Re: MORE SSH Hacking: heads-up

On Thu, 12.08.2004 at 19:07, netmask wrote:

> > I was not speaking about the network transfer between client and server. I 
> > thought this was obvious. I was speaking about the possibility to locally, 
> > on the SSHD system itself, to sniff password entries when running "su". 
> > Alexander
> 
> Then that wouldn't be 'sniffing', would it?
> 
> Sniffing pertains to the network..  a 'su' doesn't use any network sockets.

To my knowledge the word sniffing does not only belong to observing
network traffic. See e.g.
http://www.seifried.org/security/articles/20020126-keyboard-sniffing.html
or http://www.wired.com/news/privacy/0,1848,49455,00.html.

> You are talking about tracing their processes.. and a normal user can't do 
> that to another user.
> 
> An already logged in user ALSO can't do it, because you can't trace SUID 
> binaries..
> 
> try it 'strace su'.
> 
> You could trojan the su, by putting a 'su' in the path before the system su, 
> and taking their password, recording it, and then passing it to the system 
> 'su'.. but you'd still need to be that user (or root of course, but if you're 
> root.. why would you care?)
> 
> Lastly, you might be able to record it via injected modules using LD_PRELOAD.. 
> But I've never researched this method in depth..   You can easily use 
> LD_PRELOAD though to bypass restricted shells. (Nothing to do with this).

Well, you are right in many aspects. Maybe I was too short with my
comment. I did not say and didn't want to say that logging in as a normal
user and then su'ing to root is insecure at all. I just wanted to say that
it weakens the root login compared with the possibility of using public key
authentication with SSH login. Not more, not less. I am neither a hacker
nor a cracker, so I have no proof of concept for using the possibility to
"listen" to the input a user makes when su'ing. Again: it would be a
local hack. I am not speaking about decrypting the SSH connection,
whether established by password auth or by pubkey auth. The "weak" point
is the local system, given the attacker has local unprivileged user
permissions.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.7-1.494.2.2smp 
Serendipity 19:22:26 up 8 days, 12:50, load average: 1.52, 1.74, 1.70 

Attachment: signature.asc
Description: This is a digitally signed message part
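The two local capture vectors netmask names above (a wrapper "su" that sits earlier in PATH than the system binary, and a library injected through LD_PRELOAD) can be checked for from an unprivileged shell. The script below is an added example written for this archive page, not code from either poster: it reports which "su" a login shell would actually execute, which PATH directories ahead of the real one the current user could drop a wrapper into, and whether an LD_PRELOAD value would be inherited by child processes. The default location /bin/su and the temporary directory names used in the test are assumptions; pass your system's real path as the second argument.

```shell
#!/bin/sh
# Added example (not from the thread): audit a login environment for the
# local password-capture vectors discussed above. Default /bin/su is an
# assumption; pass the real system su as the second argument if it differs.

# Print the first executable named "su" found in the given PATH (default: $PATH).
# Returns 1 if none is found.
first_su_on_path() {
    pathlist="${1:-$PATH}"
    oldifs="$IFS"; IFS=:
    for d in $pathlist; do
        [ -z "$d" ] && d=.          # an empty PATH element means the current directory
        if [ -x "$d/su" ] && [ ! -d "$d/su" ]; then
            printf '%s\n' "$d/su"
            IFS="$oldifs"
            return 0
        fi
    done
    IFS="$oldifs"
    return 1
}

# Succeed only if the su that PATH resolves first is the expected system binary.
su_path_is_clean() {
    expected="${2:-/bin/su}"
    found=$(first_su_on_path "$1") || return 1
    [ "$found" = "$expected" ]
}

# List PATH directories searched *before* the directory holding the expected su
# that the current user can write to: each one could host a wrapper "su" that
# records the password and then execs the real binary.
writable_dirs_before_su() {
    pathlist="${1:-$PATH}"
    expected="${2:-/bin/su}"
    sysdir=$(dirname "$expected")
    oldifs="$IFS"; IFS=:
    for d in $pathlist; do
        [ -z "$d" ] && d=.
        [ "$d" = "$sysdir" ] && break
        [ -w "$d" ] && printf '%s\n' "$d"
    done
    IFS="$oldifs"
}

# Succeed if this shell would hand an LD_PRELOAD library to every child it starts.
ld_preload_is_set() {
    [ -n "${LD_PRELOAD:-}" ]
}

# Stand-alone run: "sh audit-su-path.sh --run [/path/to/real/su]" audits the
# caller's own environment.
if [ "${1:-}" = "--run" ]; then
    real_su="${2:-/bin/su}"
    if su_path_is_clean "$PATH" "$real_su"; then
        echo "ok: first su on PATH is $real_su"
    else
        echo "WARNING: first su on PATH is $(first_su_on_path || echo none), expected $real_su"
    fi
    writable_dirs_before_su "$PATH" "$real_su" | sed 's/^/WARNING: writable dir ahead of su: /'
    ld_preload_is_set && echo "WARNING: LD_PRELOAD=$LD_PRELOAD is inherited by child processes"
fi
```

Note on the LD_PRELOAD check: it tells you whether the variable is exported, not whether it would take effect on su itself. glibc's dynamic loader runs set-user-ID programs in secure-execution mode, where LD_PRELOAD entries containing a slash are ignored and the rest are only honoured from the standard library directories, so the PATH wrapper is the more practical of the two vectors for an unprivileged local user; the variable is still worth flagging because it affects everything else the user runs.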
