xscreensaver bug?
Eugene M. Kim
ab at astralblue.net
Fri Nov 14 14:08:32 PST 2003
Terry Lambert wrote:
>"Eugene M. Kim" wrote:
>
>>Terry Lambert wrote:
>>
>>>>I'm new in FreeBSD. I found that after I lock screen with xscreensaver,
>>>>I can unlock it with the root's password as well as my normal user's
>>>>password. I don't think it is a good thing. Is it a bug?
>>>>
>>>It is intentional, although you can eliminate it with a recompile
>>>of the xscreensaver code, with the right options set.
>>>
>>Wouldn't this lead to another security hazard, if a user compiles his own
>>hacked xscreensaver which captures and stashes the password into a file
>>then runs it and leaves the terminal intentionally, `baiting' root? :o
>>
>
>Not really. This type of thing would need to accept pretty much
>everything as a termination password, since there is no password it
>can legitimately validate, since a user-compiled trojan like this
>would not have access to the password database contents in order
>to perform validation.
>
>If the trojan is SUID, then they already have root, and don't need
>the trojan.
>
>Either way, there's no risk to just typing whatever crap you want
>to at it, including a message calling the user an idiot, the first
>time, to see if it's going to let you in without you giving it the
>real root password.
>
Validating a root password is possible with other means in many cases,
if not always. OpenSSH sshd is a good example. Even with
PermitRootLogin set to no, the attacker can differentiate whether the
password has been accepted or not.

If the attacker is able enough, he could also run a hacked version of Xnest
on port 6000+N and the real xscreensaver on :N.0 for a suitable N.
The attacker would feed the real xscreensaver with the captured password and
see if the real xscreensaver releases the server grab.

Eugene
More information about the freebsd-current mailing list