passwd-like credentials
ID | passwd_password
Severity | low
Vendor | -
Family | Password
Description

passwd files are files traditionally used for storage of user accounts in Unix systems. In modern Unix systems, the hashed password was moved to a separate file, /etc/shadow.

In the case of Apache, the password is stored in the .htpasswd file, and there is a specific detector for it.

Some tools like proftpd (file proftpdpasswd) and SAMBA (file smbpasswd) use this format for basic user account management.
Security

The password itself is hashed, with algorithms ranging from the insecure crypt() Unix function or MD5 hash to the more cryptographically robust bcrypt algorithm. The LANMAN hash stored in smbpasswd is not considered secure.

If any of these files is leaked, the passwords in it are usually hashed and cannot be used directly by attackers, but the hashes can be subjected to dictionary or even brute-force attacks. In other cases the hashed password itself can be used in the protocol to authenticate as the user, with no cracking or dictionary attack needed.
Examples

# Sample proftpdpasswd file
bob:$apr1$FaPCZHMe$jYiw5.9UevKx25pBH4AsT/:30:31::/home/bob:/bin/ftpsh
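The following scanner is an added example, not the detector's own code: it recognises passwd-style and smbpasswd-style lines, identifies the hash algorithm from its modular-crypt prefix (or the 13-character DES crypt() shape), and rates each stored credential. The ratings and the constructed sample lines (apart from the page's proftpdpasswd line) are the example's own assumptions.

```python
import re

# passwd-style fields: name:hash:uid:gid:gecos:home:shell; only the first two matter here.
PASSWD_RE = re.compile(r'^(?P<user>[^:\s]+):(?P<hash>[^:\s]{13,}):')
# smbpasswd fields: name:uid:LM_HASH:NT_HASH:[flags]:LCT-...
SMBPASSWD_RE = re.compile(
    r'^(?P<user>[^:\s]+):(?P<uid>\d+):(?P<lm>[0-9A-Fa-f]{32}):(?P<nt>[0-9A-Fa-f]{32}):')
# LM hash of the empty password; smbpasswd stores it when no LANMAN hash is kept.
EMPTY_LM = 'AAD3B435B51404EEAAD3B435B51404EE'
# Modular-crypt prefix -> (algorithm, rating). Ratings are this example's own
# judgement, mirroring the crypt()/MD5 vs bcrypt ordering given in the text.
PREFIXES = {
    '$1$': ('md5-crypt', 'weak'), '$apr1$': ('apache-md5', 'weak'),
    '$2a$': ('bcrypt', 'strong'), '$2b$': ('bcrypt', 'strong'), '$2y$': ('bcrypt', 'strong'),
    '$5$': ('sha256-crypt', 'moderate'), '$6$': ('sha512-crypt', 'moderate'),
}

def classify_hash(h):
    """Return (algorithm, rating) for one password-hash field."""
    for prefix, result in PREFIXES.items():
        if h.startswith(prefix):
            return result
    if re.fullmatch(r'[./0-9A-Za-z]{13}', h):  # traditional DES crypt(): 2-char salt + 11
        return ('des-crypt', 'insecure')
    return ('unknown', 'unknown')

def scan_lines(lines):
    """Scan passwd/smbpasswd-style text and return one finding per stored credential."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip('\n')
        if not line or line.startswith('#'):
            continue
        m = SMBPASSWD_RE.match(line)
        if m:  # a real LM hash means a LANMAN credential is stored alongside the NT hash
            has_lm = m.group('lm').upper() != EMPTY_LM
            findings.append({'line': n, 'user': m.group('user'), 'format': 'smbpasswd',
                             'algo': 'lanman+nt' if has_lm else 'nt',
                             'rating': 'insecure' if has_lm else 'weak'})
            continue
        m = PASSWD_RE.match(line)
        if m:  # 'x', '*' and '!' placeholders are too short to match, so shadowed lines are skipped
            algo, rating = classify_hash(m.group('hash'))
            findings.append({'line': n, 'user': m.group('user'), 'format': 'passwd',
                             'algo': algo, 'rating': rating})
    return findings

SAMPLE = [  # constructed input; line 2 is the page's own proftpdpasswd sample
    "# proftpdpasswd line from the page",
    "bob:$apr1$FaPCZHMe$jYiw5.9UevKx25pBH4AsT/:30:31::/home/bob:/bin/ftpsh",
    "# constructed lines below (hash values are dummies, not real credentials)",
    "root:x:0:0:root:/root:/bin/bash",
    "alice:$2y$10$" + "N" * 53 + ":1001:1001::/home/alice:/bin/sh",
    "carol:AbCdEfGhIjKlM:1002:1002::/home/carol:/bin/sh",
    "dave:1003:" + "A1" * 16 + ":" + "B2" * 16 + ":[U          ]:LCT-00000000:",
    "erin:1004:" + EMPTY_LM + ":" + "C3" * 16 + ":[U          ]:LCT-00000000:",
]
```

Running `scan_lines(SAMPLE)` reports bob (apache-md5, weak), alice (bcrypt, strong), carol (des-crypt, insecure), dave (lanman+nt, insecure) and erin (nt, weak), while the shadowed root line produces no finding.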
Mitigation / Fix

- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system (perhaps by regenerating the credentials).
- Remove the leaked file from the source code.
- Check access logs to ensure that the secret was not used by unintended actors during the compromised period.