Bug#305600: [Pkg-shadow-devel] Bug#305600: login is vulnerable to local phishing attacks

Tomasz Kłoczko <kloczek@zie.pg.gda.pl>, 305600@bugs.debian.org
Thu, 21 Apr 2005 03:48:07 +0200 (CEST)


On Thu, 21 Apr 2005, Gerhard Schrenk wrote:

> Package: login
> Version: 1:4.0.3-30.7
> Severity: important
> Tags: security
>
> Every local user can simply start a little program that imitates login and
> grabs the password pretending it's wrong. It's really hard for the average user
> to spot the difference and to make sure that he really didn't mistype the
> password. Most users have no read access to /var/log/auth.log and thus cannot
> check afterwards. If the attacker crashes X so that it doesn't restart
> (unreproducible but quite easy for users who have reached their quota limit...)
> and disable ssh (pulling of the network cable) you have good chances to get the
> password of your local admin/root.
>
> Proof of concept:
[..]

Using your sense of the word "vulnerable", anyone can also say that any of the
xdm, gdm, kdm applications is also "vulnerable", because you can write a
"little program" which will have the look & feel of the login prompt of any
program of this kind :)
Sorry, but this kind of "concept" like yours is as old as unices are :)

If you are right in naming this a "vulnerability", this will also be true: any
Home Banking portal is also "vulnerable" because you can write a "little
program" which will have the same/similar look & feel as the original Home
Banking portal (placing it in your opened X session as a web browser :)
Q: Is it true? A: of course not ..

Yes .. it can be a problem in some environments, but this is not a
login/gdm/xdm/kdm and also agetty related problem, and also this is not
strictly a vulnerability which can be solved in any applications of this kind.

kloczek
PS. Next time try to send this kind of report on 1 April ;-)
-- 
-----------------------------------------------------------
*People don't have problems, they only create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek@rudy.mif.pg.gda.pl*