[Secure-testing-team] grub: Bootloader password with special chars does not work hashed by pbkdf2

Andreas Sperber andreas at sperbernest.de
Sun Feb 5 16:07:54 UTC 2017


Source: grub
Severity: important
Tags: security


Setting a bootloader password with special chars in it (at least ":" and
")") hashed by pbkdf2 does not work. On reboot, the password is not
accepted, although no errors were reported during setup process.

EXAMPLE: /etc/grub.d/40_custom

set superusers="user1,user2,user3"
# testPassword
password_pbkdf2 user1 grub.pbkdf2.sha512.10000.2ABB3F3C56A01E70191BB86E8941C37889802FD45DF66C0DC4C1B5AF5162675E944D962D27690E9417B2FD600C60EF34899B1D37C968302F0A9DB5AA92A509AA.F19BC9513049FD0BCB557C0EA22AA0B66BD703895364FD4A62E6AB528141D3B780906049B2FD1F2D86476698A3B94D58C62A23354C2A0170CFDCE93E8C557EAC
# testPasswor:d
password_pbkdf2 user2 grub.pbkdf2.sha512.10000.28F49DE1237C3984961855AD9AF73950C3D223B6CC0A7B1E0A43E6C032CB655F9D284A8ED5F2E431DB4B29561A19E8B3C756272FC4280F67C403E0980D7027EB.DBCAECCE38F2BFD929EC3DEFE76819BFA6877A18110F00087D4133FF65F40BF10CCC93C227EF7F37812FC5C44CC800606C5A6E2EA8B3CF72E52DB162877FD1E0
# testpasswor)d
password_pbkdf2 user3 grub.pbkdf2.sha512.10000.1D57E1E0EB33DEBF78E164C08F09B53A9265CE2F5E54D9A2C66D71FED83CC3AE5647AB1ECEB93E81339FEA4205520441071D250A7512CE0E89E1C76E1FB9377B.C866414C4F6F8904AACBDEB6D7789B0775D36BE9DDF729253B0813B4266593041693C2CD5E929D8C851E832E44A8932925EAD400E4E02A6684BB73B269CE40FF
export superusers


While the password for user1 works, the passwords for user2 and user3 do
not. This was also tested with different combinations.




-- System Information:
Debian Release: 8.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
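The following is an added example and not part of the bug report or of GRUB's own code. It reimplements the hash format that grub-mkpasswd-pbkdf2 emits (grub.pbkdf2.sha512.<iterations>.<salt>.<digest>, PBKDF2-HMAC-SHA512 with hex-encoded salt and digest) so that an entry pasted into /etc/grub.d/40_custom can be checked offline against the intended cleartext. That separates "the stored hash does not match the password I think I set" from "what I type at the boot prompt is not what I think I type", which is the first thing to establish with a report like the one above. The user1 hash from the report is embedded only to show that it parses to the expected shape; the sample config and the helper names (parse_grub_hash, make_grub_hash, verify_grub_hash, check_40_custom) are constructed for this example.

```python
"""Offline verification of GRUB password_pbkdf2 entries.

Added example, not from the bug report or from GRUB. The format is the one
grub-mkpasswd-pbkdf2 writes: "grub.pbkdf2.sha512.ITER.SALTHEX.DIGESTHEX",
PBKDF2-HMAC-SHA512, default 10000 iterations, 64-byte salt, 64-byte digest.
"""
import hashlib
import hmac
import os

PREFIX = "grub.pbkdf2.sha512."

# user1 entry copied verbatim from the bug report, split only for line length.
PAGE_USER1_HASH = (
    "grub.pbkdf2.sha512.10000."
    "2ABB3F3C56A01E70191BB86E8941C37889802FD45DF66C0DC4C1B5AF5162675E"
    "944D962D27690E9417B2FD600C60EF34899B1D37C968302F0A9DB5AA92A509AA."
    "F19BC9513049FD0BCB557C0EA22AA0B66BD703895364FD4A62E6AB528141D3B7"
    "80906049B2FD1F2D86476698A3B94D58C62A23354C2A0170CFDCE93E8C557EAC"
)


def parse_grub_hash(s):
    """Split a grub.pbkdf2.sha512 string into (iterations, salt bytes, digest bytes)."""
    if not s.startswith(PREFIX):
        raise ValueError("not a grub.pbkdf2.sha512 hash")
    iters, salt_hex, digest_hex = s[len(PREFIX):].split(".")
    return int(iters), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def make_grub_hash(password, iterations=10000, salt=None):
    """Build an entry in the same format; a 64-byte random salt is used unless one is given."""
    if salt is None:
        salt = os.urandom(64)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=64)
    return f"{PREFIX}{iterations}.{salt.hex().upper()}.{digest.hex().upper()}"


def verify_grub_hash(password, grub_hash):
    """True if the cleartext reproduces the stored digest; compared in constant time."""
    iterations, salt, digest = parse_grub_hash(grub_hash)
    candidate = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), salt, iterations, dklen=len(digest)
    )
    return hmac.compare_digest(candidate, digest)


def check_40_custom(config_text, passwords):
    """Walk 'password_pbkdf2 USER HASH' lines of a 40_custom-style config and
    report, per user, whether the supplied cleartext matches the stored hash.
    Users without a cleartext in `passwords` are skipped."""
    results = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "password_pbkdf2" and parts[1] in passwords:
            results[parts[1]] = verify_grub_hash(passwords[parts[1]], parts[2])
    return results


# Constructed sample: the three cleartexts named in the report, hashed here with
# fixed salts so the example is reproducible. These are NOT the report's hashes.
SAMPLE_PASSWORDS = {
    "user1": "testPassword",
    "user2": "testPasswor:d",
    "user3": "testpasswor)d",
}
SAMPLE_CONFIG = "\n".join(
    ['set superusers="user1,user2,user3"']
    + [
        f"password_pbkdf2 {user} {make_grub_hash(pw, salt=bytes([i]) * 64)}"
        for i, (user, pw) in enumerate(SAMPLE_PASSWORDS.items())
    ]
    + ["export superusers"]
)

if __name__ == "__main__":
    for user, ok in check_40_custom(SAMPLE_CONFIG, SAMPLE_PASSWORDS).items():
        print(f"{user}: {'match' if ok else 'MISMATCH'}")
    iters, salt, digest = parse_grub_hash(PAGE_USER1_HASH)
    print(f"report's user1 entry: {iters} iterations, {len(salt)}-byte salt, {len(digest)}-byte digest")
    print("report's user1 entry matches 'testPassword':",
          verify_grub_hash("testPassword", PAGE_USER1_HASH))
```

Run it against the real /etc/grub.d/40_custom by passing the file contents and the intended cleartexts to check_40_custom; a False for a user means the hash in the file never matched that password, whereas a True for a password that is still rejected at the boot prompt points at what GRUB receives from the keyboard rather than at the pbkdf2 step.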
