LinuxQuestions.org
Old 11-25-2010, 03:54 PM   #1
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 3,118

Rep: Reputation: 46
Linux login password echoed.


Kernel 2.6.21.5, Slackware 12.0
GNU bash 3.11.17

Hi:
Being in a text console (VT, that is, the screen with 25 x 80 chars), say tty1, and just after booting Linux, I logged in as usual, typing my password. What happened then astonished me. In Slackware distros, a small quotation from some book is written on screen just after typing the correct password. Well, after typing my password, I could see it split into two halves instead of the quotation.

I think this clearly indicates the presence of a virus in my hard disk. Does it? Regards.

Last edited by stf92; 11-25-2010 at 03:58 PM.
 
Old 11-26-2010, 03:32 AM   #2
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE 13.1 / 12.3_64-KDE, Ubuntu 14.04, Fedora 20, Mint 17, Chakra
Posts: 3,650

Rep: Reputation: Disabled
Virus? I doubt it. AFAIK there is none in the wild for *nix systems.

How is this quote handled in Slackware, is it an internet based QotD (http://en.wikipedia.org/wiki/QOTD) or is a file used?

In both circumstances I would assume that the message you got has some escape sequences (commands for the terminal VT) which cause the splitting. Is this reproducible?
 
Old 11-26-2010, 03:37 AM   #3
JoshyJ
Member
 
Registered: Nov 2003
Location: Sydney , Australia
Distribution: Fedora
Posts: 49

Rep: Reputation: 1
Get a screen scrape if possible.
 
Old 11-26-2010, 03:45 AM   #4
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 3,118

Original Poster
Rep: Reputation: 46
Quote:
Originally Posted by JZL240I-U View Post
Virus? I doubt it. AFAIK there is none in the wild for *nix systems.

How is this quote handled in Slackware, is it an internet based QotD (http://en.wikipedia.org/wiki/QOTD) or is a file used?

In both circumstances I would assume that the message you got has some escape sequences (commands for the terminal VT) which cause the splitting. Is this reproducible?
It is a database on disk from where the system gets the quotations, not the internet. And yes, the file "issue" (may be "motd") contains the string 'Linux x.x.x' and some escape sequences. But the splitting happened only once. More important is the fact that the password was echoed on the VT. Of course, then, it is not reproducible.
 
Old 11-26-2010, 03:48 AM   #5
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE 13.1 / 12.3_64-KDE, Ubuntu 14.04, Fedora 20, Mint 17, Chakra
Posts: 3,650

Rep: Reputation: Disabled
So, do you know which message in the file (issue?) was to be displayed when the screen split? If so, is there a method to display this again in the same terminal-(type)?
 
Old 11-26-2010, 03:53 AM   #6
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 3,118

Original Poster
Rep: Reputation: 46
My fault. There are lots of messages, and each session gets its own one. Instead of one of the messages getting displayed (there are hundreds of them), the "message" consisted of my password and this, split.
 
Old 11-26-2010, 03:58 AM   #7
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE 13.1 / 12.3_64-KDE, Ubuntu 14.04, Fedora 20, Mint 17, Chakra
Posts: 3,650

Rep: Reputation: Disabled
Understood. What I am driving at is the possibility that one of these messages was garbled in a way to include the escape sequences to split the screen (and simultaneously suppressing the hiding of your password, thus displaying it in clear text). Shouldn't happen and is clearly a bug, but also it is at least a hypothetical explanation of what happened.

But I'm out of my depth here, security gurus to the fore please.
 
Old 11-27-2010, 05:15 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,112
Blog Entries: 54

Rep: Reputation: 2784
A 'getty' is connected to a TTY, waits for user input and hands the login process over to 'login' which finally hands over control to the user's shell. Well-documented as they are you can read that all binaries in this chain of processes handle escape sequences and read different configuration files. On top of that error output may be logged to the screen and syslog. It would be good to know if the OP has verified the integrity of installed core packages, if he has made any modifications to configuration files that relate to the whole login process or shell behaviour, if he has replaced (or installed PPP/Fax-tty-related) any software and if any syslog log file holds any clues. If no changes were made and no errors get logged I would disable any MotD and try again. If that doesn't work then see what running a forced getty like 'mingetty --noissue tty1' shows.
 
Old 11-29-2010, 01:25 AM   #9
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE 13.1 / 12.3_64-KDE, Ubuntu 14.04, Fedora 20, Mint 17, Chakra
Posts: 3,650

Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
...all binaries in this chain of processes handle escape sequences...
Are these binaries controllable by the escape sequences or do they just hand them to next instance? (That was my original idea. Your hints for the OP are much more concise, thanks for coming to the rescue, unSpawn).
 
Old 12-11-2010, 11:49 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,112
Blog Entries: 54

Rep: Reputation: 2784
Sorry for the late reply. I wouldn't say "controllable" but that escape sequences in resource or configuration files are used to modify output. Sure it would be a bug if an escape sequence modifies output in a way that it echoes the actual password or pass phrase on stdout but to troubleshoot that properly one should first return resource and configuration files to an earlier or initial state so things don't get obscured.
 
Old 12-11-2010, 02:42 PM   #11
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 3,118

Original Poster
Rep: Reputation: 46
I warmly acknowledge your suggestion, but bear in mind I'm just a novice. There are two possibilities. This can happen right from a fresh installation, in which case it is clearly a bug, or after a certain period of use, as is my case. If the latter, an appropriate procedure, including your hints, could tell whether there is a bug, although it could not tell if there is not.

If the first, this _must_ be known to the slack guys (unfortunately I use 12.0 and do not want to update any further). Regards.
 
Old 12-11-2010, 05:29 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,112
Blog Entries: 54

Rep: Reputation: 2784
I'm pretty sure that if this actually was a 12.x bug that it would have been fixed fast in upstream. I've never seen it happen in 12.x or 13.x but then again I run it stock, absolutely no mods.
 
Old 12-11-2010, 07:41 PM   #13
stf92
Senior Member
 
Registered: Apr 2007
Location: Buenos Aires.
Distribution: Slackware
Posts: 3,118

Original Poster
Rep: Reputation: 46
I'll ask in the slack forum (LQ) for a way to get rid of those quotations, because with or without a bug, I was already tired of them. Once in a while, I see myself forced to read one. And believe me, I'm not at all interested in the high thoughts of Sir Winston Churchill. Have a good Sunday.
 
Old 12-13-2010, 01:15 AM   #14
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE 13.1 / 12.3_64-KDE, Ubuntu 14.04, Fedora 20, Mint 17, Chakra
Posts: 3,650

Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
...I wouldn't say "controllable" but that escape sequences in resource or configuration files are used to modify output...
Yes, that is a more fitting expression. As I understand it by now, at any link of the chain of processes the first binary with the inbuilt capability to process an escape sequence does so (and removes the escape sequence in this process) until all are used up else they are part of the output.

Thanks for coming back, unSpawn.
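
One way to carry out the check the thread keeps returning to (whether a file shown around login, such as the "issue" or "motd" files or a quotation database, carries escape sequences), as an added example that is not part of the original thread. The function names and the sample text are constructed for illustration; the files to inspect are passed as arguments.

```shell
#!/bin/sh
# Added example: find control characters in text files shown around login.
# File names are passed as arguments; nothing here is Slackware-specific.

# Bracket expression matching ESC and the other C0 control bytes plus DEL,
# excluding TAB (\011) and newline (\012).
CTRL_RE=$(printf '[\001-\010\013-\037\177]')

# ctrl_line_count FILE: print how many lines of FILE contain a control byte.
ctrl_line_count() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    LC_ALL=C grep -c "$CTRL_RE" "$1" || true   # grep exits 1 on zero matches
}

# ctrl_lines FILE: print "lineno:text" for each such line, with control bytes
# made visible by cat -v (ESC shows as ^[), so the report is safe to view.
ctrl_lines() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    LC_ALL=C grep -n "$CTRL_RE" "$1" | cat -v
}

# scan FILE...: report every file that has at least one flagged line.
# Returns 1 if anything was flagged, 0 otherwise.
scan() {
    rc=0
    for f in "$@"; do
        n=$(ctrl_line_count "$f") || continue
        if [ "$n" -gt 0 ]; then
            echo "== $f: $n line(s) with control characters"
            ctrl_lines "$f"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: one clean quotation, one line carrying an ANSI colour
# sequence (ESC [ 3 1 m), and one line with a stray carriage return.
make_sample() {
    printf 'A clean quotation.\n\033[31mred text\033[0m\nline with CR\r\n' > "$1"
}

if [ "$#" -gt 0 ]; then scan "$@"; fi
```

Colour codes in a banner are normal, so a hit is a line to read, not proof of tampering; compare flagged files against the copies shipped in the original packages.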
 
  

