1. Forum
  2. Usenet
  3. LINUX.DEBIAN.MAINT.X

  • Bug#869773: xdm logs failed logins that may be sensitive

    From Nicolas George@21:1/5 to All on Wed Jul 26 13:50:01 2017
    XPost: linux.debian.bugs.dist

    Package: xdm
    Version: 1:1.1.11-3
    Severity: normal

    Dear Maintainer,

    When somebody tries to log in and fails, xdm writes the given user name in
    the system logs. Unfortunately, typing the password in the login field is a common mistake. When that happens, xdm logs it too. That leaves the
    password of an user in clear in the system logs. It is not very
    important, but still a little security concern since normally passwords
    are stored permanently on the system only in hashed form.

    The corresponding log line looks like this:

    Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXXXXXXXXXX

    (I have redacted the login that was actually a password.)

    It may be better to not log it at all, or maybe only log it when it matches
    an actual login name.

    Regards,

    --
    Nicolas George


    -- System Information:
    Debian Release: 9.1
    APT prefers stable
    APT policy: (500, 'stable')
    Architecture: amd64 (x86_64)

    Kernel: Linux 4.9.0-3-amd64 (SMP w/2 CPU cores)
    Locale: LANG=C, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
    Shell: /bin/sh linked to /bin/dash
    Init: systemd (via /run/systemd/system)

    Versions of packages xdm depends on:
    ii cpp 4:6.3.0-4
    ii debconf [debconf-2.0] 1.5.61
    ii libc6 2.24-11+deb9u1
    ii libpam0g 1.1.8-3.6
    ii libselinux1 2.6-3+b1
    ii libx11-6 2:1.6.4-3
    ii libxau6 1:1.0.8-1
    ii libxaw7 2:1.0.13-1+b2
    ii libxdmcp6 1:1.1.2-3
    ii libxext6 2:1.3.3-1+b2
    ii libxft2 2.3.2-1+b2
    ii libxinerama1 2:1.1.3-1+b3
    ii libxmu6 2:1.1.2-2
    ii libxpm4 1:3.5.12-1
    ii libxrender1 1:0.9.10-1
    ii libxt6 1:1.1.5-
  • From G. Branden Robinson@21:1/5 to Nicolas George on Fri Jul 28 21:40:02 2017
    XPost: linux.debian.bugs.dist

    --2xmfyb65blrnjws5
    Content-Type: text/plain; charset=us-ascii
    Content-Disposition: inline
    Content-Transfer-Encoding: quoted-printable

    At 2017-07-26T11:51:10+0200, Nicolas George wrote:
    Package: xdm
    Version: 1:1.1.11-3
    Severity: normal

    Dear Maintainer,

    When somebody tries to log in and fails, xdm writes the given user name in the system logs. Unfortunately, typing the password in the login field is a common mistake. When that happens, xdm logs it too. That leaves the
    password of an user in clear in the system logs. It is not very
    important, but still a little security concern since normally passwords
    are stored permanently on the system only in hashed form.

    The corresponding log line looks like this:

    Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXXXXXXXXXX

    (I have redacted the login that was actually a password.)

    It may be better to not log it at all, or maybe only log it when it matches an actual login name.

    Hmm, yes, that's bad.

    Here's a quick-and-dirty, untested patch. I didn't even compile-test it because I can't get stock xdm to build on my Debian Stretch system. The
    xdm codebase is choked with bad style (unused results, discarded
    qualifiers) that causes the compile to bomb long before it gets to
    greet.c.

    "Somebody should do something about that," he said, peering around a
    corner into a mirror.

    Regards,
    Branden

    --2xmfyb65blrnjws5
    Content-Type: text/x-diff; charset=us-ascii
    Content-Disposition: attachment; filename="xdm.patch"

    --- xdm-1.1.11/greeter/greet.c.orig 2017-07-28 14:20:44.649055209 -0400
    +++ xdm-1.1.11/greeter/greet.c 2017-07-28 14:21:09.812798680 -0400
    @@ -405,12 +405,9 @@
    FailedLogin (struct display *d, const char *username)
    {
    #ifdef USE_SYSLOG
    - if (username == NULL)
    - username = "username unavailable";
    -
    syslog(LOG_AUTHPRIV|LOG_NOTICE,
    - "LOGIN FAILURE ON %s, %s",
    - d->name, username);
    + "LOGIN FAILURE ON %s",
    + d->name);
    #endif
    DrawFail (login);
    }

    --2xmfyb65blrnjws5--

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCAAdFiEEh3PWHWjjDgcrENwa0Z6cfXEmbc4FAll7gi4ACgkQ0Z6cfXEm bc7qRg//RJOP2scEzEPW1E1psk5cOSRNWcLQYcYajSAlKdkc2AforfF7yQh3kci7 yrhRgOIgiOefEI3v9w4fL5C5bGpWjS+kjEZxJ9KXiQfxg5gJCZqJsBWqCM1IcPTL RJ3CfwN0BemE/xZttatbrNX7TTnhm8xJ8cUeoo0mL3C1kvCJhfHO/lPelvO6219X OP1TChBudQ2CptRijWYvf+STzK9R/r1bKS8gzojHq+hGF4RePjjje1GPZLDbf7iR TUqCyyNIHn4uY5x7H37x5N50mc+i8MS7TcMLOBEJeOSuKK1LetSpofjcBvG3Mfl/ dMSrNPn4p+3QeMko5Y84wa0Kzlm28ySfzmmW35HbAF3FvnJxuHjm+EQs5myabPXh
    yprFdHQ6M/1T
  • From Julien Cristau@21:1/5 to Nicolas George on Fri Jul 28 22:00:02 2017
    XPost: linux.debian.bugs.dist

    On Wed, Jul 26, 2017 at 11:51:10 +0200, Nicolas George wrote:

    Package: xdm
    Version: 1:1.1.11-3
    Severity: normal

    Dear Maintainer,

    When somebody tries to log in and fails, xdm writes the given user name in the system logs. Unfortunately, typing the password in the login field is a common mistake. When that happens, xdm logs it too. That leaves the
    password of an user in clear in the system logs. It is not very
    important, but still a little security concern since normally passwords
    are stored permanently on the system only in hashed form.

