Login Spoofing

From Kicksecure
Jump to navigation Jump to search

It is possible for malware to masquerade as a login prompt in order to steal login passwords. This page documents this advanced threat model and how to prevent malware from sniffing the root password using SysRq + r. (unraw)

Introduction[edit]

This attack assumes an advanced threat model:

  1. A system is configured with a limited user (user "user") which utilizes a graphical X Window System session that is different from the user with root/sudo permissions (user "admin").
  2. The limited user is compromised at some point by malware.

Or:

  1. Multiple non-root users sharing the same computer and using different virtual terminals (VT).
  2. A compromised or malicious user could pretend to have logged out from the VT but actually have started a spoofed login screen.

Note: If there is only one user account which also has sudo/su access, malware can sniff the administrative password and it is unnecessary to utilize an advanced login spoofing attack.

Security Benefit of Compartmentalization[edit]

Under many threat models, the compromise of the limited user account is considered catastrophic, since running malware:

  • has full access to all user-accessible files,
  • can view all keyboard inputs and take over login sessions,
  • may present false information on the screen, and
  • can perform other malicious actions, see: The Importance of a Malware-Free System.

However, if multiple (virtual) machines are used for compartmentalization, the harmful impact of malware might not be catastrophic. For instance, other goals of this configuration include prevention of root compromise to help protect the virtualizer and avoid host compromise, and similarly to avoid hardware compromise. This is further elaborated in the rationale section of the Safely Use Root Commands wiki chapter.

A broken X Window System can block switching to a virtual console. It logically follows that malware which has compromised the X Window System can also perform this action. In this case, the SysRq + r combination can take control away from the X Window System. [1] This is a safer procedure; otherwise, a compromised X Window System could simulate a virtual console login prompt in order to sniff an account login password with root access. (login spoofing in Wikipediaarchive.org).

SysRq + k (Secure Access Key) can be used to defeat login spoofing because it will terminate all programs on that virtual console.

Quote Linux Kernel Documentationarchive.org:

Sak (Secure Access Key) is useful when you want to be sure there is no trojan program running at console which could grab your password when you would try to login. It will kill all programs on the given console, thus letting you make sure that the login prompt you see is actually the one from init, not some trojan program.

Quote Linux Kernel Secure Attention Key Documentationarchive.org:

An operating system's Secure Attention Key is a security tool which is provided as protection against trojan password capturing programs. It is an undefeatable way of killing all programs which could be masquerading as login applications. Users need to be taught to enter this key sequence before they log in to the system.

Even if using Wayland as a replacement for the X Window System:

Taking steps to defeat login spoofing probably only makes sense when also performing actions to Prevent Malware from Sniffing the Root Password.

Kicksecure Default[edit]

The SysRq Key is disabled in Kicksecure by default for security reasons. See System Recovery using SysRq Key on how to enable it.

See Also[edit]

Footnotes[edit]

  1. This is because the Linux kernel removes control of the X Window System from the console. The Linux kernel has higher privileges than the X Window System.

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!