MORE SSH Hacking: heads-up

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Thu Aug 12 17:30:40 UTC 2004


On Thu, 12.08.2004 at 19:07, netmask wrote:

> > I was not speaking about the network transfer between client and server. I 
> > thought this was obvious. I was speaking about the possibility to locally, 
> > on the SSHD system itself, to sniff password entries when running "su". 
> > Alexander
> 
> Then that wouldn't be 'sniffing' would it?
> 
> Sniffing pertains to the network..  a 'su' doesn't use any network sockets.

To my knowledge the word sniffing does not only belong to observing
network traffic. See i.e.
http://www.seifried.org/security/articles/20020126-keyboard-sniffing.html or http://www.wired.com/news/privacy/0,1848,49455,00.html.

> You are talking about tracing their processes.. and a normal user can't do 
> that to another user.
> 
> An already logged in user ALSO can't do it, because you can't trace SUID 
> binaries..
> 
> try it 'strace su'.
> 
> You could trojan the su, by putting a 'su' in the path before the system su, 
> and taking their password, recording it, and then passing it to the system 
> 'su'.. but you'd still need to be that user (or root of course, but if you're 
> root.. why would you care?)
> 
> Lastly, you might be able to record it via injected modules using LD_PRELOAD.. 
> But I've never researched this method in depth..   You can easily use 
> LD_PRELOAD though to bypass restricted shells. (Nothing to do with this).

Well, you are right in many aspects. Maybe I was too short with my
comment. I did not say and didn't want to say that logging in as normal
user and then su to root is insecure at all. I just wanted to say that
it weakens the root login, against the possibility to use public key
authentication with SSH login. Not more, not less. I am no hacker nor
cracker, so I have no proof of concept for using the possibility to
"listen" to the input a user makes when su'ing. Again: it would be a
local hack. I am not speaking about decrypting the SSH connection,
either established by password auth nor by pubkey auth. The "weak" point
is the local system, given the attacker has local unprivileged user
permissions.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.7-1.494.2.2smp 
Serendipity 19:22:26 up 8 days, 12:50, load average: 1.52, 1.74, 1.70 
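The two local conditions this exchange turns on, a user-writable or relative PATH entry searched before the real su (the "trojaned su" netmask describes) and su resolving to something other than the setuid-root system binary, can be checked from the defender's side. The script below is an added example, not code from the thread or its participants; it assumes a POSIX sh with find, and the function names and messages are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit the local conditions that let a
# wrapper named "su" capture a password before the real su is reached.

# Print every PATH entry that could be used to shadow su; return 1 if any.
# Only entries up to and including the first directory holding an "su" matter,
# because lookup stops at the first match.
audit_path_for_su_shadowing() {
    rest="$1:"          # trailing ':' so a trailing empty entry is also seen
    found=0
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"
        rest="${rest#*:}"
        case "$dir" in
            ""|.|./*|../*)
                echo "relative entry '$dir' (current directory is searched)"
                found=1
                continue ;;
        esac
        # -perm -0002: world-writable, -perm -0020: group-writable (e.g. /tmp)
        if [ -n "$(find "$dir" -prune \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)" ]; then
            echo "writable PATH directory: $dir"
            found=1
        fi
        [ -f "$dir/su" ] && break   # later entries can no longer shadow it
    done
    return $found
}

# Return 0 only if "$1" is a regular file that is setuid and owned by root,
# i.e. the system su rather than a user-planted wrapper.
verify_su_binary() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -user root -perm -4000 -print 2>/dev/null)" ]
}

main() {
    audit_path_for_su_shadowing "$PATH" && echo "PATH: no shadowing risk found"
    su_path=$(command -v su) || { echo "no su in PATH"; return 1; }
    if verify_su_binary "$su_path"; then
        echo "$su_path is a setuid-root binary"
    else
        echo "WARNING: $su_path is not the setuid-root system su"
    fi
}

main "$@"
```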