is people who do stuff out of goodwill, but like you have found out, they work only on issues they find themsefl interesting, which (this seems to be a suprise for you..) might not be the problem your BUSINESS is seeing.
I have neither the time, ability, knowledge nor inclination necessary to run around fixing complex software.
Yet you have no problem making your LIVING using such software. There are people people who have those skills and would be happy to fix those pieces for your company for modest fees.
You are the only person gullible here, if you really think Free Software is perfect out of box for you specific business needs.
If you did not have that Asshat attitude, you would have noticed funding netatalk to use gnutls instead of being a license violation, would not cost much, and would give the warm fuzzy feeling of improving OSS world for everyone. But sure, use your worktime to whine slashdot to annoy and demotivate people. It might be as effective..
Re:"you should fix it" is elitist bullshit (Score:1, Interesting)
And yet for some reason you think that other people who have bothered to acquire the necessary skills should do the work for you, without being paid.
Where do you get off on expecting to get stuff you want for free?
With free software, the answer to your problem is "Go and pay somebody to fix it for you". That wouldn't be difficult, there are loads of people who will do this kind of work and it won't cost very much for simple bugs.
With proprietary software, the answer to your problem is usually "It is not economically viable for us to fix this bug. Put up with it." - and even if the vendor is willing to fix the bug, it's probably going to cost you a lot more money.
The point of free software is not that people do stuff you want for free. It's that the stuff you want is actually possible (maybe at some cost), where with proprietary software there is a good chance that the stuff you want is not possible.
Of course, like most grad student blowhards, you have zero comprehension of any of this.
Re:Choose strong obscure passwords (Score:3, Interesting)
The game would show the passcode as a series of periods ("."), replacing a random number of them with the actual codes. By using several of these devices, you could get several or all of the characters in the passcode by repeating the attempt.
A common defense was to use passcodes that consisted of periods, spaces, and alt-255, which on IBM-compatible systems of the time generated a character that looked onscreen like a space but wasn't.
This was especially effective if the attacker was on a system that couldn't easily generate the alt-255 character.