xscreensaver bug?

Terry Lambert tlambert2 at mindspring.com
Sat Nov 15 14:53:48 PST 2003

"Eugene M. Kim" wrote:
> Validating a root password is possible with other means in many cases,
> if not always.  OpenSSH sshd is a good example.  Even with
> PermitRootLogin set to no, the attacker can differentiate whether the
> password has been accepted or not.

That's because the software in question sucks, not because it's a
natural property of all such software.

> If attacker is able enough, he could also run a hacked version of Xnest
> on port 6000+N and the real xscreensaver on :N.0 for a suitable N.
> Attacker would feed the real xscreensaver with the captured password and
> see if the real xscreensaver releases the server grab.

Yeah, and any user on the system could put up a trojan that put up
a window that pretended to be the login screen instead of a screen
saverm since that would be much asier, and harvest passwords that
way, instead, after pretending the first login failed.

I don't really see your point... any time you have more than one
user using the same console, it's possible to create a trojan.

-- Terry

More information about the freebsd-current mailing list