Friday, December 22, 2017

Steam Link Security - Truncated Password - Part #1

I recently bought a Steam Link, and decided to take a look at the internals. So far, not great..

Valve uses a default SSH password of "steamlink", and reminds developers to change it.

Slight problem: Valve only thinks the password is "steamlink"'; it's actually "steamlin". Oops.

Slightly bigger problem: DES being used for BusyBox, and truncates passwords to have a length of only the first 8 characters.

Those who use words at the beginning of their passwords are extremely susceptible to wordlist attacks, as any entropy after the 8 character is irrelevant. As an example, if you changed the password to "development_qNmGYuCVGQTRm5gL" (which is more than random enough), the password actually gets truncated to a simple "develope".

As a temporary fix (provided by Evan Powers), users can manually force the root account to use SHA512 instead.

passwd -a sha512 root

Update #1: Valve tried to "fix" the problem by changing the documentation.. And still got even that wrong.

Update #2: CVE-2017-17878 has been assigned. No response from Valve yet.

No comments:

Post a Comment