Bug#305600: [Pkg-shadow-devel] Bug#305600: login is vulnerable to local pishing attacks

Gerhard Schrenk <gps@mittelerde.physik.uni-konstanz.de>, 305600@bugs.debian.org
Fri, 22 Apr 2005 16:03:03 +0200


* Christian Perrier <bubulle@debian.org> [2005-04-22 08:33]:

> OK, as a normal user, I can start a fake login program and have it
> mimic the behaviour of /bin/login.
> 
> But, how could I really have other users run it and believe this is the
> normal login program? Sending them an email which says "Please
> run that login program you'll find in my home"?

<Disclaimer>
All I wrote below this Disclaimer was before I realized
that we seem to have differently configured machines... I wrote the script
on my private machine where I don't get the error message

|No utmp entry. You must exec "login" from the lowest level "sh"

Replacing s|exec login|exec login 2> /dev/null| (and maybe installing
dash as /bin/sh) seems to circumvent this message on the machine in our
lab.

But anyway you can replace s/exec login/exec su $user/
</Disclaimer>

The point is you start it as legitimate user alice with
alice:~$ exec pishing.sh

Alice replaces her shell with the phishing script. Bob goes to the
terminal and tries to log in as bob. After terminating the
script (by either logout or failed second logout) init respawns the new
(unfaked) login, but alice can read the password of the faked failed
login in /tmp/nosecret.

This week I wanted to rewrite a replacement for the fundamentally flawed
(vlock, away, lockvt, ...). I wanted a kind of unphishable screensaver
for the vt to save users who have forgotten to logout... I had a look
into the source of login which I consider to be safe(r). Now I know
login, {x,w,k,..}dm are fundamentally flawed too. :(

I always thought of attacks like you do. Find a way that the other user
executes your phishing script of su, passwd or a faked screen locking
program. The easiest way to do this in a computer lab is normally to
find a running session where the user has forgotten to logout. Come to
us, you will always find one. Then the *local* attacker without
legitimate access to your system can start a faked vlock or xlock or
simply

  echo "attacker public key" >> .ssh/authorized_keys

But these kinds of attacks are the responsibility of the users who
have forgotten to log out of their session. It's their fault if they have to
pay the high printing bill for pages they never printed themselves. The
one I proposed to fake the login session is not so obviously the fault
of the phished victim.

My nasty workaround is to always "zap" before you login. Better
solutions are *very* welcome. I even propose to disclose immediately
this bug report because I'm *heavily* affected by this possible class
of mass bug filing...

You could put in /etc/issue a user counter, e.g. (see getty(8))

\U at \t

But we allow ssh-logins, simulations and then there are always the users
who "zap" with ctrl-alt-del to terminate the sessions and are false
counts and appear under w, who, rwho. OTOH I don't want to disallow
zapping because it's the only safe way to login under X...

-- Gerhard

P.S.: On my private system I was even able to ameliorate my phishing
script with openvt and chvt. Then the attacker can logout and isn't
visible with w, who, rwho. But after editing /etc/inittab I'm not allowed
to do this anymore. Maybe an unreproducible bug?
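As an added defensive example (not part of this report or of the shadow package), the script below audits raw utmp records for console sessions left logged in for too long, the "forgotten to logout" condition the mail names as the easy enabler for fake lockers and fake logins. It assumes the glibc x86_64 utmp layout and constructs its sample records inline instead of reading /var/run/utmp.

```python
import struct

USER_PROCESS = 7  # ut_type of a live login session (DEAD_PROCESS is 8)
# Assumption: glibc struct utmp on x86_64 (384 bytes); other ABIs differ.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)


def _cstr(raw):
    """Decode a NUL-padded fixed-width utmp string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_utmp(data):
    """Yield one dict per utmp record in `data` (raw bytes of /var/run/utmp)."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": f[0], "pid": f[1], "line": _cstr(f[2]),
               "user": _cstr(f[4]), "host": _cstr(f[5]), "login": f[9]}


def stale_console_sessions(data, now, max_age):
    """Return (user, line, age_seconds) for console (ttyN) sessions that
    have been logged in longer than max_age: candidates for a forgotten
    logout that somebody else could reuse for a fake locker or login."""
    return [(r["user"], r["line"], now - r["login"])
            for r in parse_utmp(data)
            if r["type"] == USER_PROCESS
            and r["line"].startswith("tty")
            and now - r["login"] > max_age]


def make_record(utype, pid, line, user, login_time, host=""):
    """Build one raw utmp record; used only to construct sample data."""
    return struct.pack(UTMP_FMT, utype, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, login_time, 0, 0, 0, 0, 0)


# Constructed sample: alice left tty1 four hours ago, bob is on a pty,
# carol just logged in on tty2, tty3 holds a dead (logged-out) record.
NOW = 1_700_000_000
SAMPLE_UTMP = (make_record(USER_PROCESS, 1234, "tty1", "alice", NOW - 4 * 3600)
               + make_record(USER_PROCESS, 2345, "pts/0", "bob", NOW - 4 * 3600)
               + make_record(USER_PROCESS, 3456, "tty2", "carol", NOW - 60)
               + make_record(8, 4567, "tty3", "", NOW - 9 * 3600))

if __name__ == "__main__":
    for user, line, age in stale_console_sessions(SAMPLE_UTMP, NOW, 3600):
        print(f"{user} on {line} logged in {age // 3600}h ago")  # alice on tty1
```

On a real host, pass `open("/var/run/utmp", "rb").read()` and `time.time()` instead of the sample data; a cron job reporting (or locking) such sessions addresses the lab situation described above without relying on users to remember to log out.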