Bug#305600: [Pkg-shadow-devel] Bug#305600: login is vulnerable to local phishing attacks

Gerhard Schrenk <gps@mittelerde.physik.uni-konstanz.de>, 305600@bugs.debian.org
Thu, 21 Apr 2005 20:00:16 +0200


* Christian Perrier <bubulle@debian.org> [2005-04-21 19:15]:
> > 
> > I know. I have not installed vlock, lockvt, xlock, away, (which besides accept
> > passwords from stdin...) but unfortunately I cannot decline politely on login
> > and gdm.
> > 
> > > And I would add that, if your system allows random users to replace
> > > login by such a program, then you have much other problems than
> > > phishing.
> > 
> > "touch /etc/nologin" and "apt-get remove gcc" and ...  is not possible.
> > Unfortunately I'm not a so well-paid HiWi (20h/month) for a computer lab.  We
> > cannot afford smartcard-based authentication for all students.
> 
> Please explain to me how, on a non-compromised system, users can replace
> the login program with something else.

Wasn't that only you in
<20050421051705.GL7188@mykerinos.kheops.frmug.org> who claims this?  I'm
speaking of a simple childish script kiddy script that you start as a
normal local user *without* root access. I thought you had
misunderstood something because you might have a system in mind with
users you trust. I'm speaking of systems with users you don't trust.
Please read my first mail in the bug report and try it. I have the
impression you have read only some answers.

> > * Tomasz Kłoczko <kloczek@zie.pg.gda.pl> [2005-04-21 03:48]:
> > > PS. Next time try send this kind of report in 1 april ;-)
> > 
> > Ever read "Surely You're Joking, Mr. Feynman"? The funniest story was about the
> > crack of the uncrackable safes guarding the atomic bomb's most critical
> > secrets. Not so funny if you're admin of a computer lab for physicists.
> 
> Do all the physicists in your lab have root access to the machine? If
> so, then you have a problem.

No, but they can wrap it, imitate it and start it:

gps@legolas:~$ ls -l /bin/login 
-rwsr-xr-x  1 root root 35512 2004-12-23 22:40 /bin/login

I suggested a different default behaviour of getty / login / inittab to
make it harder for these simple but effective kind of attacks.

Keyboard based authentication is flawed by design but nevertheless you
can improve it. For example login doesn't accept input from stdin to
improve this.

-- Gerhard
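The last paragraph mentions that login refuses password input from stdin so that a wrapper cannot feed it a pipe. The following is an added illustration of that kind of check, written for this thread and not taken from shadow's login source: a small C function that only accepts a password prompt file descriptor when it is a real terminal device under /dev/, plus a demo helper that shows a pipe being rejected. The function names (`prompt_fd_is_terminal`, `pipe_read_end_accepted`) are made up for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Returns 1 if fd refers to a terminal device node under /dev/ that may be
   used to prompt for a password, and 0 for anything else: a pipe, a regular
   file, a socket, or a closed/invalid descriptor. This mirrors the idea of
   not reading credentials from whatever stdin happens to be. */
int prompt_fd_is_terminal(int fd)
{
    if (!isatty(fd))
        return 0;

    /* ttyname() resolves the device path (e.g. /dev/tty1, /dev/pts/0). */
    const char *name = ttyname(fd);
    if (name == NULL)
        return 0;

    /* Hypothetical extra check for this example: insist on a /dev/ node. */
    return strncmp(name, "/dev/", 5) == 0;
}

/* Demo helper: creates a pipe (constructed input for the example) and asks
   whether its read end would be accepted as a password source. Returns 0 when
   the pipe is correctly refused, 1 if it were accepted, -1 on pipe() failure. */
int pipe_read_end_accepted(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;

    int accepted = prompt_fd_is_terminal(fds[0]);
    close(fds[0]);
    close(fds[1]);
    return accepted;
}

int main(void)
{
    printf("stdin accepted as prompt terminal: %d\n",
           prompt_fd_is_terminal(STDIN_FILENO));
    printf("pipe accepted as prompt terminal:  %d\n",
           pipe_read_end_accepted());
    return 0;
}
```

Run interactively on a tty the first line prints 1; run with stdin redirected from a file or pipe (`./a.out < /dev/null`) it prints 0, and the pipe line is always 0.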