    The corresponding log line looks like this:

    Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXXXXXXXXXX

    (I have redacted the login that was actually a password.)

    It may be better to not log it at all, or maybe only log it when it matches an actual login name.

    Isn't that true pretty much whichever way you log in (ssh, login, ...),
    not just xdm?

    Cheers,
    Julien

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Julien Cristau@21:1/5 to Sven Joachim on Fri Jul 28 22:20:01 2017
    XPost: linux.debian.bugs.dist

    On Fri, Jul 28, 2017 at 21:06:47 +0200, Sven Joachim wrote:

    The unknown username should not be in the log, login(1) replaces names
    of non-existent users with "UNKNOWN" when logging failed attempts.

    How about this then (not even build tested):

    diff --git a/greeter/greet.c b/greeter/greet.c
    index 9b5cef4..ba4b3da 100644
    --- a/greeter/greet.c
    +++ b/greeter/greet.c
    @@ -405,6 +405,9 @@ static void
    FailedLogin (struct display *d, const char *username)
    {
    #ifdef USE_SYSLOG
    + if (!getpwnam(username))
    + username = "unknown user";
    +
    if (username == NULL)
    username = "username unavailable";


    Cheers,
    Julien

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Sven Joachim@21:1/5 to Julien Cristau on Fri Jul 28 22:10:02 2017
    XPost: linux.debian.bugs.dist

    On 2017-07-28 20:49 +0200, Julien Cristau wrote:

    On Wed, Jul 26, 2017 at 11:51:10 +0200, Nicolas George wrote:

    Package: xdm
    Version: 1:1.1.11-3
    Severity: normal

    Dear Maintainer,

    When somebody tries to log in and fails, xdm writes the given user name in >> the system logs. Unfortunately, typing the password in the login field is a >> common mistake. When that happens, xdm logs it too. That leaves the
    password of an user in clear in the system logs. It is not very
    important, but still a little security concern since normally passwords
    are stored permanently on the system only in hashed form.

    The corresponding log line looks like this:

    Jul 26 11:32:31 hellroy xdm[1004]: LOGIN FAILURE ON :0, XXXXXXXXXXX

    (I have redacted the login that was actually a password.)

    It may be better to not log it at all, or maybe only log it when it matches >> an actual login name.

    Isn't that true pretty much whichever way you log in (ssh, login, ...),
    not just xdm?

    The unknown username should not be in the log, login(1) replaces names
    of non-existent users with "UNKNOWN" when logging failed attempts.

    Cheers,
    Sven

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Nicolas George@21:1/5 to All on Fri Jul 28 22:50:02 2017
    XPost: linux.debian.bugs.dist

    Le decadi 10 thermidor, an CCXXV, Julien Cristau a �crit�:
    Isn't that true pretty much whichever way you log in (ssh, login, ...),
    not just xdm?

    Probably. I just noticed it and verified it on xdm. If other login
    prompts have the same issue, a common solution may be better.

    Note that with ssh, there is no login prompt, normally.

    Regards,

    --
    Nicolas George

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCAAdFiEE6ooRQGBoNzw0KnwPcZVLI8pNxgwFAll7h4sACgkQcZVLI8pN xgx/fw//USlEl5vQqk6KW2MFK+5ki7wkgSDdvrYG2Iswh1S6EoGej13SD3zUXRe9 14i3zDeRs7T6CVKWx/SchlV+kH2p+LqMBlRpRhbIKng1+ZOcV83qfpgsEjLneKnj W1ryGri5kcj5nBZ6pgCPx4wiUxk+PxSj09dlMjCey8AQsqKfgDqBdSHL09YG/eFW upkjXUEFE01YK8nbx6tJGmboSw+UEeNpjpx7lhlBB65fcj+ylV95f6OQrg411jMg ZdwiLiJCXLB4UU8PLi8C90nv1dqK8DK2YsmAvAOfW7y5WndzsrRzwUgI+tt5vwO4 uWB8gRmFbhY2+JZpk+ETistlt8r1AeCstpVwjeyOvFx27UztE7RtjXiX2CE4+x79 XqNNsTv8eHjyGIzg+yJd1J5gSWPtjlQDt6X5qOCahMYnskxJN+QgqG7sMak6coI6 c/J3OgK7O7cjL0oQKzpIM+4NXj9jq8uzY5gyrfqcTp/Qwgn94p0lhuhLblZEsoz4 kubs47YK3iixI7fMK4qFY6zgXHDuMHd3xtsDgbDeKG8lTG+md/7JwHKeqdlfnKbi aX9hTizcHlKNSm3EkdUcvUW37I7meQU/xJelWmJPTITN81h3gwzhNfy5c7vbXDkS ScEGp3BC85VLPL2N6E0lWJSzBRU5ojNrz9IpZ0uP5v+b5usNr68=
    =nZIO
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)