xscreensaver bug?

Eugene M. Kim ab at astralblue.net
Fri Nov 14 14:08:32 PST 2003

Terry Lambert wrote:

>"Eugene M. Kim" wrote:
>>Terry Lambert wrote:
>>>>I'm new to FreeBSD. I found that after I lock the screen with xscreensaver,
>>>>I can unlock it with the root's password as well as my normal user's
>>>>password. I don't think it is a good thing. Is it a bug?
>>>It is intentional, although you can eliminate it with a recompile
>>>of the xscreensaver code, with the right options set.
>>Wouldn't this lead to another security hazard, if a user compiles his own
>>hacked xscreensaver which captures and stashes the password into a file
>>then runs it and leaves the terminal intentionally, `baiting' root? :o
>Not really.  This type of thing would need to accept pretty much
>everything as a termination password, since there is no password it
>can legitimately validate, since a user-compiled trojan like this
>would not have access to the password database contents in order
>to perform validation.
>If the trojan is SUID, then they already have root, and don't need
>the trojan.
>Either way, there's no risk to just typing whatever crap you want
>to at it, including a message calling the user an idiot, the first
>time, to see if it's going to let you in without you giving it the
>real root password.

Validating a root password is possible with other means in many cases, 
if not always.  OpenSSH sshd is a good example.  Even with 
PermitRootLogin set to no, the attacker can differentiate whether the 
password has been accepted or not.

If the attacker is able enough, he could also run a hacked version of Xnest
on port 6000+N and the real xscreensaver on :N.0 for a suitable N.
The attacker would feed the real xscreensaver with the captured password and
see if the real xscreensaver releases the server grab.

